Closed Beta Ghost Biographer is currently in an invitation-only closed beta. Contact us if you'd like to request access.
GhostBiographer Beta Program  ·  Privacy & Data Protection  ·  For Beta Testers
Your Privacy. Our Commitment.

Your Data, Your Story,
Your Control

Honest answers to every question you should ask before trusting us with your memories.

Beta Program Edition  ·  v2026-05-02  ·  ghostbiographer.com

We wrote this because you deserve to know exactly what happens to your information. Not a vague promise, not a link to a policy document written by lawyers — a plain, honest account of how your data moves, where it goes, who can see it, and what risks exist.

We will not pretend this system is perfectly risk-free. No digital system is. What we will do is tell you the truth about the risks, what we have done to minimize them, and let you decide whether you are comfortable. That is the only honest way to ask for your trust.

If you have a question that is not answered here, please call us at (408) 583-1600 or email support@ghostbiographer.com. We will answer personally.

Your Data — Ownership & Separation

You do. Completely and always. GhostBiographer does not acquire any ownership of your content by virtue of you using the app. Your photographs, your voice, your stories, your biographical memories — they are yours before you start, they are yours while the app is helping you, and they are yours if you ever decide to leave.

Cornerstone Technologies is a custodian of your content while you are a subscriber — not an owner. The distinction matters. A custodian holds something for your benefit and returns it on request. That is our role.

Your right to take it all back: At any time, you can request a complete export of your data in a standard format, or request permanent deletion. We will comply within 30 days, and typically much sooner.

Yes — completely and by design. Every GhostBiographer user has their own isolated storage environment. This is not a matter of access controls on a shared database; it is a fundamental architectural choice.

What this means technically: your Life-Arc knowledge graph — the accumulating record of everything the app has learned about your life, your photographs, your relationships, your stories — exists in its own dedicated data store. It is not commingled with anyone else's. There is no query that could accidentally return your data alongside another person's, because they live in entirely separate environments.

Think of it like a safety deposit box at a bank. The bank holds many boxes, but each one is physically separate. Your box contains only your things. The bank employee can carry your box to the counter, but cannot open it — because only you have the key. Other customers' boxes are in the vault too, but entirely separate and inaccessible to you or anyone else.

Your photographs are stored in a storage location prefixed with a unique identifier tied only to your account. Your conversation sessions, your biographical nodes, your annotations — all scoped exclusively to you at every layer of the system.

The shortest answer is: we hold them carefully for you, and that is all.

·
Your photos live in a private Azure Blob Storage container scoped only to your user ID. No other user can see into that container; our own employees cannot see into the photos meaningfully — see the next two questions for the technical reasons.
·
Your Life-Arc (your knowledge graph of names, places, dates, relationships, and stories) lives in its own database schema, isolated per user.
·
We do not sell your data. Not to advertisers, not to data brokers, not to research firms. There is no version of GhostBiographer where your stories are a product we monetize.
·
We do not use your stories or photos to train AI models. Our AI calls go through Microsoft Azure AI Foundry under terms that prohibit Microsoft from retaining your content for training. We have not opted in to any training-data agreement with any AI provider, and we will not.
·
We do not share your data with anyone without your explicit instruction — including, eventually, the executor you designate.

No. The only person who can see your Life-Arc, your photos, and your draft chapters is you (and anyone you explicitly choose to share with).

Per-user isolation is enforced at every layer of the system, not just at the user interface:

·
Every database query is scoped to a specific user ID. There is no query in our codebase that returns data without a user filter — we treat that as a non-negotiable rule and enforce it in code review and automated tests.
·
Every storage path in our blob storage is namespaced by user ID. A request for someone else's photo would resolve to a different folder you cannot see.
·
Every API call requires a valid login token tied to your account. You cannot fetch another user's session, draft, or biography even by guessing a URL.

Other users on the platform are simply not visible to you, and you are not visible to them. The system does not have a "browse other people's biographies" feature — and never will.

The Life-Arc is the heart of GhostBiographer — it is the growing knowledge graph that the app builds as it learns about your life. It contains everything you share with the app: the names of the people in your photographs, their relationships to you, the stories you tell, the places you lived, the events you remember, the emotions you expressed.

So yes — it contains deeply personal information. That is what makes it powerful, and what makes protecting it so important to us.

The Life-Arc is stored on our servers in our PostgreSQL database. It is the persistent record that lets you resume your biography months or years later. We protect it in the following ways:

1
Per-user isolation. PostgreSQL Row-Level Security and per-query user-id scoping ensure that no application code path can return one user's Life-Arc in response to another user's request.
2
Encryption at rest. The disks holding the database are encrypted by Microsoft Azure at the storage layer. Anyone who obtained a stolen disk would see ciphertext, not your content.
3
Encrypted in transit. Every byte travelling between your device and our servers is wrapped in TLS 1.2 or higher.
What we want to be transparent about: the Life-Arc is not, today, encrypted under a per-user key that only you possess. A small, audited team of Cornerstone administrators with production-database credentials can read content in the database in the course of legitimate operations (debugging an issue you reported, restoring data, responding to support requests). Every administrative action is logged. We are working toward stronger isolation; the "How are encryption keys held during the beta?" section below describes exactly where we are today and where we are going.
Encryption — How Your Data Is Locked

Encryption is the process of scrambling data into an unreadable form using a mathematical key. Only someone who holds the correct key can unscramble and read it. Without the key, the encrypted data is meaningless — a stream of random-looking characters that reveals nothing about its contents, regardless of how much computing power is applied to it.

Where GhostBiographer uses encryption, we use AES-256-GCM — the same standard used by banks, governments, and the military. The "256" refers to the length of the encryption key in bits. There are more possible AES-256 keys than there are atoms in the observable universe — a computer attempting to guess one by brute force would require longer than the age of the universe to succeed. The "GCM" part adds a built-in tamper-detection check — if a single bit of encrypted data is altered, decryption refuses to proceed.

What we want to be transparent about during the beta: GhostBiographer protects your data through a layered combination of transport encryption, server-side encryption-at-rest, strict per-user data isolation, and AES-256-GCM encryption of the most sensitive credentials. We do not, today, hold your biographical content under a per-user key that only you possess. The only people with administrative access to the production database are a small, audited team at Cornerstone — and we explain below what that team can and cannot see, and why we are working toward stronger isolation.

Your data is protected in the following ways:

1
In transit. Every byte travelling between your iPad and our servers is wrapped in TLS 1.2 or higher (most often TLS 1.3) — the same technology that secures online banking. We never accept unencrypted connections to the app.
2
At rest in the database. The disks holding your photos, transcripts, and Life-Arc are encrypted by Azure at the storage layer. Anyone who obtained a stolen disk would see ciphertext, not your content.
3
Per-user data isolation. Every database query the app issues is scoped to the authenticated user's ID, enforced at the database layer through PostgreSQL Row-Level Security. There is no code path that can return one user's content in response to another user's request.
4
The most sensitive credentials are encrypted with their own key. Your two-factor-authentication seed (the secret that generates your six-digit login codes) is encrypted with AES-256-GCM before being written to the database, using a key derived separately from our master secret via HKDF-SHA256. Your password is never stored — only a one-way bcrypt hash. Backup recovery codes are also stored only as hashes.
5
For posthumous delivery: the KeyPad system. When you complete your finished biography and set up posthumous delivery to your designated executor, that delivery is gated by a Data Encryption Key wrapped under a physical-card escrow scheme — see the section below, "What happens to my data if I die?" The KeyPad is for that specific posthumous pathway, not for daily access to your in-progress drafts.

What this means in practice during the beta. An attacker who breached our network would face Azure-managed disk encryption, RLS-scoped queries, and per-user isolation — but not a per-user encryption key that only you hold. A small, audited team of Cornerstone administrators with production database credentials can, in principle, read content from the database in the course of debugging, support, or backup operations. We limit that team to the smallest set of people we can operate with, log every administrative action, rotate access regularly, and are working on architectural changes that would narrow this further. We chose to ship this honest description rather than oversell what is actually in place today.

Your account is protected by two-factor authentication, layered carefully so that no single failure can hand someone the keys to your story.

Closed beta exception (May 2026): while we're hand-holding the first wave of beta testers, you can sign in for the first time with a one-tap email link — no password or six-digit code needed on day one. Two-factor authentication becomes required within 7 days of activating your account; you set it up in Settings → Security at your own pace before the deadline. We're doing this because nearly every beta tester has hit some friction at the password / authenticator step, and we'd rather get you into the app first and secure your sign-in second — with our help if you want it.
1
A password you choose. Stored only as a one-way hash — even we cannot recover it. (If you forget it, you reset it; you don't retrieve it.)
2
A six-digit code from your authenticator app. This is called a TOTP code — Time-based One-Time Password. We are required by design to verify this on every login, every account; it is not optional. The underlying secret that generates these codes is itself encrypted at rest in our database using AES-256-GCM. The encryption key is derived from our server's master key using a cryptographic technique called HKDF-SHA256, with a domain separator that ensures your TOTP key is mathematically distinct from any other key in the system.
3
Backup codes. You receive one-time recovery codes when you set up TOTP. Print them or save them somewhere safe. If you ever lose your authenticator device, these get you back in.
4
Passkeys (Face ID, Touch ID, Windows Hello). On devices with biometric hardware, you can use a passkey for everyday login instead of typing a code. The biometric never leaves your device — only a cryptographic proof does.
The practical consequence: a stolen password alone cannot get into your account. A stolen database alone cannot generate your six-digit codes. Both layers would have to fail simultaneously, on the same account, for an attacker to have a chance.

Don't panic. We've planned for this exact moment.

1
Use one of your backup codes. When you set up two-factor authentication, you were given a list of one-time recovery codes. Each one works exactly once. Enter one in place of the six-digit code, and you're in.
2
Use your passkey, if you set one up. If you registered Face ID or Touch ID on a different device, that device can sign you in even without your phone.
3
Contact us for an MFA reset. If neither of the above works, call (408) 583-1600 or email us. We will verify your identity through our support team — deliberately more slowly than normal login — and reset your two-factor setup. You will then re-register a new authenticator and receive new backup codes.
One thing we cannot do: we cannot tell you what your TOTP secret is, even if you ask us in person. Once it's encrypted in our database, even our own engineers cannot read it. The reset path is the only way back.

Several things, all working at once:

·
Rate limiting. Repeated failed logins from any single source are slowed down and eventually blocked. Brute-force guessing is not a viable strategy against this app.
·
Audit logging. Every failed login attempt is recorded — the time, the IP address it came from, and which account was targeted. We do not log what password was attempted; we log only that an attempt happened.
·
Two-factor still stands. Even an attacker who somehow guesses your password is stopped cold by the six-digit code requirement.
·
Administrative access is fully audited. Internally, our administrative tools require a long secret key that is rotated on a documented schedule. Every use of that key — successful or rejected — is recorded in the audit log along with the source IP address and which administrative endpoint was touched. There is no quiet back door.

If we ever detect activity that looks like a real attempt to compromise your account, we'll contact you directly.

Every file you upload passes through a series of checks before it lands in your storage:

1
Image verification. Each photo is opened and verified to be a real, valid image. Corrupt files, "zip bombs" (compressed files that try to overwhelm a server when unpacked), and other binaries disguised as photos are rejected with a clear error message.
2
Length limits on every text field. Messages to the biographer are capped at 4,000 characters. Filenames and labels are capped at 255 characters. These limits are enforced on the server, not just in the browser, so they cannot be bypassed.
3
Bulk uploads (up to 200 photos at once) are validated per-file. If 198 succeed and 2 are corrupt, you get a detailed report telling you exactly which two failed and why — no silent partial-success.
4
Photo metadata is stripped. Before storing your photo, we strip out embedded metadata that often contains GPS coordinates of where the photo was taken and the camera serial number. The image you uploaded is preserved; the location of your front porch is not.

None of this is paranoia — it is the boring, careful work that keeps the app stable and prevents both accidental copy-paste mistakes and deliberate abuse.

This is the most important privacy question you can ask, and we want to answer it honestly — including the parts where we are still building toward a stronger guarantee.

Today, during the beta:

·
Transport keys (TLS) are negotiated between your iPad and our servers for each session and discarded when the session ends. These are managed by the operating system on both sides and are not held by Cornerstone after the fact.
·
At-rest disk-encryption keys for the database itself are managed by Microsoft Azure as part of our hosting platform. They protect against physical theft of storage hardware.
·
The application-level key that encrypts your TOTP secret is derived from a master secret held by our backend services. It is rotated under a documented procedure and is never logged or transmitted. This key never leaves the server, and it is the only encryption key directly associated with content of yours that we hold.
·
Your password is stored only as a one-way bcrypt hash. We cannot recover it, even with full database access — if you forget it, you reset it.
·
The KeyPad escrow keys for posthumous biography delivery are split between two physical cards held in two different physical locations, and are only used at the moment of posthumous handoff (see the next section). They do not protect your in-progress content during normal use.

What we do not do today, but want to be transparent about: we do not currently hold your biographical content under a per-user encryption key that only you possess. A small, audited team of Cornerstone administrators with production credentials can read content from the database in the course of legitimate operations (debugging a bug you reported, restoring data from a backup, responding to a user-initiated support request). Every administrative action is logged.

Why we are telling you this directly. We considered describing the system more aspirationally and decided not to. You are entrusting us with intimate memories during a beta period where we are still building the product. You deserve to know exactly what protects your content right now, exactly who can in principle access it, and exactly what we are working toward. We would rather earn your trust slowly with the truth than quickly with a marketing claim we would later have to walk back.

What we are working toward. We are designing an architecture that will narrow administrative access further and move more of the trust boundary onto your device. When that work is shipped and verified, we will revise this document, send every active user a clear notification of the change, and invite you to review what changed and why. We will not quietly upgrade the description of our security without telling you.

During the beta, the honest answer is: a small, audited team can — though we hold ourselves to strict rules about when and why. We are not going to claim a guarantee we cannot enforce architecturally yet. Here is exactly what is true today.

The team with production database access is intentionally tiny — currently a single founder/operator, with a second engineer slated for read-only access during peak debugging windows. Every administrative session uses a rotated credential. Every administrative request is logged with the time, the source IP, and the endpoint touched.

We use that access only for purposes you would expect us to use it for:

·
Investigating a bug or error you reported, when we cannot reproduce it without looking at your account state
·
Restoring data you accidentally deleted, when you have asked us to
·
Responding to a feedback report or support request you submitted through the app
·
Performing routine database backup, restore, and migration operations
·
Complying with a valid legal process (a court order or law-enforcement subpoena), in which case we will notify you if legally permitted to

We will not use that access for purposes you would not expect:

·
We do not browse user content for internal interest, marketing analysis, or product research
·
We do not share your content with third parties for any purpose other than the AI processing required to operate the app and providers explicitly disclosed in this FAQ
·
We do not train AI models on your content, and the AI providers we use have agreed in their API terms not to train on it either
·
We do not sell, rent, or otherwise commercialize your data
If you are uncomfortable with administrative read-access existing during the beta — and that is a reasonable position to hold — please tell us. We will help you decide whether the beta program is right for you at this stage, with no penalty if you choose to wait until we have shipped stronger isolation. The whole point of being in the beta is that you are seeing the product before it is finished, and that includes seeing the security posture before it is finished.
After You're Gone — The KeyPad System

This question is the reason GhostBiographer exists. The KeyPad system is the mechanism that delivers your finished biography to the people you choose — and importantly, it gates that posthumous delivery on physical evidence held outside our company, so the final delivery does not depend on us being around forever.

Two paired physical key cards — small, ordinary-looking storage cards — are held in two different places.

1
When you sign up, we generate a matched pair of cards. Card A stays locked in our secure facility — the "vault card." Card B is mailed by FedEx to whomever you designate as your literary executor (typically a family member or trusted friend), accompanied by a paper insert with their name, your name, and clear instructions about what the card is and when to use it.
2
The finished biography file (the printable PDF, ebook, or audiobook the system produces from your Life-Arc) is encrypted with a Data Encryption Key (DEK). The DEK is wrapped using key material from your vault card and stored only in wrapped form. The matching half of that wrapping lives on Card B, in your executor's possession.
3
While you are alive, the cards sit dormant. Your in-progress Life-Arc and conversation content live in our database under the protections described in the encryption section above (per-user isolation, server-side disk encryption, audited admin access). The KeyPad mechanism gates the posthumous handoff, not your day-to-day usage.
4
When you pass, your executor returns Card B to us along with the paper insert and proof of your passing (typically a death certificate). After we verify the legal documentation, we — for the first time — combine Card A and Card B to unwrap the DEK and deliver your finished biography to your executor in the format you chose: print, ebook, audiobook, or all three.
What KeyPad guarantees: the wrapped final biography file cannot be unwrapped by us, by a court, by an acquirer, or by an adversary with full database access — without Card B. Neither card is sufficient on its own. The wrapping requires both cards, in physical form, in the same place.
What KeyPad does not guarantee: KeyPad protects the wrapped final-biography file. It does not encrypt your in-progress Life-Arc, photographs, or conversation transcripts during your lifetime; those are protected by the layered measures in the encryption section above and remain readable in principle by our small audited admin team during legitimate operations. We considered describing this more aspirationally and chose not to.

The dual-physical-custody mechanism — the requirement of two paired cards, in two physical locations, plus a paper-and-card chain of evidence — is one of the patentable inventions in the GhostBiographer system.

Eleanor finishes her biography over two years. Her executor, her daughter Margaret, has Card B and the paper insert sitting in a fireproof box in her own home — she's never opened it; she's just been told what it is. Eleanor passes. Margaret sends the card and the death certificate to Cornerstone via tracked mail. After verification, Cornerstone combines Card A with Card B, unwraps the final-biography DEK, and prints three copies — one for Margaret, one for her brother, one for the family library. The cards are destroyed after delivery.

Both situations are handled.

·
Designating a new executor: from your account settings, you can request a new card pair. The old pair is retired in our records and a fresh pair is generated and mailed to your new executor. Your biography content is unaffected — the underlying encryption is rewrapped to the new pair.
·
Lost Card B: if your executor reports the card lost or destroyed, we issue a replacement following the same identity-verification path used for any executor change.
·
Concerned about your executor? You can change them at any time, for any reason, through your account. The previous executor's card is invalidated when the new pair is issued.
AI Models — Which Ones, When, and What They See

GhostBiographer is not a single AI — it is a pipeline that routes different tasks to different AI services, each chosen for its particular strength at that task. Here is an honest account of the services we use during the beta period:

1
OpenAI (GPT models) — Used for conversational interview generation: forming the questions the app asks you about your photographs and your life. Also used for extracting structured biographical facts from your responses — turning what you say into organized knowledge graph entries.
2
Anthropic (Claude models) — Used for longer-form tasks: generating your chapter outlines, drafting your biography prose, and performing continuity checks across your narrative. Claude is particularly well-suited to sustained, nuanced long-form writing.
3
OpenAI Whisper (speech-to-text) — Used to transcribe your voice recordings into text. Your voice audio is sent to Whisper, which returns a text transcript. The audio is not retained by OpenAI after transcription.
4
Vision AI (OpenAI GPT-4o Vision or equivalent) — Used to analyze your photographs: identifying people, places, events, approximate dates, and contextual details that the app uses to ask you informed questions.
5
InsightFace / ArcFace (face recognition) — Used to detect and group faces across your photograph collection, so the app can recognize that the same person appears in multiple photos and ask you to identify them once rather than repeatedly. This runs on our own servers — it is not a third-party API call.
6
Kokoro TTS (text-to-speech) — Used to read the app's questions and responses aloud to you in a natural voice. This runs locally on our infrastructure and does not send your data to a third party.
We may add or substitute AI providers as better options become available or as costs change. We will update this document and notify beta testers when we do. We will never add a provider whose data practices we have not reviewed.

This is the most technically detailed question we can answer, and we want to answer it fully. Here is a stage-by-stage account of what personal data leaves your app and goes to an AI service:

Stage 1 — When you upload a photograph

What is sent: The photograph itself (image pixels) is sent to the Vision AI service (OpenAI GPT-4o Vision). The image may contain faces, locations, handwritten notes, personal objects, and other identifying visual content.
What comes back: A structured description — who appears to be in the photo, what event it depicts, an estimated date, notable objects. This is stored in your encrypted Life-Arc.
Is the image retained by OpenAI? Per OpenAI's API data policy at the time of writing, images submitted via API are not used to train models and are not retained beyond the processing window. We recommend you review their current policy at openai.com/policies.
You upload a photograph of your mother's 60th birthday party in 1978. The image is sent to the Vision AI. It returns: "A group of approximately 8 adults gathered around a table with a birthday cake. The setting appears to be a home dining room, likely late 1970s based on clothing and décor." This description is encrypted and stored in your Life-Arc. The image itself is then stored in your encrypted blob storage.

Stage 2 — When the app asks you a question about a photograph

What is sent: A carefully constructed prompt to the conversational AI (OpenAI GPT or Claude). This prompt includes: the photo's description from Stage 1, a summary of relevant entries from your Life-Arc (people, events, places already known to be connected to this photo), and the history of the current conversation session.
What comes back: The AI's next question — delivered to you as text and read aloud by the TTS system.
What personal content is in this prompt? The Life-Arc summary that is included may contain names, relationships, dates, and biographical facts you have previously shared. For example: "The user's mother is named Ruth, born 1918, who lived in Detroit. The user has mentioned her sister Carol and brother-in-law Frank."
The app is about to ask you a question about that birthday party photo. The prompt it sends to the AI might read: "The user is looking at a photograph of a birthday celebration, approximately 1978. Their Life-Arc indicates their mother Ruth turned 60 in 1978 and lived in Detroit. Known attendees from prior sessions include their sister Carol and Frank. Generate a warm, curious opening question that invites the user to share a memory about this event." The AI returns: "Is that Ruth's 60th? Who organised the party — was it you, or did Carol take charge?" That question is read aloud to you.

Stage 3 — When you speak your response

What is sent: Your voice recording (audio file) is sent to OpenAI Whisper for transcription.
What comes back: Your words as text, including any emotional cues Whisper detects (e.g., [sighs], [long pause]).
Sensitivity level: This is the most sensitive data transmission in the system. Your own words, spoken aloud, about your most personal memories, are transmitted as audio to a third-party service. This cannot be avoided — on-device transcription at the accuracy level required for biographical content is not yet reliable enough for our purposes.

Stage 4 — Extracting new facts from your response

What is sent: Your transcribed response text is sent to the AI with an instruction to identify any new biographical facts mentioned — new names, dates, relationships, events.
What comes back: A structured list of new entities to add to your Life-Arc. These are encrypted and stored.

Stages 5 & 6 — Outline and draft generation (later phases)

What is sent: A comprehensive summary of your Life-Arc — potentially many months of accumulated biographical data — along with your interview transcripts relevant to each chapter. This is the largest data transmission in the system.
What comes back: Your chapter outline, then your biography draft prose — which is immediately encrypted and stored in your Life-Arc.
Sensitivity level: High. This transmission may include decades of your most personal memories, relationships, and experiences, consolidated into a single context window sent to the AI.
The key thing to understand: in all of these stages, the data is sent to the AI service for processing only — like handing a document to a typist to transcribe, and taking it back when they are done. The AI does not keep a copy, build a profile of you, or use your content to train future models (under the API terms of both OpenAI and Anthropic at the time of writing). But the transmission does occur, and we want you to know it.

Under the current API terms of service for both OpenAI and Anthropic, data submitted through their APIs by developers (like us) is not used to train their models by default. This is different from data submitted through their consumer products (like the ChatGPT website), where training opt-outs may apply differently.

Specifically:

·
OpenAI API: Per their current policy, API data is not used for model training unless a customer explicitly opts in. We have not opted in.
·
Anthropic API: Per their current policy, API data is not used for model training without customer agreement. We have not provided that agreement.
Honest caveat: These policies are set by those companies, not by us, and they can change. We monitor them and will notify you of any material change. We recommend periodically reviewing their current policies directly: openai.com/policies and anthropic.com/privacy.

We also recommend you review Google's policies if we integrate any Google AI services, which we will disclose explicitly if and when we do.

Risk Assessment — Honest and Candid

We believe you deserve a candid risk assessment, not a reassurance campaign. Here is our honest evaluation:

Risk Likelihood Impact Our Mitigations
AI provider data breach
OpenAI or Anthropic is hacked and API call contents are exposed
LOW HIGH if it occurred We use only large, well-resourced providers with strong security programs. We send the minimum necessary data per call. We cannot fully control third-party security.
Cornerstone server breach
Our servers are accessed without authorization
LOW MEDIUM-HIGH Azure-managed at-rest encryption protects against physical disk theft. PostgreSQL Row-Level Security and per-user query scoping limit lateral movement. We do not, today, hold your content under a per-user key only you possess — so an attacker who reached running database services would, in principle, be able to read content. We mitigate this with hardened cloud infrastructure, restricted administrative surface, network isolation, audit logging, and alerting on anomalous access patterns.
AI provider policy change
OpenAI or Anthropic changes their API data policies to allow training
MEDIUM MEDIUM We monitor provider policies and will notify you of material changes. We would switch providers or build mitigations before any such change takes effect for your data.
Lost iPad / forgotten password
You lose access to your account
MEDIUM LOW You can reset your password via verified email and recover account access. Your one-time backup codes (generated when you set up two-factor authentication) restore access if you also lose your authenticator device. Because your content is not encrypted under a key only you hold, losing your device does not put your content at risk of permanent loss — just out of reach until you regain account access.
Transcript interception in transit
Your voice transcript is intercepted while being sent
VERY LOW HIGH if it occurred All transmissions use TLS 1.3 — the strongest available transport encryption. Interception is theoretically possible but extremely difficult in practice.
Cornerstone misuse
Cornerstone employees or systems access your data inappropriately
LOW HIGH if it occurred During the beta, a small audited team has the ability to read database content for legitimate operational reasons (debugging, support, backup, restore). We mitigate this through minimal staffing of that team, rotated credentials, full audit logging of every administrative action, written internal use policies, and a roadmap commitment to reduce this surface in future architecture work.
Government or legal demand
A court order or government demand requires us to produce your data
LOW MEDIUM We can produce only what we have. We will challenge demands we believe are improper, will produce only the narrowest content responsive to a valid legal process, and will notify you that a demand was received whenever we are legally permitted to. We will document any such demand in an annual transparency report.
The two risks we consider most significant in practice: first, the transmission of your voice transcripts and Life-Arc summaries to third-party AI APIs during active use — your content is briefly visible as plaintext to those providers, although they have agreed in their API terms not to retain or train on it. Second, the existence of administrative database access during the beta — content readable by a small audited Cornerstone team is also content that can in principle be exposed by mistake or by attack. We have minimized both surfaces, and we describe them honestly so you can decide whether your comfort matches the protection in place today.

This is a fair question, and one we think about carefully.

If Cornerstone shuts down: we commit to providing at least 90 days' notice and offering every user a complete export of their data in a standard format (including all photographs, transcripts, Life-Arc data, and biography drafts) before any systems are decommissioned. After decommissioning, all data on our servers would be permanently deleted under documented procedures and a final destruction certificate.

If Cornerstone is acquired: your data would not transfer to an acquirer without your explicit consent. Any acquisition agreement would require the acquirer to honor this commitment or return your data to you. This commitment will be formalized in our full Terms of Service.

We treat your data as something we are holding in trust, not as a commercial asset. The 90-day notice, the export-on-request commitment, and the explicit-consent requirement before any transfer to an acquirer are the contractual protections you have today; we are also working toward stronger architectural protections, and we will tell you when those land.

There are practical steps that meaningfully reduce your exposure:

1
Use a strong, unique password. A strong, unique password is the first barrier between your account and an attacker. Combined with two-factor authentication, it makes account takeover extremely difficult.
2
Keep your iPad's operating system up to date. Outdated operating systems have known vulnerabilities. Recent versions of iOS protect against many classes of attack that older versions do not.
3
Enable Face ID or Touch ID. This adds a biometric layer before the app can be opened. If someone else picks up your iPad, they cannot access your GhostBiographer session without your face or fingerprint.
4
Save your one-time backup codes somewhere safe. When you set up two-factor authentication, you receive a list of recovery codes. Print them or store them in a password manager so that losing your authenticator device does not lock you out of your own biography.
5
Tell us if you want a story off the record. If there are sensitive stories you wish to talk through but are not ready to have written down, tell the biographer at the start of the session that this is "off the record" — we will treat it accordingly. (A formal Off-the-Record mode is on the roadmap; for now, this works through the conversation itself.)
Your Rights & Our Commitments

Regardless of where you live, Cornerstone commits to honoring the following rights for every GhostBiographer user:

·
Right to access: You can request a complete copy of all data we hold for your account at any time.
·
Right to export: You can request your data in a portable, standard format (JSON for structured data, original files for photographs and recordings).
·
Right to deletion: You can request permanent deletion of all your data. We will confirm deletion within 30 days.
·
Right to correction: You can correct any personal information in your account at any time through the app.
·
Right to withdraw: You can stop participating in the beta program at any time, for any reason, with no penalty beyond the loss of your beta discount.

To exercise any of these rights, contact us at support@ghostbiographer.com or call (408) 583-1600.

Please reach out directly. We answer personally.

Phone: (408) 583-1600
Email: support@ghostbiographer.com
Mail: Cornerstone Technologies, Inc., 2059 Camden Ave #298, San Jose, CA 95124

If you have a question that is not answered here and that you think other beta testers would want to know, tell us — we will add it to this document.

We would rather spend an hour on the phone answering your questions than have you participate with unresolved concerns. Your comfort and confidence are the foundation everything else is built on.