Privacy Policy

1.1 Personal Information

We collect personal information that you voluntarily provide when using the Platform, including:

• Identity Information: Full name, employee identification number, government agency affiliation, job title, and professional credentials.
• Contact Information: Official email address, telephone number, and office address.
• Authentication Credentials: Username, encrypted password, multi-factor authentication tokens, and biometric data (where applicable).
• Professional Information: Department, role, security clearance level, and authorized access permissions.

1.2 Automatically Collected Information

When you access the Platform, we automatically collect:

• Usage Data: Pages visited, features accessed, searches performed, reports generated, and actions taken within the Platform.
• Device Information: IP address, browser type, operating system, device identifiers, and network information.
• Audit Logs: Timestamped records of all activities, including logins, data access, modifications, and exports.
• Session Information: Login timestamps, session duration, and geographic location of access.

1.3 Regulatory Data

In the course of regulatory supervision, the Platform processes:

• VASP Information: Registration details, compliance records, and operational data of licensed Virtual Asset Service Providers.
• Transaction Data: Blockchain transaction records, wallet addresses, and associated metadata for regulatory analysis.
• Intelligence Reports: Suspicious Activity Reports (SARs), investigation findings, and risk assessments.

We use the collected information for the following purposes:

2.1 Regulatory Functions

• Supervision and monitoring of licensed Virtual Asset Service Providers
• Detection and investigation of suspicious financial activities
• Enforcement of Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) regulations
• Risk assessment and compliance evaluation
• Generation of regulatory reports and statistics

2.2 Platform Operations

• User authentication and access control
• Maintenance of audit trails for accountability
• System security monitoring and incident response
• Technical support and user assistance
• Platform improvement and feature development

2.3 Legal Compliance

• Compliance with Ghana Data Protection Act, 2012 (Act 843)
• Adherence to Anti-Money Laundering Act, 2020 (Act 1044)
• Response to lawful requests from judicial authorities
• International cooperation with foreign regulatory bodies under applicable treaties

We may share personal and regulatory information with:

3.1 Government Agencies

• Bank of Ghana: For monetary policy and financial stability oversight
• Securities and Exchange Commission: For securities-related crypto activities
• Ghana Police Service: For criminal investigations involving financial crimes
• Economic and Organised Crime Office (EOCO): For complex financial crime investigations
• Attorney General's Office: For prosecution of financial crimes

3.2 International Bodies

• Financial Action Task Force (FATF) member jurisdictions under mutual legal assistance treaties
• Inter-Governmental Action Group against Money Laundering in West Africa (GIABA)
• Egmont Group of Financial Intelligence Units

3.3 Third-Party Service Providers

We engage trusted service providers who assist in platform operations, including:

• Blockchain analytics providers (Chainalysis, Elliptic, TRM Labs)
• Cloud infrastructure providers with appropriate data protection certifications
• Security audit and penetration testing firms

All third-party providers are bound by strict data processing agreements and confidentiality obligations.

We implement comprehensive security measures to protect your information:

4.1 Technical Safeguards

• Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access control (RBAC) with principle of least privilege
• Multi-Factor Authentication: Required for all user accounts
• Intrusion Detection: Real-time monitoring for unauthorized access attempts
• Penetration Testing: Regular security assessments by certified professionals

4.2 Organizational Safeguards

• Security awareness training for all personnel
• Background checks for employees with system access
• Incident response procedures and business continuity plans
• Regular security audits and compliance reviews

4.3 Compliance Certifications

The Platform maintains compliance with:

• ISO/IEC 27001:2022 - Information Security Management
• SOC 2 Type II - Service Organization Controls
• GDPR - General Data Protection Regulation (for EU data subjects)
• Ghana Data Protection Act, 2012 (Act 843)

We retain personal and regulatory data according to the following schedules:

• User Account Data: Retained for the duration of employment plus 7 years
• Audit Logs: Retained for a minimum of 10 years as required by AML regulations
• Investigation Records: Retained permanently for ongoing and closed cases
• Transaction Data: Retained for 10 years from the date of transaction
• VASP Registration Data: Retained for the duration of license plus 10 years

Under the Ghana Data Protection Act, 2012 (Act 843), you have the following rights:

• Right of Access: You may request access to the personal data we hold about you
• Right to Rectification: You may request correction of inaccurate personal data
• Right to Erasure: You may request deletion of personal data, subject to legal retention requirements
• Right to Object: You may object to processing of your personal data in certain circumstances
• Right to Complain: You may lodge a complaint with the Data Protection Commission of Ghana

To exercise these rights, please contact our Data Protection Officer at dpo@fic.gov.ghor submit a request through the Platform's Help Center.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify users of any material changes through the Platform and update the "Last updated" date at the top of this policy. We encourage you to review this policy periodically.