Privacy Policy

Your privacy is our core product. Here's exactly how we handle your data.

Last updated: June 1, 2026

1. Introduction

GhostRelay ("we," "our," or "us") operates the ghostrelay.me website and email forwarding service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

We are committed to protecting your privacy. Our business model is built on privacy — we have no incentive to collect or sell your data.

2. Information We Collect

Account Information

  • Email address (for forwarding purposes)
  • Hashed password (we never store plaintext passwords)
  • Account creation date

Alias Data

  • Alias addresses you create
  • Labels and notes you assign to aliases
  • Forwarding statistics (email count only — not content)
  • Active/inactive status

What We Do NOT Collect

  • We do NOT read or store email content
  • We do NOT log email sender/recipient metadata beyond delivery
  • We do NOT use tracking pixels or third-party analytics
  • We do NOT sell, rent, or share your data with anyone
  • We do NOT serve advertisements

3. How We Use Your Information

We use the information we collect solely to:

  • Forward emails from your aliases to your real email address
  • Authenticate you when you log into your account
  • Display forwarding statistics in your dashboard
  • Send you critical service notifications (e.g., security alerts)
  • Prevent abuse of our service (rate limiting, spam detection)

4. Email Processing

When an email arrives at one of your aliases, we process it in real-time:

1

Email arrives at alias address on our mail server

2

We verify the alias is active and not blocked

3

Email is immediately forwarded to your real address

4

No copy is stored on our servers — the email passes through

Emails are processed in-memory and are never written to disk or stored in any database. We operate as a pure relay — no email content is ever retained.

5. Data Storage & Security

We implement industry-standard security measures:

  • All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Passwords are hashed with bcrypt (cost factor 12)
  • Authentication tokens are cryptographically signed JWTs
  • Infrastructure runs on Cloudflare's global edge network
  • Rate limiting protects against brute force attacks
  • Regular security audits and penetration testing

6. Data Retention

We retain your account data for as long as your account is active. When you delete your account:

  • All aliases are immediately deactivated
  • Your personal data is permanently deleted within 30 days
  • Forwarding statistics are anonymized and aggregated
  • Backups containing your data are purged within 90 days

7. Third-Party Services

We use minimal third-party services:

ServicePurposeData Shared
CloudflareInfrastructure & CDNIP addresses (for security)
Neon (PostgreSQL)DatabaseAccount & alias data

We do NOT use Google Analytics, Facebook Pixel, or any advertising trackers.

8. Your Rights

Under GDPR and CCPA, you have the right to:

  • Access — Request a copy of all data we hold about you
  • Rectification — Correct any inaccurate personal data
  • Erasure — Request permanent deletion of your account and data
  • Portability — Export your data in machine-readable format (CSV)
  • Objection — Object to processing of your personal data
  • Restriction — Request limitation of processing

To exercise any of these rights, contact us at privacy@ghostrelay.me. We respond within 30 days.

9. Cookies

We use only essential cookies:

  • Authentication token — Keeps you logged in (localStorage)
  • Theme preference — Remembers your light/dark mode choice

We do not use any tracking cookies, advertising cookies, or third-party cookies.

10. Children's Privacy

Our service is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us data, contact us and we will delete it immediately.

11. Changes to This Policy

We may update this policy from time to time. Significant changes will be communicated via email notification to registered users. The "Last updated" date at the top indicates when this policy was last revised.

12. Contact Us

For privacy-related questions or concerns:

Email: privacy@ghostrelay.me

Response Time: Within 30 days

Data Protection Officer: Taylor Kim