Privacy Policy

Last updated: 4 June 2026

This Privacy Policy explains how NeoGH ("we", "our", "us") collects, uses, discloses, and protects your personal data. We are committed to compliance with the Ghana Data Protection Act (Act 843), the UK Data Protection Act 2018, and the EU General Data Protection Regulation (GDPR) where applicable.

1. Data Controller

NeoGH is the data controller for your personal data. For all privacy-related matters, contact:
Email: admin@neogh.org

2. Lawful Basis for Processing

We process your personal data under the following lawful bases:

• Consent — you actively agree to data collection when creating an account and accepting our cookie preferences
• Contractual necessity — processing is required to deliver our services (account management, progress tracking, leaderboards)
• Legitimate interests — platform improvement, security monitoring, and aggregate analytics
• Legal obligation — compliance with applicable laws and regulatory requirements

3. Information We Collect

Information you provide

• Name — to personalise your profile and leaderboard
• Email address — for login, account recovery, and service communications
• WhatsApp phone number — for optional community engagement
• Pillar interests and goals — to tailor your learning experience
• Quiz and mission progress — to track your learning and calculate XP
• Payment information — if you purchase certificates, processed by Flutterwave (we do not store card details)

Information collected automatically

• Device and usage data — browser type, operating system, pages visited, time spent
• IP address — for security, rate limiting, and analytics
• Session token — stored as an httpOnly cookie for authentication

4. Cookies and Similar Technologies

NeoGH uses the following cookies and local storage:

• session (httpOnly cookie) — essential for authentication. Set after login/registration. Expires after 30 days or on logout.
• neogh_token / neogh_user (localStorage) — stores your session reference and profile cache for seamless browsing. Not shared with third parties.

We do not use third-party tracking cookies, advertising cookies, or analytics cookies. No data is sold to advertisers.

You can manage cookie preferences through your browser settings. Blocking essential cookies will prevent you from using the platform.

5. How We Use Your Data

• Operate and maintain your account
• Display leaderboard rankings (name and XP only — never email or phone)
• Improve the platform based on aggregate usage patterns
• Send essential service communications (password resets, policy changes)
• Process certificate payments through Flutterwave
• Prevent fraud, abuse, and security incidents

6. Data Storage, Transfer & Security

Your data is stored in Cloudflare D1 databases hosted in the European Union. Cloudflare is certified under the EU-US Data Privacy Framework and UK Extension, providing adequate safeguards for international data transfers under GDPR Article 45.

We implement:

• Encrypted connections (HTTPS/TLS 1.3)
• Session-based authentication with 30-day token expiry
• httpOnly, Secure, SameSite cookies
• Rate limiting and IP-based abuse prevention
• Strict API access controls
• Content Security Policy (CSP) headers to prevent XSS

7. Data Retention

We retain your personal data for as long as your account is active. If your account is inactive for 24 months, we may delete your data after providing notice. Quiz attempts and XP records may be retained in anonymised form for aggregate analytics.

Upon account deletion, we delete or anonymise your personal data within 30 days, except where retention is required by law (e.g., transaction records for tax purposes — retained for 6 years).

8. Data Sharing and Third-Party Processors

We never sell your personal data. We may share data with the following processors under strict Data Processing Agreements (DPAs):

• Cloudflare Inc. — hosting, CDN, D1 database, email routing (Privacy Shield certified)
• Flutterwave Inc. — payment processing for certificate purchases (PCI-DSS compliant)
• Google LLC — optional Google OAuth sign-in (only if you choose to use it)

We may disclose information if required by law or to protect our legal rights.

9. Your Rights (GDPR & Ghana Data Protection Act)

You have the following rights regarding your personal data:

• Right of access — request a copy of the data we hold about you
• Right to rectification — correct inaccurate or incomplete data
• Right to erasure ("right to be forgotten") — request deletion of your data
• Right to restrict processing — limit how we use your data
• Right to data portability — receive your data in a machine-readable format
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — withdraw consent at any time without affecting the lawfulness of prior processing
• Right to lodge a complaint — complain to your local data protection authority

To exercise any of these rights, contact admin@neogh.org. We will respond within 30 days. If you are in the EU/UK, you may also contact your local Data Protection Authority (e.g., the ICO in the UK).

10. Children and Minors

NeoGH is designed for youth aged 15–35. If you are under the age of 16, you must have parental or guardian consent to use the platform. We do not knowingly collect data from children under 13. If you believe a child has provided us with personal data, contact us immediately and we will delete it.

11. International Users

If you access NeoGH from outside Ghana, your data may be transferred to and processed in Ghana and the European Union (where our hosting provider is located). By using the platform, you consent to this transfer. We ensure appropriate safeguards are in place through Cloudflare's Privacy Shield certification and Standard Contractual Clauses.

12. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

13. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects concerning you.

14. Changes to This Policy

We may update this Privacy Policy at any time. Material changes will be notified via email (if you have an account) and a notice on the platform. Continued use after changes constitutes acceptance.

15. Contact

Data Controller: NeoGH
Email: admin@neogh.org

For EU/UK data subjects, you may also contact our representative at the same email address.

Supervisory authority: Data Protection Commission (Ghana) / Information Commissioner's Office (UK).