Privacy Policy

TrustGH, referred to as "we," "us," or "our," is a digital trust and verification platform that allows users to verify phone numbers, businesses, and social media accounts before engaging in transactions. This Privacy Policy explains how we collect, use, disclose, and protect your personal information in compliance with Ghana's Data Protection Act, 2012, which is Act 843, and the Cybersecurity Act, 2020, which is Act 1038. By using TrustGH, whether through our web application, mobile application, or API, you consent to the practices described in this policy.

We collect information in three main ways: information you provide directly to us, information we collect automatically when you use our service, and information we obtain from third parties.

When you provide information directly to us, this includes your user account data such as your name, phone number, email address, and one-time password verification details. If you register your business with us, we collect business registration data including your business name, registration documents, identification cards, official phone numbers, and social media handles. When you submit scam reports, we collect the phone number being reported, a description of the scam, any screenshots you provide, and the category of scam. Additionally, when you communicate with our support team, we collect the messages you send to us.

We also collect information automatically when you use TrustGH. This includes usage data such as the phone numbers you search for, how frequently you search, and which pages you visit. We collect device data including your IP address, device type, browser type, and operating system. We also collect approximate location data based on your IP address.

Finally, we obtain information from third parties. This includes publicly available records, user-generated reports that are crowd-sourced, and in the future, we may integrate with telcos such as MTN, Telecel, and AirtelTigo, but only with your explicit consent.

We use your information strictly for specific purposes that are permitted under the Data Protection Act. We provide phone number risk scores based on a legitimate interest in fraud prevention. We verify and badge legitimate businesses based on contractual necessity because you have requested our verification service. We build and maintain our scam report database in the public interest of cybersecurity. We generate risk scores ranging from zero to one hundred based on legitimate interest. We send alerts about flagged numbers only when you have given us your consent. We comply with legal requests from law enforcement and courts based on our legal obligation. We also improve our fraud detection algorithms based on legitimate interest.

It is important to note that we do not sell your personal data to third parties under any circumstances.

Under Sections forty-two through forty-six of the Cybersecurity Act of 2020, TrustGH operates as a platform supporting critical information infrastructure protection in Ghana.

We comply with the Act by reporting significant cyber incidents, such as scam patterns and mass fraud, to the Cyber Security Authority as required by law. We maintain a transparent risk scoring system that is clearly explained to users. We ensure that our scam reporting engine does not facilitate false reporting or vigilante action against innocent individuals or businesses. We cooperate fully with the Cyber Security Authority on investigations of cyber fraud, including SIM impersonation, WhatsApp scams, and mobile money fraud.

Users who knowingly submit false scam reports may be reported to the Cyber Security Authority and may face legal consequences under Act 1038.

Under Act 843, we adhere to eight data protection principles.

Accountability: We have designated a Data Protection Officer who is responsible for our compliance.

Lawfulness: We collect data only with your consent or on another valid legal basis.

Purpose specification: We collect data only for the purpose of fraud prevention and verification.

Data minimization: We collect only what is necessary to provide our service.

Storage limitation: We retain data for a maximum of seven years or as otherwise legally required.

Integrity and confidentiality: We use encrypted storage and strict access controls.

Openness: This Privacy Policy is publicly available on our website and application.

Data subject participation: Users can access, correct, or delete their data as described in this policy.

TrustGH is registered with the Data Protection Commission of Ghana. Our registration number can be obtained by contacting us. You may also contact the Data Protection Commission directly at info@dataprotection.org.gh for any complaints.

We share your information only in very limited circumstances.

We share information with the Cyber Security Authority when reporting major fraud patterns, and this sharing is based on our legal obligation under Act 1038.

We share information with law enforcement agencies such as the Ghana Police Service and the Economic and Organised Crime Office only in response to a valid court order.

In the future, we may share information with telcos including MTN, Telecel, and AirtelTigo for fraud detection integrations, but only with your explicit consent.

We share aggregate and anonymized risk data with fintech and API partners, but we never share personal data in these cases.

We share information with our service providers such as hosting providers like AWS and Firebase, but these providers are bound by strict non-disclosure agreements.

We never sell your phone number, your name, or your report history to advertisers or marketing platforms.

We retain different types of data for different periods of time.

User account data is retained until you delete your account, plus an additional thirty days to allow for recovery.

Scam reports are retained for seven years to support fraud pattern analysis and legal compliance.

Business verification documents are retained for five years after the business account is closed.

Searched phone numbers and logs are retained for two years, but they are anonymized after ninety days.

API request logs are retained for one year.

After each retention period expires, the data is permanently deleted or anonymized so that it can no longer be associated with you.

Under Ghana's Data Protection Act, you have several important rights.

Right to access: You can access all data we hold about you by emailing privacy@trustgh.com.

Right to rectification: You can correct any inaccurate data by updating your profile or contacting us.

Right to erasure: Also known as the right to be forgotten, allowing you to request deletion of your data, although this is subject to legal retention obligations.

Right to restrict processing: You can limit how we use your data by contacting us.

Right to object: You can object to processing that is based on legitimate interest by contacting us.

Right to data portability: You can receive your data in a portable format, available for user account data.

Right to withdraw consent: You can withdraw any prior consent you have given us by emailing privacy@trustgh.com.

We will respond to any request within thirty days as required by Act 843.

We implement several security measures to protect your data.

We use encryption for data both at rest and in transit, specifically TLS version 1.3.

We enforce strict access controls so that only authorized staff members can view scam reports.

We require one-time password verification for all user accounts.

We conduct regular security audits to identify and fix vulnerabilities.

We use fraud detection algorithms to flag potentially fake or malicious reports.

We have an incident response plan that requires us to notify the Data Protection Commission and the Cyber Security Authority of any data breach within seventy-two hours, as required by law.

TrustGH is not intended for persons under the age of sixteen. We do not knowingly collect any personal data from minors. If we discover that we have collected data from a person under sixteen years of age, we will delete that data immediately.

TrustGH operates solely within the Republic of Ghana. However, our hosting providers, including AWS and Firebase, may store data on servers located outside Ghana.

We ensure that any international transfer of data complies with Act 843 by using providers that have GDPR-level protections and by signing standard contractual clauses where applicable.

Our web application uses only essential cookies.

These cookies are used for authentication to keep you logged in, for security to prevent cross-site request forgery attacks, and for performance through caching.

We do not use any tracking cookies for advertising purposes.

We may update this Privacy Policy occasionally. When we make changes, we will notify you by email if you have an account with us, through an in-app notification, or through a banner on our web application. The effective date at the top of this policy will be updated accordingly. Your continued use of TrustGH after changes are made constitutes your acceptance of the updated policy.

If you believe your privacy rights have been violated, we have an internal complaint process for you to follow. First, contact our Data Protection Officer at dpo@trustgh.com. We will respond within fourteen days.

If your complaint is not resolved within thirty days, you may escalate the matter externally.

For external escalation, you may lodge a complaint with the Data Protection Commission of Ghana, whose website is www.dataprotection.org.gh, email is info@dataprotection.org.gh, and office is located in Accra, Ghana.

You may also lodge a complaint with the Cyber Security Authority of Ghana, whose website is www.csa.gov.gh and email is info@csa.gov.gh.

You can contact TrustGH through several email addresses.

For privacy officer or Data Protection Officer matters, email privacy@trustgh.com.

For general support, email support@trustgh.com.

For legal inquiries or law enforcement requests, email legal@trustgh.com.

Our physical business address in Ghana will be provided upon request.

TrustGH provides risk scores and scam reports based on user-generated data and available information. This does not constitute a definitive determination of fraud. Risk scores are indicators only, not guarantees.

Users are encouraged to exercise their own judgment before sending money or engaging in any transaction based on information obtained from TrustGH. TrustGH is not liable for any financial loss or other damages resulting from reliance on our risk scores or scam reports.