Does Ghaze use cookies?

No. Ghaze is cookie-free by default. No tracking cookies are set on visitor devices, so no cookie banners are required.

Is Ghaze GDPR compliant?

Yes. Ghaze meets GDPR, CCPA, ePrivacy and the Australian Privacy Act. Inputs are masked at capture, IP addresses are hashed and dropped, no fingerprinting is performed.

Can I delete customer data on demand?

Yes. Delete a session, a user profile or a whole site's history at any time from the dashboard or via the API. We honour the request inside 24 hours.

/ security & privacy

Ghaze security · privacy-friendly analytics

Built privacy-first. Hosted in Sydney.

Cookie-free. Sydney-only data residency. AES-256 + TLS 1.2+. The compliance posture your legal team wants. Written in plain English.

Data residency: Sydney

Every byte of customer data lives in AWS ap-southeast-2 (Sydney). It does not cross a border for any reason. Backups are also Sydney-region.

Encrypted in transit and at rest

TLS 1.2+ on all connections. AES-256 on disk. Per-customer KMS-managed keys. Keys rotated quarterly.

Privacy by default

We don't set cookies on visitors. We don't capture keystrokes on inputs. We don't fingerprint. Replays mask all sensitive form fields at capture-time.

You control retention & deletion

Per-plan retention windows. Delete a session, a user profile, or a whole site's history at any time from the dashboard or API. We honour the request inside 24 hours.

Auth & access

Email + OTP for all accounts. SSO/SCIM available on Pro Agency. Per-workspace role-based access — agency-side and client-side users separated.

Infrastructure

Single-region active-active across 3 AZs in Sydney. Daily encrypted backups, 30-day retention. Independent uptime monitoring (and yes, we use our own tool).

/ compliance

The frameworks we operate under.

Need our DPA, sub-processor list or pen-test summary? Email [email protected] — most requests answered same-day.

Australian Privacy Act (1988)
Compliant
GDPR
Compliant
CCPA / CPRA
Compliant
ePrivacy Directive
Compliant
PCI DSS
Out of scope · we never touch cardholder data
SOC 2 Type 1
In progress · target H1 2026

/ what we don't do

What Ghaze never collects.

Cookies on visitor devices
Browser fingerprints
Keystrokes on form inputs
Password / credit-card / sensitive fields
IP addresses (we hash, then drop)
Demographic profiles
Cross-site tracking IDs
Anything Hotjar's 'Suggestion engine' would call 'AI insights'
Your data sold to anyone, ever

Privacy-first, by default.
Try the install.

Cookie-free, Sydney-hosted, GDPR / CCPA / AU Privacy Act covered out of the box.

Start 7-day free trial Open the live demo