Legal · Everyone
Privacy Policy
What personal data we collect, why, where it goes, how long we keep it, and how you exercise your rights under the Ghana Data Protection Act 2012.
- Version
- v0.1-draft
- Last updated
- 2026-05-16
- Jurisdiction
- Ghana
- Status
- Draft
Working draft — pending final legal review. This page describes how Glydr intends to operate during our Accra pilot. We are finalising review with Ghana-qualified counsel and will publish the signed-off version before the public launch. Questions or feedback: legal@glydr.africa.
1. Who is the data controller?
For the purposes of the Data Protection Act, 2012 (Act 843), the data controller is Glydr Ltd (registration pending), registered office at Accra, Ghana — full address to be confirmed before public launch.
Our Data Protection Supervisor (DPS) is responsible for data protection matters. You can reach the DPS at dpo@glydr.africa.
DPC registration: our registration with the Data Protection Commission of Ghana is in progress. Once registered, our DPC certificate number will be published here.
2. What this policy covers
This Privacy Policy covers personal data that Glydr collects when you use the Glydr website (glydr.africa), the Glydr mobile apps, and related services. It explains what we collect, why, who else processes it, where it lives, how long we keep it, and how you exercise your rights.
We are committed to making this policy a truthful description of what we actually do — not a wish-list of safeguards.
3. What personal data we collect
We collect data in five categories. Account & contact data includes your phone number (used for OTP login), full name as it appears on your Ghana Card, optional email address, and an optional emergency-contact name and phone number. KYC data is the identity-verification material Smile Identity captures on our behalf: a photo of your Ghana Card (front and back), a face-liveness selfie, and, for Drivers, a photo of your driving licence. Smile Identity holds these raw images and gives Glydr only a job reference and the verification verdict — Glydr does not store the Ghana Card images themselves on the Smile path. Vehicle & documents data (Drivers only) includes vehicle registration plate, make, model, year, colour, vehicle photos (front/rear/sides/plate/interior), and the National Insurance Commission’s response when we verify your motor insurance. Trip & location data includes the trips you list or book, origin and destination labels and coordinates, the live GPS stream while a Trip is active, in-app chat messages tied to a booking, post-trip ratings and comments, and any incident reports. Payment metadata is the payment-method label (MTN MoMo, Telecel Cash, AirtelTigo Money, card) and the opaque transaction reference Flutterwave returns. We do not store card numbers, card PINs, or mobile-money wallet PINs.
Two further categories sit alongside the above. Device data includes the Firebase Cloud Messaging token your device generates for push notifications, plus diagnostic information sent to Sentry if the app encounters an error (we configure Sentry to mask phone numbers, emails, and IDs). Operator interaction data includes any messages or forms you send to Glydr support and any audit-log entries our operators create on your account.
4. Why we use your data, and on what legal basis
Section 20 of the Data Protection Act, 2012 sets out the lawful bases on which we may process your personal data. The table below maps each processing purpose to its basis.
| Purpose | Lawful basis (DPA 2012 s.20) |
|---|---|
| Creating and operating your account; matching Drivers and Passengers; running Trips; processing payments and escrow | Performance of a contract (s.20(b)) |
| Identity verification (KYC) to comply with anti-fraud and applicable financial regulations | Legal obligation (s.20(c)) and legitimate interest (s.20(f)) |
| The safety stack — live location, SOS, destination check-in, operator escalation | Vital interests (s.20(d)) and performance of a contract (s.20(b)) |
| Fraud detection, abuse prevention, security telemetry, audit logging | Legitimate interest (s.20(f)) |
| Service announcements (e.g. terms updates, safety advisories) | Performance of a contract (s.20(b)) and legitimate interest (s.20(f)) |
| Optional marketing emails / SMS | Consent (s.20(a)) — opt-in only, revocable any time |
| Response to a court order, subpoena, or lawful regulator request | Legal obligation (s.20(c)) |
5. Who processes your data on our behalf
Glydr relies on the third-party processors listed below. Each processor is bound by a Data Processing Agreement with Glydr (or is in the process of being onboarded under one). Where data leaves Ghana, the transfer is made under section 47 of the Data Protection Act, 2012, on the basis of contractual necessity and the safeguards each processor maintains.
