Ghost and clear outline of data on privacy for sites powered by Ghost

I am wondering if there is a resource that clearly outlines what data Ghost gathers/stores about people that are accessing any sites “powered” by Ghost. The Ghost privacy policy is not 100% clear whether the policy applies to just those accessing ghost.org and its forum, or also to any sites powered on the Ghost platform.

A good privacy policy always states what it governs. In Ghost’s case, it opens with this sentence:

This privacy policy (“Privacy Policy”) describes how Ghost Foundation Ltd (“Ghost Foundation”, “we”, “us” or “our”) collects, uses, and discloses, transfers, and otherwise processes and handles (collectively, “Processes”) your personal data.

The policy describes how the Ghost Foundation collects data. Since any Ghost sites, either on Ghost(Pro), on other managed hosting services, or self-hosted, are generally not controlled by the Ghost Foundation, but by, well… whoever runs them, the policy doesn’t apply there.

Any data privacy policy will also depend on whether you use any other services on there, e.g. Google Fonts in your theme, a CDN, etc.

I have tried to put my thoughts on Ghost and its privacy together here:

Tried to keep it general, but it also touches upon a few topics that are mainly relevant to the Ghost setup I offer at Magic Pages. I’d argue, 95% of it applies to all Ghost sites though.


Super helpful. Thank you. Do we know how long Ghost is storing IPs and approximate geolocations for?

Technically forever. There is no mechanism built in that would remove these from the members table in the database. As long as the member exists in there, the information is in there as well 🙃

Oh. I was meaning more this part of your statement: “When you opened this page, quite a few things happened. Your browser sent a request to your internet service provider, which then directed it to the appropriate server”. Do you know, is Ghost indefinitely keeping IPs? Also, you seem very knowledgeable on this, is each Ghost instance on its own virtual server + database? And what would be their [as in ghost.org] access to respond to jurisdictional data requests? If that is from a country outside the EU, would that then go through an international tribunal?

That depends on the web server; that’s where the logging happens. I can only answer this for Magic Pages, where these logs are stored for 7 days. If you self-host, you have direct control over it. If you’re on another managed hosting service, it might be worth reaching out to their support (support@ghost.org for Ghost(Pro)).

I am not sure about Ghost(Pro)'s architecture on that level. I know some other hosting services do it this way. At Magic Pages, all instances are Kubernetes deployments, with their own database instances attached. So, not full virtual servers, but encapsulated without the other sites having access to any of its resources.

That is quite a detailed question 😅
The Ghost Foundation is incorporated in Singapore, so I doubt that EU/non-EU would matter. As a hoster, they are acting as a data processor, so all they would probably do is forward any requests to you as the data controller.

For all of this: I am not a lawyer and not affiliated with Ghost(Pro). Just putting my thoughts together. If you want definitive answers from Ghost(Pro), I’d suggest sending them an email 🙂


Amazingly helpful. I really appreciate you sharing your knowledge. Thank you.
