Privacy Policy
Effective Date: March 22, 2026 | Version 3.0
This Privacy Policy is drafted in compliance with the Data Protection Act, 2012 (Act 843) of the Republic of Ghana. The Ghana Enterprises Agency (GEA) is committed to lawful, fair, and transparent processing of personal data.
Welcome to the Ghana Enterprises Agency (GEA) Client Portal (“Portal”). This policy explains how we collect, use, share, and protect personal data when you access and use the Portal, including certification and service forms, payments, messaging (SMS/Email/WhatsApp), push notifications, and administrative tools.
1. Who We Are (Data Controller)
The Portal is operated by Ghana Enterprises Agency (GEA) (“GEA”, “we”, “us”, “our”). For the purposes of the Data Protection Act, 2012 (Act 843), GEA acts as the Data Controller for personal data processed through the Portal.
2. Scope
This policy applies to data processed when you:
- Create or use an account (including OTP SMS login).
- Submit applications and forms (including Formidable Forms-based data collection).
- Make payments and receive receipts/invoices.
- Receive notifications via SMS, email, WhatsApp, or push notifications.
- Use administrative tools such as filtering, exports, bulk uploads, and directories.
- Use the Portal as a Progressive Web App (PWA).
3. Legal Basis for Processing
We process personal data under one or more of the following lawful bases:
- Consent: where you opt into a feature (e.g., notifications where applicable) or provide information voluntarily.
- Service delivery/contract: to provide Portal services, process applications, generate outputs, and support user accounts.
- Legal obligation: to meet audit, recordkeeping, and regulatory requirements.
- Public task/statutory function: where applicable to GEA’s mandate.
- Legitimate interests: to secure the Portal, prevent abuse, and improve service delivery.
4. Information We Collect
We collect information that you provide directly, information generated during Portal usage, and certain technical information collected automatically.
A. Account and Identity Data
- Username, email address, name and profile information you provide.
- User role/permissions (e.g., BAC users, regional users, administrators).
- Authentication/session data (WordPress login cookies and session indicators).
- OTP login activity (request time, verification attempts). OTP codes are not stored in plain text.
B. Contact Data
- Phone numbers (including WhatsApp where used) and email addresses.
- Operational contact directories used for communications (regional, district/BAC, head office).
C. Location & Directory Data
The Portal may store structured directory information used for operations, routing, and communications, such as:
- Country, Region, District, Assembly, Position.
- Regional and district/BAC phone numbers and emails.
- Head office emails.
- User references linking a directory entry to a Portal user where applicable.
D. Business, Certification, and Service Data
- Business details such as name, registration identifiers, operational information, sector/subsector/activity classification, and supporting documentation where required.
- Data submitted through certification and service forms used to generate certificates, reports, or eligibility outputs.
E. Payments and Transaction Data
- Transaction references, amounts, descriptions, and payment status.
- Payer phone number (e.g., mobile money) where required for payment initiation.
- Invoice/receipt links and payment audit records.
F. Communications Data (SMS / Email / WhatsApp / Push)
- Message content sent through the Portal and delivery status information (sent/failed) where logging is enabled.
- WhatsApp delivery metadata needed to send messages through WhatsApp Business/Meta Graph API.
- Push subscription details (endpoint and keys) if you enable web push notifications.
G. Technical & Usage Data
- IP address, browser type, device/OS information, and user agent.
- Security logs such as login and logout events and failed attempts.
- Approximate location derived from IP where used for security verification.
- PWA usage data, including service worker registration and caching behavior for faster loading.
H. Cookies and Local Storage
We use cookies/local storage for essential Portal functionality and feature preferences.
5. How We Use Your Information
We use your data for the purposes below:
| Purpose | Description |
|---|---|
| Account & Access | To authenticate users (including OTP login), manage roles/permissions, and protect account integrity. |
| Certification & Services | To process applications, manage records, and generate outputs such as certificates, reports, or service deliverables. |
| Communication | To send operational notifications and reminders via SMS, email, WhatsApp, and/or push notifications where enabled. |
| Payments | To initiate and confirm payments, issue receipts/invoices, and maintain transaction audit logs. |
| Security & Fraud Prevention | To detect suspicious activity, prevent abuse, and support incident response and auditing. |
| Analytics & Reporting | To produce operational reports and, where appropriate, anonymized or aggregated statistics for planning and program reporting. |
6. Messaging Templates and Placeholders
Some Portal tools allow messages to be sent using templates and placeholders. Where enabled, placeholders may include:
- {region}, {district}, {country}, {assembly}, {position}
These are used to personalize messages and are populated from directory/form data linked to the recipient.
7. Sharing Your Information with Third Parties
We share information with third parties only to operate the Portal, deliver services, and meet legal obligations. We do not sell your personal data.
SMS & Communication Providers
Your phone number and message content are transmitted to these providers to deliver notifications:
- mNotify
- Arkesel (fallback SMS gateway)
- Hubtel (messaging and/or payment services depending on configuration)
WhatsApp Messaging
If WhatsApp messaging is enabled, phone numbers and message content are transmitted via WhatsApp Business services (Meta Graph API).
Payment Processors
We use third-party payment processors to handle financial transactions safely. We do not store credit card details on our servers.
- Hubtel (including PayProxy checkout initiation/callbacks where configured)
- Paystack (where configured)
Geolocation Services
For security logging and location verification (where enabled), we may query services that map IP addresses to approximate location:
- ip-api.com, ipwho.is, ipapi.co: To determine location from IP addresses.
Push Notifications (Web Push)
If you opt in to push notifications, we store a browser subscription record (endpoint and keys) linked to your account and use it to deliver notifications.
Content Delivery Networks (CDNs) and Embedded Resources
Some front-end resources may be loaded from third-party CDNs (such as icons, fonts, or table libraries). Those providers may receive your IP address and user agent when your browser loads these resources.
8. International Transfers
Some providers used for communications, payments, push notifications, or content delivery may process data outside Ghana. Where this happens, we take steps to ensure appropriate safeguards consistent with applicable law.
9. Data Retention
We retain data for as long as necessary to provide services and comply with legal obligations. Retention periods vary by category:
- Account data: while your account remains active and for a limited period thereafter for audit/security.
- Certification/service records: retained to support program delivery and historical verification (may be long-term).
- Payment/transaction records: retained for auditing and statutory financial recordkeeping.
- OTP login codes: short-lived; expire automatically and are stored only in hashed form.
- Push subscriptions: retained until you unsubscribe, disable notifications, or the subscription becomes invalid.
- Logs: retained for troubleshooting and security auditing, then rotated/deleted according to operational policy.
10. Data Security
We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process. These include:
- Encryption: Data transmission is protected via SSL/TLS protocols.
- Access Control: Strict role-based access control (RBAC) ensures only authorized personnel (e.g., Regional/District Officers) can view your sensitive business data.
- Monitoring & Logging: Operational and security logging to support incident response and system stability.
11. Your Rights (Ghana Data Protection Act)
Under the Data Protection Act, 2012 (Act 843), you have the following rights:
- Right to Access: You can request copies of your personal data.
- Right to Rectification: You can request correction of inaccurate or incomplete data.
- Right to Erasure: You can request deletion of your personal data, subject to lawful retention requirements.
- Right to Restrict Processing: You can request that we restrict the processing of your personal data.
- Right to Object: You can object to the processing of your personal data for direct marketing purposes.
12. Children’s Privacy
The Portal is not intended for children. If we learn we have collected personal data from a child without appropriate authorization, we will take steps to delete it.
13. Changes to This Policy
We may update this policy to reflect changes in technology, law, or Portal features. We will post the updated version with a revised effective date.
14. Contact Us
If you have questions or comments about this policy, or wish to exercise your data rights, please contact us:
Ghana Enterprises Agency (GEA)
Head Office, Accra, Ghana
Email: support@geaclient.com
Phone: +233 30 394 3540
WhatsApp Support: Chat with Us