I am not a privacy lawyer, I just write a blog.
Your privacy is a priority to me.
If you find any flaws, do not hesitate to let me know:

This webpage is hosted with the Ghost framework and does not use any add-ins beyond those of the framework. Please let me know if there are any concerns or problems; I have no interest in infringing your rights or violating your privacy.

Wondering how Ghost fares when it comes to privacy and GDPR rules? Good news: Ghost does not use any tracking cookies of any kind.

Here I'd like to point towards two privacy topics:

  1. I use the tracker, which is GDPR compliant. See privacy policy.
  2. When you sign up to my newsletter, your email address will not leave the Ghost online platform and won't be shared with any third party. By default, Ghost also provides a location at state level when you sign up, which also won't be shared. The same applies to any other personal information, such as your name, which could be inferred from a personal email address. By signing up to the newsletter, you consent to receiving occasional emails from for new posts and other marketing purposes.

What about cookies?

Ghost uses a first-party session cookie when you log in to this website with an account. According to this thread, the cookies are not tied to any personal information. To the best of my knowledge, these cookies only serve as "strictly necessary cookies" and are hence exempt from the cookie consent rules of the GDPR. See here:

"Receive users’ consent before you use any cookies except strictly necessary cookies."

How does Ghost comply with GDPR?

We act as both a data processor and a data controller under the GDPR.

When customers use our products and services to process EU personal data, we act as a data processor. For example, we will be a processor of EU personal data and information that gets uploaded into a Ghost site.

We act as a data controller for the EU customer information we collect to provide our products and services and to provide timely customer support. This customer information includes things such as customer name and contact information.

What personal data do we collect and store from our customers?

We store data that customers have given us voluntarily. For example, in our role as data controller, we may collect and store contact information such as name and email address when customers sign up for our products and services or seek support. We also may collect other identifying information from our customers, such as IP address.

We separately act as a data processor when customers use our products and services to process EU personal data, such as uploading personal data to a Ghost site. Customers decide what personal data, if any, is uploaded to our products and services.

What is the Ghost Data Processing Agreement ("DPA")?

Customers that handle EU personal data are required to comply with the privacy and security requirements under the GDPR. As part of this, they must ensure that the vendors they use to process the EU personal data also have privacy and security protections in place. Our DPA outlines the privacy and security protections we have in place. We are committed to GDPR compliance and to helping our customers comply with the GDPR when they use our services. We have therefore made our DPA available to all our customers and it can be found here: Data Processing Agreement.

Are customers required to sign the Ghost DPA?

In order to use our products and services, you need to accept our DPA, which we have provided a link to on our website: Data Processing Agreement. By agreeing to our terms of service, you are automatically accepting our DPA and do not need to sign a separate document.

Can a customer share the Ghost DPA with its customers?

Yes. The DPA is a publicly available document and customers who wish to share it with their customers to confirm our security measures and other terms may feel free to do so.

Do customers need to notify anyone upon accepting our DPA?

No. You are not required to notify us or any third party upon accepting our DPA though, as mentioned above, you are free to do so.

Are there unique DPA needs for individual countries?

The GDPR applies to all of the EU and we offer a DPA that is compliant in all EU countries.

Do we transfer data internationally?

Ghost stores all data in the EU. In certain circumstances, we will process personal data that originates from the EU outside of the EU when conducting support and maintenance of our services. We provide a level of protection of privacy that complies with the EU rules.

How do we handle delete instructions from customers?

Customers have the ability to remove or delete information they have uploaded to our products. Likewise, customers may deactivate their account and request that all personal data we have collected and stored is deleted. Log into your account at for further instructions.

How can a customer view and download content from our services and transfer it to another provider?

You can easily download all content from a Ghost site at any time by exporting content or theme using the UI provided within Ghost Admin. If you wish to download a copy of your image assets, we are also more than happy to provide those by emailing

Further Privacy Information

Information of Website Visitors


This website might collect non-personally-identifying information that is typically made available by web browsers or servers, e.g. date and time of visit or browser time. The goal of collecting this information is to improve visitors' use of this web page. Occasionally, we may release this information in aggregated form, e.g., by publishing a report on the patterns or trends in the use of this blog.


Depending on how some visitors interact with the website, it might be necessary to request personally-identifying information. The amount and type of the information gathered depend on the type of interaction.

Security of Data

Because no method of transmission or storage is totally secure, we cannot guarantee absolute security of your data. Even so, the security and privacy of your personal information are of great importance to us.

Our Service may contain links to external sites that are not operated by us. Clicking on a third-party link will direct you to that third party's website. It is advised to review the Privacy Policy and terms and conditions of every site you visit. We have no control over, and assume no responsibility for, the offerings of any third-party sites.

Aggregated Data

We may collect and display statistics about the behavior of visitors to this website. Furthermore, we might display this data publicly or to third parties. However, we will not disclose your personally-identifying information.

Future Changes in the Privacy Policy

Even though large changes to our privacy policy are not expected, our privacy policy might change at our sole discretion in the future. We recommend checking this page for changes in our privacy policy. Please be aware that continuing to use our web page after changes to this privacy policy will constitute your consent to those changes.
