Bantuhive Logo

Data Protection Policy

Last Updated: January 14, 2025
BantuHive Ltd

1. Introduction

BantuHive Ltd ("the Company," "we," "us," or "our") is committed to protecting the personal data of all individuals who interact with our donations and investment crowdfunding platform. This Data Protection Policy outlines our commitment to data protection and explains how we ensure compliance with the Data Protection Act, 2012 (Act 843) of Ghana and other applicable data protection laws.

As a licensed crowdfunding platform operating in Ghana, we recognize that the proper handling of personal data is essential to maintaining trust with our users, donors, investors, and fundraisers. This policy applies to all personal data processed by BantuHive Ltd in the course of our business operations.

1.1 Purpose of This Policy

This Data Protection Policy aims to:

  • Ensure compliance with the Data Protection Act, 2012 (Act 843) and related regulations
  • Protect the rights and freedoms of data subjects
  • Establish clear procedures for handling personal data
  • Define responsibilities for data protection within the organization
  • Provide guidance to employees on data protection matters

2. Definitions

For the purposes of this policy, the following definitions apply:

  • Personal Data: Any information relating to an identified or identifiable natural person (data subject), including but not limited to name, identification number, location data, online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
  • Sensitive Personal Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a natural person's sex life or sexual orientation.
  • Data Subject: An identified or identifiable natural person whose personal data is processed by BantuHive Ltd.
  • Data Controller: BantuHive Ltd, which determines the purposes and means of processing personal data.
  • Data Processor: Any natural or legal person who processes personal data on behalf of BantuHive Ltd.
  • Processing: Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

3. Scope of Policy

3.1 Applicability

This policy applies to:

  • All personal data processed by BantuHive Ltd
  • All employees, contractors, and third parties acting on behalf of BantuHive Ltd
  • All systems, services, and processes used to handle personal data
  • All locations where personal data is processed, including our offices, remote work environments, and cloud services

3.2 Categories of Data Subjects

We process personal data relating to the following categories of individuals:

  • Registered platform users (donors and investors)
  • Fundraisers and campaign organizers
  • Beneficiaries of campaigns
  • Website visitors
  • Business partners and service providers
  • Employees and job applicants

4. Data Protection Principles

BantuHive Ltd adheres to the following data protection principles as mandated by the Data Protection Act, 2012 (Act 843):

4.1 Lawfulness, Fairness, and Transparency

Personal data shall be processed lawfully, fairly, and in a transparent manner. We ensure that data subjects are informed about how their data is collected and used.

4.2 Purpose Limitation

Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

4.3 Data Minimization

Personal data collected shall be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

4.4 Accuracy

Personal data shall be accurate and, where necessary, kept up to date. We take reasonable steps to ensure inaccurate data is rectified or erased without delay.

4.5 Storage Limitation

Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed.

4.6 Integrity and Confidentiality

Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

4.7 Accountability

BantuHive Ltd is responsible for and must be able to demonstrate compliance with these principles.

5. Lawful Basis for Processing

BantuHive Ltd processes personal data only when there is a lawful basis to do so. The lawful bases we rely on include:

5.1 Consent

Where the data subject has given clear consent for us to process their personal data for a specific purpose. Consent can be withdrawn at any time.

5.2 Contractual Necessity

Processing is necessary for the performance of a contract with the data subject or to take steps at their request before entering into a contract.

5.3 Legal Obligation

Processing is necessary for compliance with a legal obligation to which BantuHive Ltd is subject, including anti-money laundering regulations and tax requirements.

5.4 Legitimate Interests

Processing is necessary for the purposes of legitimate interests pursued by BantuHive Ltd or a third party, except where such interests are overridden by the interests, rights, or freedoms of the data subject.

6. Data Subject Rights

Under the Data Protection Act, 2012 (Act 843), data subjects have the following rights which BantuHive Ltd is committed to upholding:

6.1 Right to Access

Data subjects have the right to request access to their personal data and to obtain information about how it is processed.

6.2 Right to Rectification

Data subjects have the right to request correction of inaccurate personal data without undue delay.

6.3 Right to Erasure

Data subjects have the right to request the deletion of their personal data in certain circumstances, subject to legal retention requirements.

6.4 Right to Restrict Processing

Data subjects have the right to request restriction of processing of their personal data in certain circumstances.

