Skip to main content

Privacy Policy

Last updated: February 8, 2026

1. Data controller

Haamu.ai is operated by Ville Murtonen, sole trader (toiminimi), Helsinki, Finland.

For privacy inquiries, contact us at privacy@haamu.ai.

Supervisory authority: Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), tietosuoja.fi

2. What we do

Haamu.ai is a text anonymization service. We help you remove personal data (PII) and change writing style so text cannot be traced back to its author.

3. Data we process and how

When you use Haamu.ai, you submit text for anonymization. Here is exactly how each mode handles your data:

  • PII Ghost — Your text is processed entirely on our server in Helsinki using Microsoft Presidio (open-source software). Your text never leaves our EU infrastructure. Nothing is sent to any third party.
  • Style Ghost with Claude (Anthropic) — Your text is sent to Anthropic for rewriting. Anthropic is a US-based company, but since September 2025, API requests from the EU are automatically routed through EU infrastructure for processing. Data at rest may still be stored in the United States. See Section 7 for details.
  • Style Ghost with GPT-4.1 (OpenAI) — Your text is sent to OpenAI for rewriting. OpenAI is a US-based company. Your text is transferred to their servers in the United States. See Section 7 for details on international transfers.
  • Full Ghost — PII is first removed on our server in Helsinki (same as PII Ghost), then the cleaned text (with personal data already removed) is sent to the selected AI provider for restyling.

4. Legal basis for processing

We process your data on the following legal bases under GDPR Article 6:

  • Consent (Art. 6(1)(a)) — By submitting text and clicking "Ghost it," you consent to its processing as described on this page. You can withdraw consent at any time by simply not using the service.
  • Contract performance (Art. 6(1)(b)) — For Pro subscribers, processing is necessary to provide the service you are paying for.
  • Legitimate interest (Art. 6(1)(f)) — We process a one-way cryptographic hash (HMAC-SHA256) of your IP address for rate limiting and abuse prevention. The raw IP address is held in memory only and cleared daily. The irreversible hash is stored in our usage log and automatically purged after 90 days.

5. Data retention

On our servers: We do not store, log, or retain any text you submit. All processing happens in memory and is discarded immediately after the response is returned. We store anonymized usage metadata (request mode, word count, duration, and a one-way hash of your IP address) for rate limiting and service improvement. This metadata is automatically purged after 90 days.

At AI providers: When you use Style Ghost or Full Ghost, your text is sent to Anthropic or OpenAI. These providers may retain API request data for a limited period (up to 30 days) for safety monitoring and abuse prevention, per their own data processing terms. Neither provider uses API data for model training by default. See their policies linked in Section 6.

6. Sub-processors

We use the following third-party processors:

  • Anthropic (Claude API, style rewriting) — US-based company. EU API requests are processed in the EU via multi-region processing (since September 2025). Data at rest may be stored in the US. Privacy Policy. Data may be retained up to 30 days for safety monitoring.
  • OpenAI (GPT-4.1 API, style rewriting) — US-based. Data is processed and stored in the United States. Privacy Policy. Data may be retained up to 30 days for abuse monitoring.
  • Hetzner Online GmbH (server hosting) — Germany/Finland, EU. Processes all data as infrastructure provider.
  • Polar.sh (payment processing) — Merchant of record for Pro subscriptions. Processes email, billing details, and VAT information. Privacy Policy.

7. International data transfers

PII Ghost mode: Your text is processed entirely within the EU (Helsinki, Finland). No international transfer occurs.

Style Ghost and Full Ghost with Claude (Anthropic): Your text is processed within EU infrastructure via Anthropic's multi-region processing. Data at rest may be stored in the United States. Transfers are made under Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914).

Style Ghost and Full Ghost with GPT-4.1 (OpenAI): Your text is transferred to OpenAI's servers in the United States for processing. Transfers are made under Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914).

You may request a copy of the applicable safeguards by contacting us.

8. Data we do NOT collect

  • We do not use tracking cookies or set any cookies
  • We do not use analytics services
  • We do not require account creation for the free tier
  • We do not build profiles or track usage history

9. Your rights under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15) — You may request information about what data we process about you.
  • Right to rectification (Art. 16) — You may request correction of inaccurate data.
  • Right to erasure (Art. 17) — You may request deletion of your data. Since we do not retain submitted text on our servers, there is nothing to delete on our end. If you used Style Ghost or Full Ghost, we will forward your erasure request to the relevant AI provider(s) under our data processing agreements.
  • Right to restrict processing (Art. 18) — You may request restriction of processing in certain circumstances.
  • Right to data portability (Art. 20) — You may request your data in a portable format.
  • Right to object (Art. 21) — You may object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)) — You may withdraw your consent at any time by discontinuing use of the service. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, contact privacy@haamu.ai.

10. Right to lodge a complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto):

Office of the Data Protection Ombudsman
Lintulahdenkuja 4, 00530 Helsinki, Finland
tietosuoja.fi
Email: tietosuoja@om.fi

11. Infrastructure

Our server is hosted by Hetzner Online GmbH in Helsinki, Finland (EU). PII Ghost processing occurs entirely within the EU. When you select Claude for Style Ghost or Full Ghost, your text is processed within EU infrastructure. When you select GPT-4.1, your text is transferred to OpenAI's servers in the United States (see Sections 6 and 7).

12. Contact

For privacy-related questions: privacy@haamu.ai