Honest answers to every question you should ask before trusting us with your memories.
Beta Program Edition · v2026-05-02 · ghostbiographer.comWe wrote this because you deserve to know exactly what happens to your information. Not a vague promise, not a link to a policy document written by lawyers — a plain, honest account of how your data moves, where it goes, who can see it, and what risks exist.
We will not pretend this system is perfectly risk-free. No digital system is. What we will do is tell you the truth about the risks, what we have done to minimize them, and let you decide whether you are comfortable. That is the only honest way to ask for your trust.
If you have a question that is not answered here, please call us at (408) 583-1600 or email support@ghostbiographer.com. We will answer personally.
You do. Completely and always. GhostBiographer does not acquire any ownership of your content by virtue of you using the app. Your photographs, your voice, your stories, your biographical memories — they are yours before you start, they are yours while the app is helping you, and they are yours if you ever decide to leave.
Cornerstone Technologies is a custodian of your content while you are a subscriber — not an owner. The distinction matters. A custodian holds something for your benefit and returns it on request. That is our role.
Yes — completely and by design. Every GhostBiographer user has their own isolated storage environment. This is not a matter of access controls on a shared database; it is a fundamental architectural choice.
What this means technically: your Life-Arc knowledge graph — the accumulating record of everything the app has learned about your life, your photographs, your relationships, your stories — exists in its own dedicated data store. It is not commingled with anyone else's. There is no query that could accidentally return your data alongside another person's, because they live in entirely separate environments.
Your photographs are stored in a storage location prefixed with a unique identifier tied only to your account. Your conversation sessions, your biographical nodes, your annotations — all scoped exclusively to you at every layer of the system.
The shortest answer is: we hold them carefully for you, and that is all.
No. The only person who can see your Life-Arc, your photos, and your draft chapters is you (and anyone you explicitly choose to share with).
Per-user isolation is enforced at every layer of the system, not just at the user interface:
Other users on the platform are simply not visible to you, and you are not visible to them. The system does not have a "browse other people's biographies" feature — and never will.
The Life-Arc is the heart of GhostBiographer — it is the growing knowledge graph that the app builds as it learns about your life. It contains everything you share with the app: the names of the people in your photographs, their relationships to you, the stories you tell, the places you lived, the events you remember, the emotions you expressed.
So yes — it contains deeply personal information. That is what makes it powerful, and what makes protecting it so important to us.
The Life-Arc is stored on our servers in our PostgreSQL database. It is the persistent record that lets you resume your biography months or years later. We protect it in the following ways:
Encryption is the process of scrambling data into an unreadable form using a mathematical key. Only someone who holds the correct key can unscramble and read it. Without the key, the encrypted data is meaningless — a stream of random-looking characters that reveals nothing about its contents, regardless of how much computing power is applied to it.
Where GhostBiographer uses encryption, we use AES-256-GCM — the same standard used by banks, governments, and the military. The "256" refers to the length of the encryption key in bits. There are more possible AES-256 keys than there are atoms in the observable universe — a computer attempting to guess one by brute force would require longer than the age of the universe to succeed. The "GCM" part adds a built-in tamper-detection check — if a single bit of encrypted data is altered, decryption refuses to proceed.
Your data is protected in the following ways:
What this means in practice during the beta. An attacker who breached our network would face Azure-managed disk encryption, RLS-scoped queries, and per-user isolation — but not a per-user encryption key that only you hold. A small, audited team of Cornerstone administrators with production database credentials can, in principle, read content from the database in the course of debugging, support, or backup operations. We limit that team to the smallest set of people we can operate with, log every administrative action, rotate access regularly, and are working on architectural changes that would narrow this further. We chose to ship this honest description rather than oversell what is actually in place today.
Your account is protected by two-factor authentication, layered carefully so that no single failure can hand someone the keys to your story.
Don't panic. We've planned for this exact moment.
Several things, all working at once:
If we ever detect activity that looks like a real attempt to compromise your account, we'll contact you directly.
Every file you upload passes through a series of checks before it lands in your storage:
None of this is paranoia — it is the boring, careful work that keeps the app stable and prevents both accidental copy-paste mistakes and deliberate abuse.
This is the most important privacy question you can ask, and we want to answer it honestly — including the parts where we are still building toward a stronger guarantee.
Today, during the beta:
What we do not do today, but want to be transparent about: we do not currently hold your biographical content under a per-user encryption key that only you possess. A small, audited team of Cornerstone administrators with production credentials can read content from the database in the course of legitimate operations (debugging a bug you reported, restoring data from a backup, responding to a user-initiated support request). Every administrative action is logged.
What we are working toward. We are designing an architecture that will narrow administrative access further and move more of the trust boundary onto your device. When that work is shipped and verified, we will revise this document, send every active user a clear notification of the change, and invite you to review what changed and why. We will not quietly upgrade the description of our security without telling you.
During the beta, the honest answer is: a small, audited team can — though we hold ourselves to strict rules about when and why. We are not going to claim a guarantee we cannot enforce architecturally yet. Here is exactly what is true today.
The team with production database access is intentionally tiny — currently a single founder/operator, with a second engineer slated for read-only access during peak debugging windows. Every administrative session uses a rotated credential. Every administrative request is logged with the time, the source IP, and the endpoint touched.
We use that access only for purposes you would expect us to use it for:
We will not use that access for purposes you would not expect:
This question is the reason GhostBiographer exists. The KeyPad system is the mechanism that delivers your finished biography to the people you choose — and importantly, it gates that posthumous delivery on physical evidence held outside our company, so the final delivery does not depend on us being around forever.
Two paired physical key cards — small, ordinary-looking storage cards — are held in two different places.
The dual-physical-custody mechanism — the requirement of two paired cards, in two physical locations, plus a paper-and-card chain of evidence — is one of the patentable inventions in the GhostBiographer system.
Both situations are handled.
GhostBiographer is not a single AI — it is a pipeline that routes different tasks to different AI services, each chosen for its particular strength at that task. Here is an honest account of the services we use during the beta period:
This is the most technically detailed question we can answer, and we want to answer it fully. Here is a stage-by-stage account of what personal data leaves your app and goes to an AI service:
Stage 1 — When you upload a photograph
Stage 2 — When the app asks you a question about a photograph
Stage 3 — When you speak your response
Stage 4 — Extracting new facts from your response
Stages 5 & 6 — Outline and draft generation (later phases)
Under the current API terms of service for both OpenAI and Anthropic, data submitted through their APIs by developers (like us) is not used to train their models by default. This is different from data submitted through their consumer products (like the ChatGPT website), where training opt-outs may apply differently.
Specifically:
We also recommend you review Google's policies if we integrate any Google AI services, which we will disclose explicitly if and when we do.
We believe you deserve a candid risk assessment, not a reassurance campaign. Here is our honest evaluation:
| Risk | Likelihood | Impact | Our Mitigations |
|---|---|---|---|
| AI provider data breach OpenAI or Anthropic is hacked and API call contents are exposed |
LOW | HIGH if it occurred | We use only large, well-resourced providers with strong security programs. We send the minimum necessary data per call. We cannot fully control third-party security. |
| Cornerstone server breach Our servers are accessed without authorization |
LOW | MEDIUM-HIGH | Azure-managed at-rest encryption protects against physical disk theft. PostgreSQL Row-Level Security and per-user query scoping limit lateral movement. We do not, today, hold your content under a per-user key only you possess — so an attacker who reached running database services would, in principle, be able to read content. We mitigate this with hardened cloud infrastructure, restricted administrative surface, network isolation, audit logging, and alerting on anomalous access patterns. |
| AI provider policy change OpenAI or Anthropic changes their API data policies to allow training |
MEDIUM | MEDIUM | We monitor provider policies and will notify you of material changes. We would switch providers or build mitigations before any such change takes effect for your data. |
| Lost iPad / forgotten password You lose access to your account |
MEDIUM | LOW | You can reset your password via verified email and recover account access. Your one-time backup codes (generated when you set up two-factor authentication) restore access if you also lose your authenticator device. Because your content is not encrypted under a key only you hold, losing your device does not put your content at risk of permanent loss — just out of reach until you regain account access. |
| Transcript interception in transit Your voice transcript is intercepted while being sent |
VERY LOW | HIGH if it occurred | All transmissions use TLS 1.3 — the strongest available transport encryption. Interception is theoretically possible but extremely difficult in practice. |
| Cornerstone misuse Cornerstone employees or systems access your data inappropriately |
LOW | HIGH if it occurred | During the beta, a small audited team has the ability to read database content for legitimate operational reasons (debugging, support, backup, restore). We mitigate this through minimal staffing of that team, rotated credentials, full audit logging of every administrative action, written internal use policies, and a roadmap commitment to reduce this surface in future architecture work. |
| Government or legal demand A court order or government demand requires us to produce your data |
LOW | MEDIUM | We can produce only what we have. We will challenge demands we believe are improper, will produce only the narrowest content responsive to a valid legal process, and will notify you that a demand was received whenever we are legally permitted to. We will document any such demand in an annual transparency report. |
This is a fair question, and one we think about carefully.
If Cornerstone shuts down: we commit to providing at least 90 days' notice and offering every user a complete export of their data in a standard format (including all photographs, transcripts, Life-Arc data, and biography drafts) before any systems are decommissioned. After decommissioning, all data on our servers would be permanently deleted under documented procedures and a final destruction certificate.
If Cornerstone is acquired: your data would not transfer to an acquirer without your explicit consent. Any acquisition agreement would require the acquirer to honor this commitment or return your data to you. This commitment will be formalized in our full Terms of Service.
There are practical steps that meaningfully reduce your exposure:
Regardless of where you live, Cornerstone commits to honoring the following rights for every GhostBiographer user:
To exercise any of these rights, contact us at support@ghostbiographer.com or call (408) 583-1600.
Please reach out directly. We answer personally.
We would rather spend an hour on the phone answering your questions than have you participate with unresolved concerns. Your comfort and confidence are the foundation everything else is built on.