← Back to Home

Privacy Policy

Last updated: January 1, 2026

Introduction

GhostForm ("we", "our", or "us") is a privacy-first form builder operated by Project Marvlock. This Privacy Policy explains how we collect, use, and protect your information when you use our service.

GhostForm is open-source software. You can view our source code on GitHub to verify our privacy claims.

Our Privacy Principles

GhostForm is built on the following privacy principles:

  • No tracking: We don't use cookies, fingerprinting, or analytics to track users
  • Minimal data collection: We only collect data necessary to provide the service
  • Data ownership: You own all your form submissions and data
  • Transparency: Our code is open-source and auditable
  • GDPR-friendly: Designed with privacy regulations in mind

Information We Collect

Account Information

When you create an account, we collect:

  • Email address (for authentication and communication)
  • Hashed password (stored securely, never in plain text)

Form Data

We store:

  • Form definitions (name, fields, settings) that you create
  • Form submissions received through your forms
  • All data is encrypted at rest

IP Addresses

IP addresses are collected only for rate limiting purposes to prevent spam and abuse. IP addresses are:

  • Stored with form submissions for rate limiting
  • Not used for tracking or analytics
  • Not shared with third parties
  • Only used to enforce per-IP submission limits

This is a legitimate security measure to protect forms from abuse. IP addresses are not used to identify, track, or profile users.

Session Information

We use session cookies to maintain your login state. These cookies:

  • Are HTTP-only (not accessible via JavaScript)
  • Are used only for authentication
  • Are not used for tracking or analytics
  • Expire after 30 days of inactivity

What We Don't Collect

GhostForm does not collect:

  • Browser fingerprints
  • Device information
  • Location data
  • Analytics or usage tracking
  • Third-party cookies
  • Advertising identifiers
  • Social media tracking pixels

How We Use Your Information

We use collected information only to:

  • Provide and maintain the GhostForm service
  • Authenticate your account
  • Store and deliver form submissions
  • Enforce rate limits to prevent abuse
  • Send important service-related communications (if necessary)

We do not:

  • Sell your data to third parties
  • Use your data for advertising
  • Share your data with analytics services
  • Use your data for any purpose other than providing the service

Data Storage and Security

  • All data is stored in secure databases with encryption at rest
  • Passwords are hashed using industry-standard algorithms
  • Form submissions are encrypted in the database
  • We use secure, encrypted connections (HTTPS) for all data transmission
  • Access to data is restricted to authorized personnel only

Your Rights

You have the right to:

  • Access: View all your forms and submissions
  • Export: Download all your data in JSON format
  • Delete: Delete your account and all associated data at any time
  • Control: Enable or disable forms, set rate limits, and manage settings

To exercise these rights, use the features in your GhostForm dashboard or contact us.

Data Retention

  • Form data is retained until you delete it
  • Account data is retained until you delete your account
  • When you delete your account, all associated data is permanently removed
  • IP addresses used for rate limiting are stored with submissions but are not used for tracking

Third-Party Services

GhostForm uses the following third-party services:

  • MongoDB: Database hosting (data is encrypted at rest)
    • Vercel/Deployment Platform: Hosting infrastructure

These services are used only for infrastructure and do not have access to your form data for their own purposes. We do not share your data with any other third parties.

Open Source

GhostForm is open-source software. You can:

  • View our source code on GitHub
  • Audit our privacy claims by examining the code
  • Self-host your own instance if desired
  • Contribute improvements to the project

Children's Privacy

GhostForm is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. You are advised to review this Privacy Policy periodically for any changes.

Contact Us

If you have questions about this Privacy Policy, please contact us: