Privacy Policy
Last updated: 28 May 2026
⚠️ Draft — pending legal review. This policy is based on Ghana's Data Protection Act, 2012 (Act 843) and the EU GDPR. It must be reviewed by a qualified data-protection lawyer before being published as binding. The Data Protection Commission of Ghana also requires that you register as a data controller before processing personal data commercially.
1. Who we are (the data controller)
[LEGAL ENTITY NAME] ("Adwuma", "we", "us") of [REGISTERED ADDRESS], Ghana is the data controller for personal data processed through this platform.
- Data Protection Commission registration: [DPC NUMBER] _(pending)_
- Data Protection Officer: dpo@adwumagh.com _(placeholder)_
2. What personal data we collect
We collect the following categories of personal data:
From you directly
| Category | Examples |
|---|---|
| Identity | Full name, date of birth, Ghana Card number |
| Contact | Phone number, email address, postal address |
| Authentication | Hashed password, OTP codes (short-lived), session tokens (hashed) |
| Financial | Mobile money number and network, bank account details (where provided), order history, ledger entries, invoice records |
| Identity verification | Ghana Card front + back image, selfie liveness video, biometric match score |
| Business profile | Storefront name, slug, tagline, description, logo, cover photo, RGD number, GRA TIN |
| Listings & content | Product titles, descriptions, photos, prices, location, perishability |
| Communications | In-app chat content, AI co-pilot conversations, customer support tickets |
| Preferences | Language, region, notification settings |
From your device
| Category | Examples |
|---|---|
| Technical | IP address, user agent, device type, operating system, browser, screen size |
| Usage | Pages viewed, features used, click paths, search queries, time on page |
| Location | Approximate city based on IP (precise GPS only when you explicitly opt in for a listing's pickup location) |
| Cookies / local storage | Session token, language preference, recently viewed listings |
From third parties
| Source | Data |
|---|---|
| Smile ID (or equivalent KYC partner) | Identity verification result, match confidence score |
| Hubtel / Paystack (payment providers) | Payment confirmation, transaction reference, payer name, MoMo network |
| Partner lenders | Credit decision, loan status, repayment record |
| Cloudflare (CDN/WAF) | Bot/threat signals |
3. Why we process it (lawful bases)
We process personal data on the following lawful bases under Ghana's Data Protection Act and GDPR Article 6:
| Purpose | Lawful basis |
|---|---|
| Operating your account and the platform | Contract (Art. 6(1)(b)) |
| Verifying your identity (KYC) | Legal obligation (Act 843, AML/CFT laws), and our legitimate interest in preventing fraud |
| Processing payments and payouts | Contract; legal obligation under payments law |
| Calculating a credit score from your activity | Your consent at the point you apply for credit |
| Sharing credit profile with a partner lender | Your consent at the point you select that lender |
| AI co-pilot interactions | Contract; legitimate interest in service improvement (with safeguards) |
| Marketing and product announcements | Consent (you can withdraw at any time) |
| Crash reporting and product analytics | Legitimate interest in security and quality |
| Responding to legal requests | Legal obligation |
4. Who we share it with
We share personal data only as necessary, with the following categories of recipients:
- Payment service providers — Hubtel, Paystack, and equivalent licensed providers in markets we expand into
- KYC / identity verification providers — Smile ID and equivalents
- Partner lenders — only the credit profile and only when you apply for credit through them
- Logistics partners — Jumia Logistics, Speedaf, or equivalents, only where you have chosen partner delivery
- Hosting and infrastructure — Contabo (servers), Cloudflare (CDN, WAF, storage)
- Communications providers — Hubtel SMS, WhatsApp Cloud API (Meta), email providers
- Government and regulators — where required by Ghanaian law or by court order
- Successors in interest — in the unlikely event of a merger, acquisition, or sale, your data may be transferred subject to the same protections set out here
We do not sell personal data to advertisers.
5. AI Co-pilot and your data
When you use the AI co-pilot:
- We send the most recent 40 turns of your conversation to our AI model provider (Anthropic and/or DeepSeek, configurable per deployment)
- We include summarised business data (sales totals, inventory counts, ledger entries) that the model needs to answer your question — never including raw images or KYC documents
- The model provider does not train on your data (per our contracts with them; check their own privacy notices for current terms)
- We retain conversation history for up to 24 months for service improvement, then anonymise
You can delete a co-pilot conversation from the chat UI at any time.
6. International transfers
Some processors (e.g. Anthropic, DeepSeek, Cloudflare) are located outside Ghana. Where personal data leaves Ghana we rely on one of the following:
- The recipient country has an adequate data-protection regime
- Standard contractual clauses (or the GDPR equivalent) with the recipient
- Your explicit consent for the transfer (where applicable)
7. How long we keep it
| Data category | Retention period |
|---|---|
| Identity and account records | Lifetime of the account + 6 years (anti-money-laundering requirement) |
| Order, payment, and payout records | 6 years after the transaction (Ghana Revenue Authority record-keeping) |
| KYC images and selfie videos | 5 years after account closure |
| In-app chat | 2 years |
| AI co-pilot conversations | 2 years, then anonymised |
| Marketing preferences and analytics | Until you withdraw consent or 13 months, whichever is shorter |
| Web server access logs | 90 days |
| Backups (PostgreSQL snapshots) | Rolling 30 days |
After the retention period, data is securely deleted or anonymised so that it can no longer be linked to you.
8. Your rights
You have the right to:
- Access the personal data we hold about you (request a copy)
- Correct inaccurate data
- Delete your data, subject to retention obligations above
- Restrict processing in some circumstances
- Object to processing on the basis of legitimate interest
- Withdraw consent at any time where processing was based on consent
- Receive a portable copy of data you provided
- Lodge a complaint with the Data Protection Commission of Ghana (https://www.dataprotection.org.gh) or, where applicable, your local supervisory authority
To exercise any of these rights, email dpo@adwumagh.com with enough information for us to verify your identity. We will respond within 30 days (extendable by a further 30 if the request is complex).
9. How we protect your data
We follow industry-standard security practices, including:
- TLS 1.2+ for all data in transit (where TLS is enabled — see operational status)
- Argon2id password hashing
- Hashed-only storage of refresh tokens and OTP codes
- Helmet and rate-limiting on the API
- Encrypted backups of the database
- Per-route rate-limits to prevent abuse
- PII redaction in application logs
- Quarterly security reviews, annual penetration testing once we are serving real users at scale
Despite these measures, no system is perfectly secure. If we discover a data breach affecting your personal data, we will:
- Notify the Data Protection Commission of Ghana within 72 hours of becoming aware
- Notify you directly when the breach is likely to result in a high risk to your rights and freedoms
10. Cookies and similar technologies
We use strictly necessary local storage to keep you signed in and to remember your language preference. We use functional storage to cache the catalogues you browse. We do not use third-party advertising cookies.
| Technology | Purpose | Duration |
|---|---|---|
| adwuma.access (localStorage) | Session JWT | Until you log out |
| adwuma.lang (localStorage) | Language preference | 1 year |
| adwuma.recent (localStorage) | Recently viewed listings | 7 days |
| Cloudflare cookies | DDoS protection | Up to 30 days |
You can clear these via your browser at any time.
11. Children
Adwuma is not intended for users under 18. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child under 18, we will delete it.
12. Changes to this policy
We will notify you of material changes in-app and by email at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.
13. Contact
Questions about this policy or your data:
- dpo@adwumagh.com _(placeholder)_
- Postal: [REGISTERED ADDRESS]
If you cannot resolve your concern with us, you can lodge a complaint with the Data Protection Commission of Ghana (https://www.dataprotection.org.gh).