Privacy Policy

Last updated: April 2026

1. Who We Are

Ghost Protocol (Pvt) Ltd ("Ghost Protocol", "we", "us") is a cybersecurity and software engineering studio registered in Colombo, Sri Lanka. We operate the website ghosts.lk and provide security testing, software development, and developer tools including Wyrm.

2. Information We Collect

We collect information you voluntarily provide:

  • Contact forms: Name, email, message (via Formspree)
  • Booking: Name, email, scheduling data (via Cal.com)
  • Waitlist: Email address for product updates
  • Purchases: When you purchase a subscription or service, payment is processed by Paddle.com Market Ltd ("Paddle"), our Merchant of Record. We do not collect or store your payment card details. Paddle collects your name, email, billing address, and payment information as needed to process transactions. See Paddle's Privacy Policy.
  • Client engagements: Business information needed to deliver services

We automatically collect:

  • Analytics: Page views, referrers, country (via Cloudflare — no cookies, privacy-first)
  • Server logs: IP address, browser type, timestamps (standard web server logs)

3. How We Use Your Data

  • To respond to your inquiries and provide requested services
  • To process purchases and manage subscriptions (via Paddle)
  • To schedule and manage consultations
  • To send product updates (only if you opted in)
  • To improve our website and services
  • To comply with legal obligations

We never sell, rent, or share your personal data with third parties for marketing purposes.

4. Payment Processing

All payments for Ghost Protocol products and subscriptions are processed by Paddle.com Market Ltd, which acts as our Merchant of Record. This means Paddle is the entity that processes your payment, handles sales tax/VAT, and issues invoices and receipts on our behalf.

When you make a purchase, Paddle collects and processes your payment information directly. We never see, store, or have access to your full credit card number or payment credentials. Paddle is PCI-DSS compliant and processes data in accordance with their Privacy Policy.

We receive from Paddle: your name, email address, country, transaction ID, subscription status, and purchase history — only what is necessary to provide you with the products and support you purchased.

5. Third-Party Services

We use the following services that may process your data:

  • Paddle — Payment processing, invoicing, tax compliance (privacy policy)
  • Cloudflare — CDN, DNS, analytics (privacy-focused, no tracking cookies)
  • Formspree — Contact form processing
  • Cal.com — Appointment scheduling
  • GitHub — Open source project hosting
  • Google Workspace — Email communication

Each service has its own privacy policy. We choose privacy-respecting providers.

6. Data Security

As a cybersecurity company, we take data protection seriously. We use HTTPS everywhere, implement security headers (CSP, HSTS, X-Frame-Options), and follow industry best practices for data handling. Client engagement data is handled under NDA and stored securely.

7. Cookies

We do not use tracking cookies. Cloudflare may set essential cookies for security (e.g., bot protection). No third-party advertising or analytics cookies are used on this site. Paddle may set cookies during the checkout process as necessary to complete your purchase.

8. Your Rights

You have the right to:

  • Request access to your personal data
  • Request correction or deletion of your data
  • Withdraw consent for marketing communications
  • Request a copy of your data in a portable format
  • Object to data processing based on legitimate interest

For payment-related data held by Paddle, you may also contact Paddle directly via their privacy portal.

To exercise any of these rights with us, email ryan@ghosts.lk.

9. Data Retention

We retain contact form submissions and client data for as long as necessary to provide services and comply with legal obligations. Subscription and purchase records are retained for accounting and tax purposes as required by law. You may request deletion of non-essential data at any time.

10. International Transfers

Ghost Protocol is based in Sri Lanka. Your data may be processed in Sri Lanka and in the jurisdictions where our service providers (Cloudflare, Paddle, Google) operate. We ensure adequate protection through our providers' data protection policies and, where applicable, standard contractual clauses.

11. Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated date. Continued use of our services constitutes acceptance of the updated policy.

12. Contact

Questions about this privacy policy? Contact us at ryan@ghosts.lk or through our contact page.

Ghost Protocol (Pvt) Ltd
Colombo, Sri Lanka