Privacy Policy

Last updated: 2026-05-26

Specter is a local-first desktop app that syncs your Shopify articles and Ghost posts to a folder of local markdown files. This page describes — in plain English — what data Specter touches, where it lives, and who else sees it. This is a working document; have it reviewed by a lawyer before relying on it as your final published policy.

Data controller: aabergkvist AB · Swedish company reg. 559317-4948 · VAT SE559317494801 · Stålverksgatan 1, 302 50 Halmstad, Sweden. Trading as Brilliant Rebels.

What Specter is

Specter is a small desktop app that you install on your own computer. It connects to your blogs and stores — Shopify and Ghost — and keeps a folder of markdown files on your disk in two-way sync with them. Everything you write lives as plain .md files you can open in any editor.

What data Specter handles

On your computer (where almost everything lives)

The following data is stored locally on your machine, in a config directory at ~/.config/ghost-sync/ with file permissions set to 600 (your user account only):

  • Shopify access tokens — issued by your store during the Connect flow.
  • Ghost API keys — the keys you paste during onboarding.
  • Your post content — every article and post Specter has synced, as markdown files in the sync folder you chose.
  • License information — your license key and activation status.
  • App preferences — sync mode, conflict strategy, last-sync timestamps.

None of this is sent to a Specter server. It travels only between your computer and the CMS you connected it to.

On our server (only briefly, during the Connect flow)

When you connect a Shopify store, Specter uses a small handshake server to complete the OAuth approval safely. That server briefly stores:

  • A short-lived OAuth handshake record — proves the approval came from the right shop. Auto-deletes within minutes.
  • A single-use exchange code — used once to hand off the resulting Shopify access token to the desktop app over HTTPS. Auto-deletes within minutes (5-minute time-to-live).

No merchant content, no customer data, no order history, and no personally identifying information beyond the shop handle ever reaches our server. Once the exchange code is consumed, the record is deleted; if you abandon the Connect flow, it expires on its own.

From your CMS (Shopify or Ghost)

Specter reads and writes only what you ask it to sync:

  • Article and post content — body, title, tags, status, feature image URL, custom excerpt, slugs, frontmatter.
  • Container metadata — Shopify blog names; Ghost site identity.

Specter never reads anything outside the scope you grant. It does not read your customers, orders, products, payouts, themes, members, newsletters, analytics, or any other surface of your store or blog. For Shopify, the OAuth scopes requested are limited to article/blog read and write (read_content, write_content); for Ghost, Specter only ever uses the Admin API key you paste.

Third parties Specter touches

To do its job, Specter has to talk to a few external services:

  • Shopify — for the OAuth handshake and the Admin API calls that read and write your articles. Governed by Shopify’s privacy policy.
  • Ghost CMS — for Admin API calls against your own Ghost blog. Governed by your Ghost host’s privacy policy (Ghost(Pro), your self-hosted instance, etc.).
  • Our payment provider — handles checkout when you buy Spectersync Core. Acts as merchant of record, collects tax, processes the card. They see your payment details; we don’t.
  • Our license service — verifies your Pro license key when you activate. Sees your license key and a machine identifier. Does not see your content.
  • Our site host — serves the spectersync.com marketing site and the short-lived OAuth handshake server described above.

We chose each of these with privacy in mind: no advertising networks, no behavioural tracking SDKs, no third-party analytics that follow users between sites.

What we don’t do

To be explicit:

  • No telemetry. Specter does not phone home about your usage, settings, or what you’re syncing.
  • No usage tracking. We do not collect aggregate metrics on opens, sync counts, or activity from your installed app.
  • No selling data. We do not sell, rent, or share user data. Ever.
  • No bundled AI inference. Specter does not run language models against your content. If you want AI to edit your posts, you point your own tools (Claude, ChatGPT, Gemini, Copilot) at the local folder.
  • No training data extraction. We do not collect content from your blog or store to train models — ours or anyone else’s.

How to request deletion

Email hello@spectersync.com and tell us what you want removed. We respond within 14 days.

Because almost everything Specter touches lives on your own computer or with the CMS you connected, “deletion” usually means one of:

  • Local data: delete the sync folder and ~/.config/ghost-sync/ on your machine.
  • Shopify-side cleanup: if you uninstall Specter from your Shopify store, Shopify sends us standard GDPR webhooks (customers/data_request, customers/redact, shop/redact) and we honour them automatically. Any handshake records associated with your shop expire on their own within minutes.
  • Account data with us: payment receipts and license records held by our payment and license providers. Email us and we will request deletion through those providers on your behalf.

Data retention

  • On your computer: persists until you delete it. Specter does not auto-expire anything locally.
  • OAuth handshake records on our server: auto-expire 5 minutes after the handshake starts, or immediately when the exchange code is consumed — whichever comes first.
  • Purchase and license records: kept by our payment and license providers for as long as required by accounting and tax law (typically 7 years in Sweden). You can request deletion via the route above.
  • Email correspondence: kept for as long as needed to provide support. You can ask us to delete it.

Your rights

If you are in the EU/EEA, the UK, or another jurisdiction that grants you privacy rights, you have the right to access, correct, port, and delete data we hold about you, and to lodge a complaint with your local supervisory authority. Email us and we’ll route the request.

Changes to this policy

We will update this page when something material changes (a new provider, a new scope, a new data type). The “Last updated” date at the top reflects the most recent change.

Contact

hello@spectersync.com