Privacy Policy

This short summary is provided for convenience and does not replace the full Policy below. In short:

• What we collect. Information you give us (name, phone, Ghana Card, MoMo wallet, photos), information generated as you use the Services (transactions, balances, device and log data), and information from third parties (mobile-money providers and identity-verification partners).
• Why we collect it. To operate the Services, to comply with Bank of Ghana directives and the anti-money-laundering regime, to keep the platform secure, to communicate with you, and to improve the product.
• Who we share it with. Service providers acting on our instructions, regulators and law enforcement where required, and other users only with respect to the information you choose to expose (such as your name and Code when you join a Cell).
• Your rights. You can ask for a copy of your data, ask us to correct it, ask us to delete it subject to our legal obligations, and withdraw consent where consent is what we relied on.
• Retention. We keep most account data for the life of your account, and for a period after closure as required by Bank of Ghana, anti-money-laundering, and tax laws — typically five years from the date of the last transaction.

Alt Solutions Micro-Credit is the data controller for personal information collected through the Services. We determine why and how your personal information is processed and we accept the obligations of a data controller under the Ghana Data Protection Act, 2012 (Act 843) and any successor legislation.

You can reach our team at:

• Email: inquiries@altsolutionsgh.com
• Phone: +233256124455 or +233256124456
• Office: Asylum Down, Accra, Greater Accra, Ghana

We have appointed an internal data-protection officer who is accessible through the email above by writing “Attn: Data Protection Officer” in the subject line.

In this Policy:

• “Personal data” means any information that identifies, or could reasonably be used to identify, you as a natural person.
• “Processing” means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and erasure.
• “Services” means the Jenga Jar mobile applications, website, APIs, and any related communication channels through which you interact with us.
• “Cell” means a user-created group on the platform (including but not limited to Susu, Group Savings, Crowdfunding, and Donation Cells).
• “KYC” means know-your-customer identity-verification information, including your Ghana Card details and any selfie or liveness capture used to confirm that you are the holder of that card.
• “MoMo” means mobile-money wallets operated by MTN MoMo, Telecel Cash, AT Money, and any other mobile-money provider integrated with the Services.
• “Act 843” means the Data Protection Act, 2012 of Ghana, as amended.

We collect personal data in three ways: from you directly, automatically as you use the Services, and from third parties acting at our request.

Information you give us

• Account-creation data: your phone number, your chosen display name, your e-mail address (optional), and a transaction PIN.
• Identity-verification data: your full legal name as printed on your Ghana Card, your Ghana Card number, your date of birth, your Ghana Card images, and a liveness selfie taken at the time of verification.
• Mobile-money information: the MoMo wallet you nominate for deposits and payouts, the account-holder name registered against that wallet at your mobile-money operator (collected via Xcel for name confirmation), and any verification metadata supplied by the operator.
• Profile content: a profile photo, if you choose to upload one; any biographical text you supply; and Cell photos that you, as a Cell administrator, upload on behalf of a Cell.
• Communication content: messages you send to other users through the in-app chat, comments you post inside a Cell, support tickets you raise with us, and any attachments to either.
• Financial activity you initiate: deposits, withdrawals, top-ups, transfers, Cell contributions, payout requests, disbursement decisions, and Cell creation parameters.

Information collected automatically

• Device and connection data: IP address, device type, operating system, app version, browser type (where applicable), language, time zone, and crash logs.
• Usage data: the screens you view, the buttons you tap, the timing of those interactions, and similar product-analytics telemetry.
• Session data: session tokens, sign-in timestamps, and the device identifiers associated with each session, so we can show you your active sessions and sign you out remotely.
• Push tokens: the opaque identifiers issued by Apple, Google, or Web Push so we can deliver notifications to a specific device.
• Cookies and similar technologies: we use cookies, local storage, and similar technologies as described in our Cookie Policy.

Information from third parties

• Mobile-money operators (and their aggregators, including Xcel, Harpoon, and Chipper) share with us the registered name on a wallet, the status of any payment attempt, and any failure code we need to resolve the transaction.
• Identity-verification providers may share back to us the outcome of an automated check or a risk score on the documents we submitted on your behalf.
• Public registers and sanctions lists (including the lists maintained by the Bank of Ghana, the Financial Intelligence Centre, and applicable international sanctions bodies) are screened against your account information as part of our compliance obligations.
• Cell administrators who invite you to their Cell may pre-populate your phone number and the name they have for you in their contacts; you can overwrite the name at any time from your profile.

We process your personal data only where we have a lawful basis under Act 843. The bases we rely on are set out below alongside the purposes they support.

To perform the contract we have with you

• Creating and maintaining your account, including signing you in, holding your balances, and recording every credit or debit on your accounts.
• Executing deposits, withdrawals, transfers, Cell contributions, payouts, and any other transaction you initiate.
• Operating Cell-specific mechanics: scheduling cycles, tracking contributions, processing payouts, and applying admin fees.
• Providing customer support, responding to your enquiries, and resolving disputes.
• Communicating service notices, transaction receipts, and other operational messages.

To comply with legal and regulatory obligations

• Verifying your identity in line with the anti-money-laundering, counter-terrorism-financing, and counter-proliferation-financing regime in Ghana, including the Anti-Money Laundering Act, 2020 (Act 1044) and Bank of Ghana directives.
• Screening accounts and transactions against sanctions lists and politically-exposed-person registers.
• Detecting, preventing, investigating, and reporting suspicious activity to the Financial Intelligence Centre, the Bank of Ghana, MCAG, or any other competent authority as required.
• Keeping accounting records, tax records, and audit trails required by Ghanaian law for the prescribed retention period (typically five years after the last transaction on the account).
• Responding to lawful demands from courts, regulators, or law-enforcement agencies.

For our legitimate interests

• Protecting the security and integrity of the platform, including fraud detection, abuse mitigation, and the investigation of suspected breaches of these Terms.
• Improving the Services through aggregate analytics, usability research, and quality assurance — wherever possible, in a form that does not identify you individually.
• Communicating product updates, feature announcements, and service-related news to existing users.
• Defending ourselves against claims, complaints, and legal proceedings.

Where you have given consent

• Sending you marketing communications about new features, promotions, or events. You may withdraw consent for marketing at any time without affecting any other use of your data.
• Sharing your Ghana Card details with a Cell administrator under the in-app KYC-sharing flow. This sharing is scoped, time-bounded, and revocable from your profile.
• Any other use that we tell you we will rely on consent for at the point of collection.

We disclose personal data only to the recipients described here. We never sell personal data and we never share it with third parties for their own marketing.

Service providers acting on our instructions

We rely on carefully selected service providers (data processors under Act 843) who process your data only on our written instructions, only for the purposes we authorise, and under written terms that meet our security and confidentiality standards. The categories of providers we use include:

• Mobile-money rails and aggregators for deposits, payouts, and wallet-name verification (Xcel, Harpoon, Chipper, and the underlying mobile-money operators).
• Cloud infrastructure and storage providers for hosting the platform and storing encrypted artefacts such as your Ghana Card images.
• Communications providers for delivering SMS one-time passwords, transactional emails, and push notifications.
• Analytics, monitoring, and error-tracking providers who help us keep the Services running and improve them; these providers receive only the data necessary for their narrow role.

Regulators, supervisory bodies, and law enforcement

We may disclose your personal data when:

• A regulator with jurisdiction over our Services (Bank of Ghana, MCAG, the Data Protection Commission, the Financial Intelligence Centre, or any other competent authority) requires the disclosure in writing.
• A court or tribunal of competent jurisdiction issues an order requiring disclosure.
• We are otherwise required by Ghanaian law, including the mandatory reporting of suspicious transactions under the Anti-Money Laundering Act, 2020.

Other users

Some information is shared with other users to make the Services work. Specifically:

• Your display name, your Code, your verified status, and (if you upload one) your profile photo may be shown to other users you transact with, friend, or join a Cell with.
• Members of a Cell can see other members of the same Cell unless the Cell is configured for anonymity, in which case identity is masked according to the Cell's anonymity mode.
• A Cell administrator can see contribution and disbursement history scoped to their Cell, in line with the Cell's isolation and anonymity settings.
• Sending money to another user reveals your Code and display name to that user as the sender. You are responsible for verifying the recipient before confirming a transfer.

Business transfers

If we engage in a merger, acquisition, restructuring, financing, or sale of all or part of our business, your personal data may be transferred to the acquiring or successor entity as part of that transaction, subject to customary confidentiality obligations. We will notify you before any such transfer takes effect.

With your consent

We may share your information for any other purpose that you specifically consent to at the time. You can withdraw consent at any time, though the withdrawal does not affect processing that took place before the withdrawal.

Some of our service providers maintain infrastructure outside Ghana. When personal data is transferred outside Ghana, we ensure that:

• The recipient country provides an adequate level of protection comparable to Act 843, or
• Appropriate contractual safeguards (model clauses, data-processing addenda, and confidentiality obligations) are in place between us and the recipient.

On request we will give you a high-level description of the countries in which our service providers process your data and the safeguards we rely on for those transfers.

We retain personal data only for as long as we have a lawful basis to do so. The actual period depends on the category of data and the legal obligations that apply. The principal retention periods are:

• Account and transaction records: the life of the account plus at least five (5) years from the date of the last transaction, to satisfy Bank of Ghana, anti-money-laundering, and tax-record-keeping requirements.
• KYC documents: the life of the account plus at least five (5) years from closure, after which we securely destroy the artefacts unless a specific legal hold applies.
• Communications and support tickets: three (3) years from the date of the last interaction.
• Logs, security telemetry, and audit trails: up to two (2) years on hot storage and an additional period in cold storage where regulatory or security-investigation needs require it.
• Marketing consents and preferences: for as long as you remain a user, or until you withdraw consent — whichever is sooner.

