Privacy Policy

Last updated: 2026-06-13 · Draft for legal review.

1. Data controller

Taafpay Limited Company is the data controller for personal data processed via the Block2Pay service. It is registered with the Ghana Data Protection Commission under the Data Protection Act, 2012 (Act 843).

2. What we collect

From sellers (mandatory):

  • Full legal name (as on Ghana Card)
  • Ghana Card number — verified via Prembly against the NIA registry
  • Date of birth (for age verification, ≥ 18)
  • Phone number (E.164)
  • Payout Mobile Money number + network
  • Live selfie for biometric match against the Ghana Card photo

From buyers (minimum):

  • Mobile Money number (E.164)
  • Name (optional, captured if your Mobile Money provider returns it)
  • Note to seller (only what you choose to type)

We deliberately do not collect: buyer addresses, government IDs, email, or any other identity data. The buyer experience is intentionally minimal.

3. Lawful basis

  • Sellers: contract (operating the service)
  • Buyers: legitimate interest (executing the transaction you initiated) + legal obligation (Anti-Money Laundering Act 2020, Act 1044)

4. How long we keep it

  • Seller KYC records: 6 years after deactivation (Act 1044 minimum)
  • Transaction data: 6 years from completion
  • Webhook delivery logs: 90 days hot, 6 years archived
  • Audit logs: 6 years
  • Dispute evidence: 6 years from resolution

5. Who we share with

  • Flutterwave (Ghana): processes the Mobile Money transactions
  • Prembly: performs Ghana Card biometric verification
  • Cloudinary: stores dispute evidence + shipping photos
  • Supabase (EU): database + authentication
  • Meta (WhatsApp): delivers transaction notifications
  • Bank of Ghana / Financial Intelligence Centre: AML/CFT reporting as required by law

6. Your rights

Under Act 843, you can request access to, correction of, or deletion of your personal data. Sellers can export their data via the dashboard. Buyers can request deletion of marketing data; transaction records are retained as legally mandated regardless.

To exercise your rights, email privacy@getblock2pay.com.

7. Security

Ghana Card numbers, phone numbers, payout numbers, and bank details are encrypted at rest using AES-256. All traffic is over TLS 1.3. Access to personal data is limited to authorized personnel with role-based access.

This policy is a working draft pending review by Ghana data-protection counsel. The final version goes live with the DPC registration.