| Processor | Role | Region |
|---|---|---|
| Smile Identity | KYC / identity verification (Ghana Card + face liveness + driving licence). Holds raw images on its own infrastructure. | Kenya / United States (cloud) |
| Flutterwave | Mobile-money and card payments; escrow rails. | Ghana / Nigeria |
| Cloudflare R2 | Object storage for any KYC images / vehicle photos held on the legacy upload path, and for driver licence and vehicle imagery. | European Union |
| Firebase Cloud Messaging (Google) | Push notifications. | United States (Google) |
| mnotify | Ghana SMS gateway (OTP delivery, trip-start safety SMS, SOS fan-out). | Ghana |
| Resend | Transactional email (KYC decisions, support replies). | United States |
| Sentry | Crash and error reporting from the mobile app (scrubbed). Backend Sentry is not yet wired. | United States |
| National Insurance Commission (NIC) Ghana | Public API used to verify Driver vehicle insurance status. | Ghana (regulator) |
| Vercel | Hosting for glydr.africa and the operator console. | Global edge network |
| Railway | Hosting for the backend service and PostgreSQL database. | United States (provider default) |
6. How long we keep your data
We aim to keep data only as long as we need it. The table below reflects current practice. Some entries say indefinite because we have not yet implemented an automated purge job — we are honest about that, and we list those gaps as a security backlog. We will tighten retention windows before public launch.
| Data category | Retention |
|---|---|
| Account & contact data | For as long as your account is open; up to 7 years after closure for AML/financial-records purposes. |
| KYC verdict and Smile job references | For the life of your account. |
Live Trip GPS stream (trip_locations) | Currently indefinite (append-only); target retention 30 days after Trip completion. |
| OTP attempt records | Currently indefinite; target retention 24 hours after OTP consumption. |
| In-app chat messages | Read-only after Trip completion or cancellation; retained 24 months. |
| Ratings and comments | Indefinite (these inform Driver and Passenger trust). |
| Operator audit log | 5 years (regulatory good practice). |
| Sentry error reports (mobile) | Per Sentry default; typically 90 days. |
7. Your rights
The Data Protection Act, 2012 gives you the following rights. To exercise any of them, contact dpo@glydr.africa — we will respond within 30 days.
- Right to be informed (s.32) — what this policy exists to do.
- Right of access (s.33) — a copy of your data in a portable format.
- Right to correction (s.34) — to fix anything we have wrong.
- Right to block / object (s.35) — to stop specific processing.
- Right to erasure (s.37) — limited; we may decline where we have a legal obligation to retain the data (KYC records under AML rules, for instance).
- Right not to be subject to a solely automated decision (s.41) — Glydr does not currently take consequential decisions about you using purely automated processing.
- Right to compensation for harm (s.42).
8. International transfers
Several processors above operate outside Ghana. Each transfer is made under section 47 of the Data Protection Act, 2012 on the basis of contractual necessity, the recipient’s published privacy and security practices, and (where signed) our Data Processing Agreement with that recipient. We treat transfers to any non-Ghana jurisdiction as requiring the safeguards above regardless of the recipient country’s status.
9. Cookies and tracking on glydr.africa
Today, the glydr.africa website sets no cookies, runs no analytics, and loads no third-party scripts. Web fonts are self-hosted by Next.js at build time, so your browser never connects to Google for fonts at runtime. See the full Cookie & Tracking Notice.
10. Children
Glydr is for adults. You must be at least 18 to register. We do not knowingly collect personal data from children. If you become aware that a child has registered, contact dpo@glydr.africa and we will close the account.
11. Security
Our infrastructure providers (Railway for PostgreSQL, Cloudflare R2 for object storage) encrypt data at rest using their platform-default encryption. Data in transit is protected by HTTPS / TLS. Access to production data is restricted to engineering staff with multi-factor authentication. Authentication tokens on your mobile device live in iOS Keychain or Android Keystore (your local PIN is stored hashed and salted on the device — it never leaves your device).
We do not currently operate end-to-end encryption of chat or location streams, application-level field encryption, or customer-managed encryption keys. If we add any of these, we will update this section.
12. Breach notification
Section 31 of the Data Protection Act, 2012 requires us to notify the Data Protection Commission and any affected data subjects of a personal-data breach as soon as reasonably practicable. We target notification within 72 hours of confirmed material breach. Where the breach falls within the scope of sections 41 to 43 of the Cybersecurity Act, 2020, we will also report to the Cyber Security Authority.
13. How to complain
If you have a concern about how Glydr handles your data, contact dpo@glydr.africa first — we will investigate and reply within 30 days.
You also have the right to complain to the Data Protection Commission of Ghana:
Data Protection Commission, Ghana
Address and contact details are published at dataprotection.org.gh.
14. Country appendices
As Glydr expands to additional African markets, country-specific appendices for Nigeria (NDPA 2023), Kenya (DPA 2019), and South Africa (POPIA) will be added below. Today, the core policy above applies.
15. Updates to this Privacy Policy
We update this policy when our processing, the law, or our third-party processors change. Material updates will be notified to you by in-app notification or email at least 14 days before they take effect. The version number and last-updated date at the top of this page are authoritative.