When you close your account, we replace identifying fields on the user record with neutral sentinel values so the historical ledger and Cell records you participated in remain auditable, without continuing to identify you. The rest of the data is destroyed or anonymised once retention periods expire.

Under Act 843 and this Policy you have a number of rights in relation to your personal data. You can exercise these rights free of charge, by writing to inquiries@altsolutionsgh.com with the subject line “Privacy Request”. We will respond within thirty (30) days of receiving a verified request.

The right to be informed

You have the right to be told how your personal data is collected and used. This Policy is part of how we satisfy that obligation.

The right of access

You can request a copy of the personal data we hold about you and information about how we process it.

The right to rectification

You can ask us to correct inaccurate or incomplete personal data we hold about you. Many fields (your name, email, and profile photo) can be edited directly from the app.

The right to erasure

You can ask us to delete your personal data. We will do so unless we are required to keep it under another law (for example, anti-money-laundering record-keeping or pending legal proceedings). Where we cannot delete, we will tell you which obligation prevents us from doing so.

The right to restrict processing

You can ask us to stop processing your data temporarily while we investigate a complaint, verify a correction, or determine whether we still need the data.

The right to data portability

For data you provided to us under a contract or with your consent, you can ask us to give you a structured, commonly used, machine-readable copy that you can transfer to another service.

The right to object

You can object to processing based on our legitimate interests, including profiling for service personalisation. You can object to direct marketing at any time and we will stop without further ado.

The right not to be subject to solely automated decisions

Where a decision about you (for example, a KYC outcome) is made solely by automated means and produces a significant effect, you have the right to ask for human review.

The right to withdraw consent

Where we rely on your consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing that took place before the withdrawal.

The right to complain to a regulator

If you believe our handling of your personal data violates Act 843, you may lodge a complaint with the Data Protection Commission of Ghana. We would prefer the opportunity to address your concern first, so please contact us before escalating where you can.

We use a layered approach to security. No system is ever perfectly secure, but we work hard to keep your data safe. The principal measures we take include:

• Encryption. Personal data is encrypted in transit (TLS) between your device and our servers, and at rest in our databases and object storage.
• Access controls. Internal access to personal data is restricted by role; every access to KYC artefacts is logged with the reason for access; and we review the access controls regularly.
• Authentication and session management. Sessions are bound to short-lived bearer tokens, kept only in memory on your device; multi-factor sign-in (one-time SMS code plus your transaction PIN for money-moving actions) is enforced; and you can review and remotely sign out of any active session from your profile.
• Velocity controls. Sensitive actions (sign-in, transfer, withdrawal, cell creation) are rate-limited to deter automated abuse.
• Segregation of funds. User balances are held in segregated accounts and are tracked on a double-entry ledger that reconciles continuously against external balances.
• Incident response. We maintain an incident-response plan, conduct after-action reviews, and remediate findings under owner-tracked timelines.

You are responsible for keeping your sign-in credentials, PIN, device, and contact details secure. Treat your PIN like a bank PIN — never share it, and never reuse it on other services.

In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission, the Bank of Ghana (where applicable), and the affected users without undue delay, in line with our regulatory obligations and Act 843. The notification will include a description of the breach, the categories and approximate number of records affected, the likely consequences, and the measures we have taken or propose to take to address the breach and mitigate harm.

The Services are not directed at, and are not intended for, children under eighteen (18) years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us so we can investigate and, if appropriate, delete the data and close the account.

The Services may link to or interoperate with third-party websites, applications, and services that we do not control (for example, mobile-money operators, your device operating system, or external websites referenced in our help content). Those third parties have their own privacy policies, and we encourage you to read them. We are not responsible for the privacy practices of third parties.

We may send you marketing communications about features, promotions, and events related to Jenga Jar where we have your consent or where Ghanaian law permits us to do so as part of an existing customer relationship. You can opt out at any time by clicking the unsubscribe link in our emails, replying STOP to any marketing SMS, switching off marketing notifications in your profile, or contacting us directly. Opting out of marketing does not affect service messages — we will continue to send you transaction receipts, security alerts, and other operational notices.

Our website and web app use cookies, local storage, and similar technologies. See our Cookie Policy for the full breakdown of what we use, why, and how to control them.

We may update this Policy from time to time to reflect changes in the law, our practices, or the Services. When we do, we will update the “Effective” date at the top of this Policy and, where the change is material, we will notify you in advance through the Services, by email, or both. Your continued use of the Services after the updated Policy takes effect indicates your acceptance of the changes.

For any question, request, or complaint about this Policy or our handling of your personal data, please contact us at inquiries@altsolutionsgh.com. We aim to respond within five (5) business days for general queries and within thirty (30) days for formal rights requests.