Privacy policy

1. Who runs ghunt.sh

ghunt.sh is an independent reimplementation of the GHunt OSINT framework. It is not affiliated with Google, and not affiliated with the original open-source GHunt project. For any privacy request or question about this policy, write to [email protected].

2. What we collect

We collect only what the service needs to run and to defend itself against abuse.

Account data

When you sign in, our authentication provider stores your email address, a display name or username, and a stable user identifier. We use it to associate searches with your account, show your credit balance, and gate paid features.

Search queries

When you submit a lookup, we record the query (typically an email address or Gaia ID), the type of lookup, whether it succeeded, and the timestamp. If the lookup returns data, the consolidated report is saved to your history so you can reopen it without re-running the search.

Technical data tied to each request

We store your IP address with each request. This is used to enforce rate limits, detect abuse, and provide an audit trail.

Payments and credits

When you buy credits, our payment provider (Stripe) handles your card data. We never see your card number. We do store the checkout session id, the payment intent id, the amount, the currency, and the credits granted, so we can reconcile your wallet and answer billing questions.

Cookies and similar storage

We use strictly necessary cookies for sign-in sessions, a small amount of local storage for your language preference, and product analytics cookies (set by our analytics provider, EU-hosted) once you are signed in. We do not use advertising cookies or third-party trackers for marketing.

3. What we do NOT collect

• We do not read or store the content of any Google account other than what the account owner has chosen to make public.
• We do not store Google passwords, recovery information, or session tokens belonging to lookup targets.
• We do not notify lookup targets that they were searched. Google's public endpoints we query are not user-facing in that sense.
• We do not sell your data, ever.

4. Why we process your data (legal basis)

• Contract. To run the lookups you ask for, save your history, debit credits, and process payments.
• Legitimate interest. To prevent abuse of the service (rate limiting, fraud detection, debugging), measure aggregate usage, and improve features.
• Legal obligation. To retain billing records and respond to lawful requests.
• Consent. For optional product analytics, where required by local law.

5. Who processes data on our behalf

We rely on a small set of vendors. Each one is a data processor bound by contract to handle your data only on our instructions.

• Authentication provider. Stores your sign-in credentials and account profile.
• Stripe. Processes card payments for credit purchases.
• Cloudflare. Sits in front of the site as CDN and proxy, sees request IPs, blocks abusive traffic.
• Product analytics provider (EU-hosted). Records usage events to help us improve the product. Profiles are only created for signed-in users.
• Database and hosting provider. Stores your account, history and credit ledger inside the EU.
• Google public endpoints. Receive each lookup query as part of the normal request flow. Google's own privacy terms apply to Google.

A current and detailed sub-processor list is available on request.

6. How long we keep it

• Account data: kept while your account exists. Deleted on account deletion request.
• Search history (reports): kept until you delete the entry from /history. Once you delete it, it is hidden from your view immediately; a short-term copy is retained for fraud and abuse triage before being purged.
• Search logs (IP, query, success flag): retained for abuse triage. Periodically pruned.
• Bulk batches: same rules as single searches.
• Payment records: kept as long as required by tax and accounting law (typically several years).

7. Your rights

If you are in the EU, the UK, or another jurisdiction with similar law, you have the right to:

• Access the personal data we hold about you.
• Have inaccurate data corrected.
• Have your data deleted (right to erasure).
• Export your data in a portable format.
• Restrict or object to processing.
• Withdraw consent at any time, where processing is based on consent.
• Lodge a complaint with your local data protection authority.

To exercise any of these, email [email protected]. We answer within 30 days.

8. About the people you look up

ghunt.sh is an OSINT tool. By design, every lookup goes to public Google endpoints, and only data the target has made public through Google's own privacy settings is returned. We do not notify the target, we do not retain anything about the target beyond the report you ran, and we do not enrich the data with third-party sources behind the scenes.

If you are the subject of a lookup and want any saved report referencing you removed, email [email protected]. Provide enough information for us to identify the report; we will confirm and delete it.

9. Changes to this policy

We may update this page. The date at the top reflects the latest revision. For material changes, signed-in users will be notified by email or via an in-app banner before the change takes effect.

10. Contact

Privacy questions, deletion requests, sub-processor list, breach reports: [email protected].