Privacy Policy.

1. Controller

The data controller is GHZ Creative - F.Z.E, registered in Ajman Free Zone (UAE), licence 49512. For any privacy-related request, write to privacy@ghzcreative.ai.

2. What we collect

Account data

When you sign up, we store your email address, a hashed version of your password (we never store the plain password), your display name if provided, and a record of email verification status. If you use Google sign-in, we additionally store the Google account ID and the email address returned by Google.

Session and security data

We store opaque refresh tokens (SHA-256 hashed) so we can keep you signed in, along with metadata about when sessions were created and rotated. We log authentication events (sign-up, sign-in, password reset, failed attempts) to detect abuse and to enforce rate limits.

Billing data

When you subscribe or buy a lifetime plan, Stripe processes your payment details directly — we never see or store your card information. On our side we keep your Stripe customer ID, your active subscription(s), one-time purchase records, and metadata about each Stripe event we receive (for accounting and reconciliation).

Application usage data

For GHZ Voice, when you use the transcription or text-cleanup features, your audio file or text is sent through our backend to a third-party AI provider (Groq, OpenAI, or Anthropic). We do not persistently store the audio or the text on our servers beyond the duration of the request. We log technical metadata (timestamp, request size, response status, latency, provider, and the action invoked) for billing, abuse detection, and debugging.

For GHZ Code, the application runs locally on your machine. We only receive licence-verification pings (your user ID and the requested app ID) and software-update checks (your current version). The terminal contents, your code, and your prompts stay on your machine.

Website analytics

The website uses Vercel Web Analytics, which is configured to be cookie-less and does not track individuals across sites. See our Cookie Policy for the technical details.

3. Why we process this data (legal bases)

• Performance of a contract — to create your account, deliver the apps, run the AI features, and process payments.
• Legitimate interest — to keep the services secure, prevent fraud, debug issues, and improve the product. Where this basis applies, we make sure the processing is proportionate to the goal.
• Legal obligation — to keep accounting records and to respond to lawful requests from competent authorities.
• Consent — for any optional communication you opt into (for example a newsletter). You can withdraw consent at any time.

4. Who we share data with (sub-processors)

We share the minimum data needed with the following sub-processors:

• Stripe (USA / Ireland) — payment processing, subscription management, billing portal.
• Groq (USA) — audio transcription (GHZ Voice).
• OpenAI (USA) — text cleanup (GHZ Voice, when the OpenAI provider is selected).
• Anthropic (USA) — text cleanup (GHZ Voice, when the Anthropic provider is selected).
• Resend (USA / EU) — transactional emails (verification, password reset, billing receipts).
• Google (Ireland) — only if you choose Google sign-in; we verify the ID token Google returns to us.
• Vercel (USA) — website hosting and cookie-less analytics.
• Our VPS provider (EU / Netherlands) — hosts our database and API.

Each sub-processor is bound by its own privacy and security commitments. We have signed or accepted data-processing terms where they are offered.

5. International transfers

Because some sub-processors are based in the United States, your data may be transferred outside the European Economic Area or your country of residence. We rely on the safeguards offered by these providers (such as the EU–US Data Privacy Framework, standard contractual clauses, or equivalent mechanisms) to protect your data during the transfer.

6. How long we keep your data

• Account data — for as long as your account is open, plus up to 90 days after deletion to handle disputes and chargebacks.
• Billing records — for the period required by applicable tax and accounting laws (typically up to 7 years).
• Authentication and proxy usage logs — up to 12 months, after which they are deleted or aggregated.
• Voice audio and text submitted to GHZ Voice — not stored on our servers beyond the duration of the request. The third-party AI providers may retain inputs for a short period under their own policies.

7. Your rights

Subject to applicable law (including the GDPR for users in the EEA, the UK GDPR for users in the United Kingdom, and the UAE Personal Data Protection Law), you have the right to:

• access the personal data we hold about you;
• correct inaccurate data;
• delete your data (you can also delete your account directly from the account dashboard);
• restrict or object to certain processing;
• port your data to another service;
• withdraw consent where processing is based on consent;
• lodge a complaint with the data-protection authority in your country of residence.

To exercise any of these rights, contact privacy@ghzcreative.ai. We aim to respond within 30 days.

8. Security

We use industry-standard safeguards: TLS 1.2+ for all traffic, bcrypt for passwords, hashed opaque refresh tokens, rate limits against brute-force attempts, server-side validation of all input, CORS allow-lists, security headers, and segmented secrets stored outside the codebase. No system is perfectly secure — please report any vulnerability you discover to security@ghzcreative.ai.

9. Children

The services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

10. Changes

We may update this policy from time to time. The current version is always available at ghzcreative.ai/privacy. If we make material changes, we will notify you by email or via the account dashboard.

11. Contact

For any question about this policy, email privacy@ghzcreative.ai. For account, billing, or app issues, use support@ghzcreative.ai.