Privacy Policy

Last updated: January 2025 · Effective: January 2025

Ghost Network ("we", "us", "our") is operated by a volunteer team based in Norway and the EEA. This Privacy Policy describes how we collect, use, and protect your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act.

1. Data Controller

Ghost Network is the data controller for personal data collected through this website and associated services. Contact: privacy@ghostnetwork.no

2. Data We Collect

We collect the following categories of personal data:

  • Account data: Username, email address, hashed password, date of registration.
  • Session data: IP address, user agent, login timestamps. Stored in Redis and automatically purged after 30 days.
  • Activity data: In-game actions, chat logs (moderation purposes), document reads, wiki contributions.
  • Communication data: Support tickets and reports you file with us.

We do not collect payment card data. Donations are processed by third-party processors (Stripe) under their own privacy policies.

3. Legal Basis for Processing

  • Contract performance (GDPR Art. 6(1)(b)): Processing necessary to operate your account and provide services.
  • Legitimate interests (GDPR Art. 6(1)(f)): Security monitoring, fraud prevention, server integrity, moderation.
  • Consent (GDPR Art. 6(1)(a)): Optional communications and marketing (where applicable). You may withdraw at any time.
  • Legal obligation (GDPR Art. 6(1)(c)): Retention of logs required by applicable law.

4. How We Use Your Data

  • To create and manage your account
  • To enforce community rules and investigate violations
  • To send account-related emails (verification, password reset, security alerts)
  • To maintain security logs for incident response
  • To display your profile, username, and in-game activity to other players (as agreed upon registration)

5. Data Retention

  • Active accounts: Retained as long as your account exists.
  • Session tokens: 30 days, automatically purged.
  • Security logs: 12 months, then deleted.
  • Banned accounts: Core account data retained indefinitely to enforce the ban. All non-essential data is purged after 6 months.
  • Deleted accounts: All personal data deleted within 30 days of account deletion request, subject to legal holds.

6. Your Rights

Under GDPR, you have the right to:

  • Access: Request a copy of your personal data.
  • Rectification: Correct inaccurate data.
  • Erasure: Request deletion of your data ("right to be forgotten").
  • Restriction: Request we limit processing of your data.
  • Portability: Receive your data in a machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is consent-based, withdraw at any time.

Exercise these rights by logging into your account portal under Privacy, or by emailing privacy@ghostnetwork.no. We respond within 30 days.

7. Data Sharing

We do not sell or rent your personal data. We may share data with:

  • Infrastructure providers: Servers hosted in the EEA (Hetzner, Germany). Governed by their DPA/GDPR compliance.
  • Payment processors: Stripe, for donation processing. Their privacy policy applies.
  • Law enforcement: When required by applicable law or court order.

8. Cookies and Local Storage

We use a session cookie (ghost_session) essential for authentication. No third-party tracking cookies are used. Local storage may be used for UI preferences (theme, sidebar state).

9. Security

We use industry-standard security measures including HTTPS/TLS, bcrypt password hashing, rate limiting, and 2FA support. No system is perfectly secure, but we work to minimize risk.

10. Children

Ghost Network is not directed at children under 13. If you are under 13, do not register. If we discover we have collected data from a child under 13, we will delete it promptly.

11. Changes to This Policy

We may update this policy. Material changes will be announced via email to registered users. Continued use after changes constitutes acceptance.

12. Contact & Complaints

Questions: privacy@ghostnetwork.no
You may also lodge a complaint with Datatilsynet (Norway's data protection authority) at www.datatilsynet.no.