Privacy Policy

1. Data controller

Haamu.ai is operated from Helsinki, Finland. For privacy inquiries, contact us at privacy@haamu.ai.

2. What we do

Haamu.ai is a text anonymization service. We help you remove personal data (PII) and change writing style so text cannot be traced back to its author.

3. Data we process and how

When you use Haamu.ai, you submit text for anonymization. Here is exactly how each mode handles your data:

• PII Ghost — Your text is processed entirely on our server in Helsinki using Microsoft Presidio (open-source software). Your text never leaves our EU infrastructure. Nothing is sent to any third party.
• Style Ghost — Your text is sent to the AI provider you select (Anthropic or OpenAI) for rewriting. These are US-based companies. Your text is transferred to their servers, which may be located outside the European Union, including in the United States. See Section 7 for details on international transfers.
• Full Ghost — PII is first removed on our server in Helsinki (same as PII Ghost), then the cleaned text (with personal data already removed) is sent to the selected AI provider for restyling.

4. Legal basis for processing

We process your data on the following legal bases under GDPR Article 6:

• Consent (Art. 6(1)(a)) — By submitting text and clicking "Ghost it," you consent to its processing as described on this page. You can withdraw consent at any time by simply not using the service.
• Contract performance (Art. 6(1)(b)) — For Pro subscribers, processing is necessary to provide the service you are paying for.
• Legitimate interest (Art. 6(1)(f)) — We process your IP address in memory for rate limiting and abuse prevention. IP addresses are not persisted to disk and are cleared from memory daily.

5. Data retention

On our servers: We do not store, log, or retain any text you submit. All processing happens in memory and is discarded immediately after the response is returned.

At AI providers: When you use Style Ghost or Full Ghost, your text is sent to Anthropic or OpenAI. These providers may retain API request data for a limited period (up to 30 days) for safety monitoring and abuse prevention, per their own data processing terms. Neither provider uses API data for model training by default. See their policies linked in Section 6.

6. Sub-processors

We use the following third-party processors:

• Anthropic (Claude API, style rewriting) — US-based. Privacy Policy. Data may be retained up to 30 days for safety monitoring.
• OpenAI (GPT API, style rewriting) — US-based. Privacy Policy. Data may be retained up to 30 days for abuse monitoring.
• Hetzner Online GmbH (server hosting) — Germany/Finland, EU. Processes all data as infrastructure provider.
• Cloudflare, Inc. (CDN, DNS, DDoS protection) — US-based. All HTTP traffic passes through Cloudflare. Privacy Policy.

7. International data transfers

PII Ghost mode: Your text is processed entirely within the EU (Helsinki, Finland). No international transfer occurs.

Style Ghost and Full Ghost modes: Your text is transferred to Anthropic or OpenAI, whose servers may be located in the United States. These transfers are made under Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914). You may request a copy of the applicable safeguards by contacting us.

All traffic: HTTP requests pass through Cloudflare's global network for security and performance. Cloudflare processes data under SCCs and is certified under the EU-US Data Privacy Framework.

8. Data we do NOT collect

• We do not use tracking cookies or set any cookies
• We do not use analytics services
• We do not require account creation for the free tier
• We do not build profiles or track usage history

9. Your rights under GDPR

You have the following rights regarding your personal data:

• Right of access (Art. 15) — You may request information about what data we process about you.
• Right to rectification (Art. 16) — You may request correction of inaccurate data.
• Right to erasure (Art. 17) — You may request deletion of your data. Since we do not retain submitted text on our servers, there is nothing to delete on our end. If you used Style Ghost or Full Ghost, we will forward your erasure request to the relevant AI provider(s) under our data processing agreements.
• Right to restrict processing (Art. 18) — You may request restriction of processing in certain circumstances.
• Right to data portability (Art. 20) — You may request your data in a portable format.
• Right to object (Art. 21) — You may object to processing based on legitimate interest.
• Right to withdraw consent (Art. 7(3)) — You may withdraw your consent at any time by discontinuing use of the service. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, contact privacy@haamu.ai.

10. Right to lodge a complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto):

Office of the Data Protection Ombudsman
Lintulahdenkuja 4, 00530 Helsinki, Finland
tietosuoja.fi
Email: tietosuoja@om.fi

11. Infrastructure

Our server is hosted by Hetzner Online GmbH in Helsinki, Finland (EU). PII Ghost processing occurs entirely within the EU. Style Ghost and Full Ghost modes involve transferring text to AI providers whose servers may be located outside the EU (see Sections 6 and 7).

12. Contact

For privacy-related questions: privacy@haamu.ai