Privacy Policy

Last updated: June 27, 2026

1. Introduction

Mytho ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

Important: Mytho is an independent third-party tool and is not affiliated with, endorsed by, or sponsored by Ghost Foundation. Ghost® is a registered trademark of Ghost Foundation.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Password (encrypted)
  • Business name (optional)
  • Contact information

2.2 Product Data

When you use our Service, we store:

  • Product information (names, descriptions, prices)
  • Product images you upload
  • Inventory levels and variants
  • Shipping configurations
  • Discount codes

2.3 Order Information

We collect order data including:

  • Customer names and email addresses
  • Shipping addresses
  • Order details and amounts
  • Fulfillment status

Note: Payment information (credit card details) is processed and stored by Stripe, not Mytho. We never see or store your customers' payment card information.

2.4 Stripe Connect Data

When you connect your Stripe account, we receive:

  • Stripe account ID
  • Business information from Stripe
  • Account status and capabilities

2.5 Technical Data

We automatically collect:

  • IP address
  • Browser type and version
  • Device information
  • Access times and pages viewed
  • Referring website addresses

2.6 Email Configuration (SMTP)

If you configure custom email notifications:

  • SMTP server details
  • Email credentials (encrypted)
  • From email address

3. How We Use Your Information

We use the collected information to:

  • Provide the Service: Enable e-commerce functionality on your Ghost® site
  • Process payments: Facilitate transactions through Stripe
  • Send notifications: Order confirmations and shipping updates
  • Customer support: Respond to your inquiries and provide assistance
  • Service improvements: Analyze usage patterns and fix bugs
  • Security: Detect and prevent fraud, abuse, and security incidents
  • Legal compliance: Comply with applicable laws and regulations
  • Communications: Send service updates and important notices

4. Data Sharing and Third Parties

4.1 Stripe

We use Stripe for payment processing. When you connect your Stripe account or your customers make purchases:

  • Payment data is sent directly to Stripe
  • Stripe processes and stores payment information
  • Stripe's Privacy Policy applies

4.2 Email Service Providers

If you configure custom SMTP settings, emails are sent through your chosen provider (e.g., Postmark, SendGrid, Mailgun). Your provider's privacy policy applies to email delivery.

4.3 Cloud Hosting

Our Service is hosted on Railway. Your data is stored on secure servers managed by Railway. Railway's privacy policy applies to infrastructure-level data handling.

4.4 Cloudflare R2 (object storage)

Files you upload - product images, media library files, content library files - are stored in Cloudflare R2. Public URLs are served via the cdn.mytho.dev CDN. Cloudflare's privacy policy applies.

4.5 Cloudflare for SaaS (custom checkout domains)

If you configure a custom checkout domain (e.g. pay.yourstore.com), Cloudflare for SaaS provisions and serves the SSL certificate. The domain's hostname and Cloudflare's SSL status are stored on our side; the SSL provisioning data is held by Cloudflare.

4.6 Printful (Print on Demand)

If you connect a Printful account to enable print-on-demand products, Printful receives the customer name, shipping address, ordered items, and order metadata required to fulfill production and delivery. Printful is the merchant of record for production and shipping defects on POD items. Printful's privacy policy applies to this data.

4.7 Ghost CMS (membership integration)

If you enable the Content Library, we use your Ghost Admin API key to read membership tiers and verify member identity (via Ghost-issued JWTs). When a logged-in member loads or downloads a library file, their email and tier mapping pass through our servers so we can authorise the request and log the download. We do not store Ghost member passwords or session cookies.

4.8 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

4.9 We Do NOT Submit Your Data to AI Services

We do not sell, share, or submit your data - or your customers', staff, or contractors' personal data - to any third-party artificial-intelligence or machine-learning service for ingestion, parsing, scraping, model training, or any similar purpose. Mytho contains no AI feature that learns from, or is trained on, the data you or your customers put into the platform. Where we use AI-assisted tools in our own software development, they operate on our source code, not on your production data; your production records are never used to reproduce issues or train models.

4.10 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to protect our rights and safety.

5. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption: Data in transit is encrypted using HTTPS/TLS
  • Password protection: Passwords are hashed using bcrypt
  • Database security: PostgreSQL database with access controls
  • Sensitive data: SMTP credentials are encrypted at rest
  • Access controls: Strict internal access policies

However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

6. Data Retention

  • Active accounts: Data is retained while your subscription is active
  • Canceled accounts: Data is retained for 90 days to allow reactivation
  • After 90 days: Data may be permanently deleted
  • Legal requirements: Some data may be retained longer to comply with legal obligations

You may request immediate deletion by contacting us at [email protected].

7. Your Rights

7.1 Access and Portability

You have the right to:

  • Access your personal data
  • Request a copy of your data in a portable format
  • Export your product, order, and customer data

7.2 Correction and Deletion

You can:

  • Update your account information at any time
  • Request deletion of your account and data
  • Delete individual products, orders, or customers

7.3 Objection and Restriction

You may:

  • Object to certain data processing activities
  • Request restriction of processing under certain circumstances

7.4 GDPR Rights (EU Users)

If you're in the EU, you have additional rights under GDPR:

  • Right to data portability
  • Right to lodge a complaint with a supervisory authority
  • Right to withdraw consent at any time

7.5 CCPA Rights (California Users)

If you're a California resident, you have rights under CCPA:

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt-out of the sale of personal information (we don't sell data)
  • Right to non-discrimination for exercising your rights

8. Cookies and Tracking

8.1 Essential Cookies

We use essential cookies to:

  • Maintain your login session
  • Remember your preferences
  • Ensure security and prevent fraud

8.2 Analytics

We may use analytics tools to understand how users interact with our Service. This helps us improve functionality and user experience.

8.3 Third-Party Cookies

Stripe may set cookies for payment processing. Refer to Stripe's cookie policy for details.

9. Your Customers' Data

You are the data controller for your customers' personal information (names, email addresses, shipping addresses) collected through orders.

You are responsible for:

  • Informing your customers about data collection
  • Having a privacy policy on your Ghost® site
  • Complying with GDPR, CCPA, and other privacy laws
  • Handling customer data requests (access, deletion, etc.)

Mytho acts as a data processor on your behalf. We process customer data only as instructed by you and as necessary to provide the Service.

10. Children's Privacy

Our Service is not intended for children under 13 (or 16 in the EU). We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.

11. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for international transfers, including:

  • Standard contractual clauses approved by the EU Commission
  • Compliance with applicable data protection regulations

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email at least 30 days before the changes take effect. Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

Email: [email protected]
Website: mytho.dev

For data protection inquiries, please include "Privacy Request" in the subject line.

14. Supervisory Authority

If you're in the EU and have concerns about our data practices, you have the right to lodge a complaint with your local data protection authority.