Privacy Policy

This Privacy Policy describes how Ghola (“Ghola,” “we,” “us,” or “our”) collects, uses, stores, and shares information when you use the Ghola web application at ghola.xyz, the Ghola mobile application, the Ghola APIs, and any related services (collectively, the “Services”).

By using the Services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Services.

2.1 Account information

When you create an account we collect your email address, a hashed password (or your sign-in identifier from Google or Apple if you use those providers), your display name, and any profile metadata you choose to provide.

2.2 Wallet and on-chain data

Ghola integrates with Solana wallets, including the Solana Seeker Seed Vault and Mobile Wallet Adapter. We collect your public wallet address and on-chain transaction signatures. We do not collect or store your private keys, seed phrase, or recovery material — those remain on your device.

2.3 Connected accounts

If you connect Gmail, Google Calendar, or other third-party services, we receive OAuth tokens scoped to the permissions you grant. These tokens are encrypted at rest using AES-256-GCM. We access only the data needed to perform tasks you explicitly request.

2.4 Conversation and task content

When you chat with Ghola or assign it tasks (placing a phone call, drafting an email, controlling a device, querying a model) we collect the inputs you provide, the outputs generated, and metadata about the request. This is required to fulfil the request and to display your task history back to you.

2.5 Voice calls

When you ask Ghola to place a phone call on your behalf, the call is placed through our voice provider (Bland AI). Call audio, transcripts, and metadata may be processed and retained by both Ghola and the voice provider for the purpose of completing the task and providing you a record. You are responsible for complying with all applicable call-recording and consent laws in your jurisdiction.

2.6 Device and usage data

On mobile we collect device identifiers, operating system version, app version, and crash reports. The Ghola mobile app uses the Android Accessibility Service when you grant it; this allows the agent to read on-screen content and perform actions in apps you choose. Accessibility data is processed locally on your device and is only transmitted to our servers when required to fulfil a task you initiated.

2.7 Payment information

Subscription payments are processed by Stripe. We do not store your full card number. We retain the last four digits, card brand, customer ID, and subscription status returned by Stripe. USDC settlement transactions occur on the Solana blockchain and are publicly visible by their nature.

• To operate, maintain, and improve the Services.
• To execute the tasks you assign to your agent (calls, emails, device actions, model queries, on-chain transactions).
• To authenticate you and secure your account.
• To process payments, settle USDC, and bill subscription tiers.
• To send you transactional notifications (task completions, call outcomes, billing receipts).
• To detect, investigate, and prevent fraud or abuse.
• To comply with legal obligations.

We do not sell your personal information. We do not use your conversation content to train third-party foundation models without your explicit, opt-in consent.

To deliver the Services we share limited information with the following processors:

• Supabase — managed Postgres database hosting.
• Anthropic — language model inference (Claude).
• Together.ai — language model inference for marketplace models.
• Bland AI — outbound voice calls.
• Google — Gmail and Calendar APIs (only when you connect them).
• Stripe — subscription billing and payment processing.
• Solana RPC providers — broadcasting and reading on-chain transactions.
• Vercel — web hosting and edge delivery.

Each processor handles data under its own privacy terms. We transmit only the minimum data required to provide the integration you have requested.

We retain account data for as long as your account is active. You may delete your account at any time from the in-app settings; when you do so we delete or anonymise associated personal data within 30 days, except where retention is required for legal, accounting, or fraud-prevention purposes.

On-chain transactions cannot be deleted or modified due to the immutable nature of the Solana blockchain.

We use industry-standard practices to protect your data: encryption in transit (TLS), encryption at rest for sensitive tokens (AES-256-GCM), JWT-based session authentication, scoped OAuth grants, and least-privilege access controls. No system is perfectly secure, and we cannot guarantee absolute security.

Depending on your jurisdiction (including the EU/EEA, UK, California, and other regions) you may have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data.
• Object to or restrict certain processing.
• Request a portable copy of your data.
• Withdraw consent for optional processing at any time.

To exercise any of these rights, email us at the address in the Contact section below.

The Services are not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

Ghola is operated from the United States and our processors may store data in the United States, the European Union, and other jurisdictions. By using the Services, you consent to the transfer of your information to these jurisdictions.

We may update this Privacy Policy from time to time. We will post the updated policy on this page with a new effective date. For material changes we will provide additional notice (such as an in-app banner or email).

For privacy questions or to exercise your rights, contact us at privacy@ghola.xyz.