6.5 Right to Data Portability

Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format.

6.6 Right to Object

Data subjects have the right to object to processing of their personal data in certain circumstances, including for direct marketing purposes.

6.7 Exercising Your Rights

To exercise any of these rights, please contact our Data Protection Officer at dpo@bantuhive.com. We will respond to all legitimate requests within 30 days.

7. Data Security Measures

BantuHive Ltd implements appropriate technical and organizational measures to ensure the security of personal data:

7.1 Technical Measures

  • 256-bit SSL/TLS encryption for data in transit
  • AES-256 encryption for data at rest
  • Multi-factor authentication for system access
  • Regular security assessments and penetration testing
  • Intrusion detection and prevention systems
  • Regular software updates and security patches
  • Secure backup and disaster recovery procedures

7.2 Organizational Measures

  • Role-based access controls limiting data access to authorized personnel
  • Regular data protection training for all employees
  • Confidentiality agreements with employees and contractors
  • Documented security policies and procedures
  • Regular audits of data processing activities
  • Vendor due diligence and data processing agreements

8. Data Breach Procedures

8.1 Breach Identification

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

8.2 Breach Response

In the event of a data breach, BantuHive Ltd will:

  • Immediately investigate and contain the breach
  • Assess the risk to affected individuals
  • Notify the Data Protection Commission within 72 hours where required
  • Notify affected data subjects without undue delay where there is a high risk to their rights and freedoms
  • Document all breaches and remedial actions taken
  • Implement measures to prevent future breaches

8.3 Reporting a Breach

All employees must report suspected data breaches immediately to the Data Protection Officer at dpo@bantuhive.com or through our internal incident reporting system.

9. International Data Transfers

BantuHive Ltd may transfer personal data to countries outside Ghana in the course of our business operations. When we do so, we ensure appropriate safeguards are in place:

  • Transfers to countries with adequate data protection laws as determined by the Data Protection Commission
  • Standard contractual clauses approved by the Data Protection Commission
  • Binding corporate rules for intra-group transfers
  • Explicit consent from the data subject after being informed of the risks

We primarily use cloud service providers with data centers in US, Europe, and other jurisdictions that provide adequate protection for personal data.

10. Data Retention

BantuHive Ltd retains personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:

  • Account Information: Retained for the duration of the account plus 7 years after closure for regulatory compliance
  • Transaction Records: Retained for 7 years as required by tax and anti-money laundering regulations
  • Campaign Data: Retained for 7 years after campaign completion
  • Communication Records: Retained for 3 years unless required longer for legal purposes
  • Website Analytics: Retained for 2 years in anonymized form

When personal data is no longer required, it is securely deleted or anonymized in accordance with our data destruction procedures.

12. Data Protection Officer

BantuHive Ltd has appointed a Data Protection Officer (DPO) who is responsible for overseeing data protection compliance. The DPO can be contacted for any questions regarding this policy or our data protection practices:

  • Email: dpo@bantuhive.com
  • Address: BantuHive Ltd, 27 Independence Avenue, Synergy Office Space, Takoradi Mall, Gate 2, Takoradi | Ghana
  • Phone: +233 551 563 081

11.1 Responsibilities of the DPO

  • Advising on data protection obligations and compliance
  • Monitoring compliance with data protection laws and internal policies
  • Providing guidance on data protection impact assessments
  • Serving as the contact point for the Data Protection Commission
  • Handling data subject requests and complaints

13. Complaints Procedure

If you have concerns about how BantuHive Ltd handles your personal data, we encourage you to raise them with us first:

13.1 Internal Complaints

Contact our Data Protection Officer at dpo@bantuhive.com. We will investigate your complaint and respond within 30 days.

13.2 Regulatory Complaints

If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Commission of Ghana:

  • Data Protection Commission
  • No. 7 Olusegun Obasanjo Way
  • Airport Residential Area, Accra
  • Website: www.dataprotection.org.gh

14. Policy Review

This Data Protection Policy is reviewed annually or whenever there are significant changes to our data processing activities, legal requirements, or regulatory guidance. All updates will be communicated to relevant stakeholders and published on our website.

Version: 1.0
Effective Date: January 14, 2025
Next Review Date: January 14, 2026
Approved By: Board of Directors, BantuHive Ltd