Legal

    Privacy Policy

    Effective 16 April 2026. We will post changes to this page and update the effective date.

    Counsel review required. This template is structurally complete but has not been reviewed by Ghanaian counsel. Every section marked [Counsel review] must be verified or replaced before the policy goes into force.

    01

    What we collect

    When you use CediSync we collect information in two ways: what you give us directly (account details, bureau details, billing information) and what the product generates as you use it (transaction records, audit log entries, device and session data).

    • Account data: name, email, phone, role.
    • Bureau data: bureau name, branches, staff list, currencies, rates, trades, customer records, vault balances, expenses.
    • Billing data: subscription status, invoices, payment reference (full card details are handled by Paystack, not us).
    • Usage data: pages visited, actions taken, timestamps, IP address, browser and device identifiers.

    02

    How we use it

    We use this data to operate the service, keep it secure, bill you, support you when you ask, and improve the product.

    We do not sell your data. We do not use your bureau data to train models. We do not use your customer records for anything other than providing the service back to you.

    [Counsel review — confirm explicit statements on profiling and automated decisioning per Ghana Data Protection Act.]

    03

    Legal basis

    We process personal data on the following bases under the Ghana Data Protection Act, 2012 (Act 843):

    • Contract: to deliver the service you have signed up for.
    • Legal obligation: to meet tax, AML, and regulatory requirements.
    • Legitimate interest: to secure the service, prevent fraud, and improve the product.
    • Consent: for optional communications you have opted into.

    [Counsel review — verify specific references to Act 843 and any subsidiary legislation.]

    04

    Who we share with

    We share data with vetted sub-processors who help us run the service — for hosting, email delivery, payments, and analytics — under written agreements that bind them to comparable or stronger protections than this policy.

    Current sub-processors:

    • Amazon Web Services (hosting, af-south-1 Cape Town)
    • Supabase (managed Postgres on AWS)
    • Paystack (subscription billing and payments)
    • Resend (transactional email delivery)

    We update this list when it changes. [Counsel review — confirm full sub-processor list and notification obligations.]

    05

    How long we keep it

    Account and bureau data is retained for the duration of your subscription and for 90 days after cancellation, during which you can export your records or reinstate the account. After 90 days we delete the data from production systems. Encrypted backups are purged on their normal rotation schedule within 35 days.

    Audit log entries are retained for 7 years to meet regulatory record-keeping expectations for bureaux. Billing records are retained for the period required by tax law.

    [Counsel review — confirm retention windows align with BoG and tax authority requirements.]

    06

    Your rights

    Under Ghanaian data protection law you have the right to:

    • Access a copy of the personal data we hold about you.
    • Correct data that is wrong.
    • Have data deleted where it is no longer needed for the purpose collected.
    • Object to processing in certain cases.
    • Lodge a complaint with the Data Protection Commission.

    To exercise any of these rights, email hello@cedisync.com. We respond within 30 days.

    07

    International transfers

    Your data is hosted in AWS af-south-1 (Cape Town). It does not leave the African continent in normal operation. Where a sub-processor operates outside Africa (for example, email delivery or analytics), we use appropriate safeguards — standard contractual clauses or equivalent — to ensure protections travel with the data.

    [Counsel review — verify mechanism for cross-border transfers and named jurisdictions.]

    08

    Security

    We describe our security practices in detail on our security page. Headlines: encryption at rest and in transit, row-level data isolation, role-based access, audit logging, daily backups.

    09

    Changes to this policy

    We update this policy when the underlying facts change. Material changes are notified by email to the account owner at least 30 days before they take effect. Non-material clarifications are posted here with an updated effective date.

    10

    Contact

    For privacy questions, data subject requests, or general enquiries: