Privacy policy.
This policy explains how CediHub (“we”, “us”) collects, uses, stores and protects personal data when an institution licenses our operator console. It is written for two audiences: the financial institution that contracts with us (our customer), and the end-customer of that institution (the data subject).
If you are an end-customer of a rural bank, credit union or microfinance institution that uses CediHub, the institution remains the data controller. CediHub acts as a data processor under their instructions.
1. What we collect
Through the operator console and its mobile / USSD channels, the platform processes:
- Identity data: name, Ghana Card number, date of birth, photograph, signature, biometric reference returned by the NIA.
- Contact data: phone number, postal address, email (where given), next of kin.
- Financial data: account balances, transaction history, loan applications and repayments, susu contributions.
- Operational data: login events, IP address, device fingerprint, audit-log entries for every action a user takes inside the console.
2. Why we process it
- To provide core banking, lending, savings, payments and reporting services to the contracting institution.
- To meet anti-money-laundering, counter-financing-of-terrorism and Bank of Ghana reporting obligations.
- To detect and prevent fraud against the institution and its customers.
- To maintain, secure and improve the platform.
3. Legal basis
Processing relies on (a) the contractual relationship between the data subject and the institution, (b) the institution's legal obligations under the Banks and Specialised Deposit-Taking Institutions Act, 2016 (Act 930) and the Anti-Money Laundering Act, 2020 (Act 1044), and (c) the data subject's consent for non-essential processing such as marketing communications.
4. Where data lives
Production data is stored on encrypted infrastructure inside Ghana by default. A sovereign on-premise deployment is available where the institution's governance committee requires it. Daily backups are age-encrypted and stored off-site within the same jurisdiction.
5. How we protect it
- AES-256-GCM encryption for tenant secrets at rest; TLS 1.2+ in transit.
- Per-action role-based access control (RBAC) with audit trails.
- Least-privilege principle for all support engineers; no shared credentials.
- Append-only audit log of every read / write / approval action.
- Quarterly internal penetration tests; annual third-party review.
6. Sharing
We share personal data only with: (a) the contracting institution, (b) regulators where legally required (Bank of Ghana, FIC, GRA), (c) sub-processors essential to the service — Ghana telcos for MoMo settlement, the NIA for Ghana Card verification, our cloud and backup providers. A current list of sub-processors is available on request to privacy@cedihub.com.
7. Retention
We retain data for as long as the institution requires it to provide services and to meet statutory record-keeping obligations (typically six years from the end of the customer relationship under Ghanaian banking law). On contract termination, we return and / or securely destroy data within 90 days, subject to the institution's instructions.
8. Your rights
Under Act 843, you have the right to access your data, to correct inaccurate data, to object to processing, and to lodge a complaint with the Data Protection Commission of Ghana. To exercise these rights, contact the institution that holds your account first. If unresolved, you may write to privacy@cedihub.com.
9. Cookies
The public marketing site uses a single first-party preference cookie to remember that you have seen the cookie notice. The operator console uses a session cookie for authentication. We do not use third-party advertising or tracking cookies.
10. Changes
We will post material changes to this policy on this page and notify contracting institutions by email at least 30 days before they take effect.
Contact
CediHub · Accra, Ghana
privacy@cedihub.com