Alpha Privacy Policy

Privacy Policy

Last updated: May 18, 2026

Ghostlight (“we”, “us”, “our”) is operated from British Columbia, Canada. This Privacy Policy describes what personal information we collect through Ghostlight and its Theatre Manager application (the “Service”), how we use it, and the choices you have. We aim to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and British Columbia’s Personal Information Protection Act (PIPA).

The Service is currently in invite-only alpha. Our practices may evolve as we move toward general availability; we will update this Policy and notify you of material changes.

1. Information we collect

We collect information in three ways:

a) Information you provide

  • Account details: email address, password (stored as a salted hash, never in plain text), display name, and your acknowledgement that you are at least 19 years old and accept our Terms.
  • Actor profile: headshots, resumes, audition videos, demo reels, biographical details (pronouns, age range, height, hair colour, build), union affiliation, and contact information you choose to add.
  • Audition submissions: the materials you submit to a call, any selected roles, and any notes or scheduling responses you provide.
  • Production data (company accounts): productions, roles, schedules, talent roster entries, reviews, ratings, notes, and uploaded production files (scripts, music, blocking, etc.).
  • Support and feedback: messages you send us by email or through the Service.

b) Information collected automatically

  • Activity logs: actions you take in the Service (sign-in, file uploads, permission changes, etc.), with timestamps. These are used for security and audit purposes.
  • Technical data: IP address, browser user agent, approximate location derived from IP, and basic device characteristics. We use IP addresses for rate-limiting authentication endpoints to defend against brute-force attacks, and to log failed-login attempts on your account.
  • Cookies: we set a single HTTP-only session cookie when you sign in. We do not use third-party advertising or analytics tracking cookies during alpha.

c) Information from third parties

If a theatre company invites you to join its team or a talent roster, we may receive your name and email from that company in order to send the invitation.

2. How we use your information

  • provide, operate, and improve the Service;
  • route audition submissions to the recipient theatre company;
  • authenticate you, secure your account, and detect abuse;
  • send transactional emails — verification, password resets, callbacks, offers, scheduling updates, and important notices about the Service;
  • respond to your support requests and gather pilot feedback;
  • comply with legal obligations and enforce our Terms.

We do not sell your personal information. We do not use the Service to serve third-party advertising.

3. Who can see your information

Theatre companies you submit to see the audition materials and profile information you choose to share with that submission, along with any reviewer notes their team adds internally.

Members of a company team can see productions, submissions, roster entries, and shared files for that company. Per-team-member permission controls and personal notes are described in our product documentation.

We share with service providers (sub-processors) that help us run the Service, under contractual confidentiality and security obligations:

  • Supabase — managed Postgres database and file storage.
  • Vercel — application hosting and edge delivery.
  • Resend — transactional email delivery (verification, password reset, audition notifications).
  • Upstash — Redis-backed rate limiting.
  • Stripe — payment processing for pilot companies who opt in to billed services. Card details are handled by Stripe and never stored by us.

Some of these providers may store or process data outside Canada, including in the United States and the European Union. Where that’s the case, your information may be subject to the laws of those jurisdictions, including lawful access by foreign authorities.

We may also disclose information if required by law, in response to valid legal process, to protect our rights or the safety of users, or in connection with a corporate transaction (with notice to you where practicable and required).

4. Retention

We retain your information for as long as your account is active and as needed to provide the Service.

  • Account closure: when you delete your account, we soft-delete your user record (your email is anonymized) and remove or detach personal identifiers from related records. Audition submissions you sent to a theatre company remain visible to that company unless they delete them on their end, since they form part of the company’s casting record.
  • Activity logs and security records: retained for up to 24 months for audit, security, and incident response.
  • Backups: residual copies may persist in encrypted backups for a limited period after deletion.

We will keep this section in sync with our deletion logic as it matures; if you have questions about a specific data type, please reach out.

5. Your rights

You have the right to access, correct, or request deletion of your personal information. You may also withdraw consent for optional processing (subject to the consequences of doing so, such as no longer being able to use the Service).

Many of these rights can be exercised directly in the Service — you can update your profile, change your password, or close your account from your settings. For anything that you can’t do yourself, email hello@ghostlight.tech and we’ll respond within a reasonable timeframe (and within any statutory deadline).

If you believe we are not handling your information appropriately, you can contact the Office of the Privacy Commissioner of Canada or the Office of the Information and Privacy Commissioner for British Columbia.

6. Security

We use industry-standard measures to protect your information — encryption in transit (HTTPS), password hashing, HTTP-only session cookies, rate limiting on authentication endpoints, and account lockout after repeated failed login attempts. No system is perfectly secure, however, and because the Service is in alpha you should treat the Service as you would any pre-release software.

Suspect a security issue? Please report it to hello@ghostlight.tech.

7. Children

The Service is intended for users 19 years of age or older (the age of majority in British Columbia). We do not knowingly collect personal information from anyone under 19. If you become aware that someone under 19 has provided us with personal information, please contact us and we will take steps to delete it.

8. Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated through the Service or by email before they take effect. The “Last updated” date at the top of this Policy reflects the most recent revision.

9. Contact

Privacy questions, access or deletion requests, or feedback on this Policy: hello@ghostlight.tech.