Data Protection

1. Our Commitment

Identra Technologies Bureau LTD ("ITB") is registered with the Data Protection Commission of Ghana and operates in compliance with the Data Protection Act, 2012 (Act 843).

The protection of personal data — including biometric data — is fundamental to how ITB designs, builds, and operates its platform and services. ITB applies a privacy-by-design and security-by-design approach across its systems to ensure that personal data is processed lawfully, securely, and responsibly.

This policy explains how ITB collects, processes, stores, and protects personal data in the course of operating the ITB Platform.

2. Data We Process

In the course of operating the Platform, ITB may process the following categories of personal data:

• Identity data — full name, date of birth, nationality, national identification numbers
• Contact data — email address, phone number
• Biometric data — facial images and facial recognition templates (embeddings)
• Document data — images or records of identity documents (e.g. national ID, driver's licence)
• Vehicle data — licence plate numbers, vehicle registration details, VIN numbers
• Operational data — verification queries, system logs, audit trails, and usage metadata

3. Legal Basis for Processing

ITB processes personal data on the following legal bases under the Data Protection Act, 2012:

• Consent — where individuals voluntarily submit their data for enrollment or verification
• Legitimate interest — where processing is necessary for authorised institutional verification and fraud prevention workflows
• Legal obligation — where processing is required to support lawful regulatory or law enforcement functions
• Vital interests — where processing is necessary to protect the safety or security of individuals or the public

4. Biometric Data

Biometric data — including facial images and facial recognition templates — is treated as sensitive personal data and is subject to enhanced safeguards.

ITB applies the following controls:

• Biometric data is collected only with explicit consent or under a lawful institutional mandate
• Facial recognition results are provided as decision-support outputs (e.g. confidence scores) and are not intended to replace human judgment
• Biometric data is protected using industry-standard encryption at rest and in transit
• Access to biometric data is restricted to authorised and authenticated personnel
• Biometric data is not sold or disclosed to third parties except where there is a lawful basis

5. Data Security

ITB implements a range of technical and organisational measures designed to protect personal data and system integrity, including:

• Industry-standard encryption for data in transit (TLS) and at rest (AES-256 or equivalent)
• Role-based access control ensuring that only authorised users can access sensitive data
• Secure authentication and session management mechanisms
• Comprehensive audit logging of system activity and data access events
• Infrastructure hosted on enterprise-grade cloud platforms with controlled access and security configurations
• Secure management of secrets and credentials using dedicated secret management systems

ITB continuously reviews and improves its security controls in line with evolving industry standards and regulatory expectations.

6. Data Sovereignty

ITB stores and processes personal data using secure cloud infrastructure with defined data residency and access controls.

ITB does not transfer personal data outside applicable jurisdictions without a lawful basis and appropriate safeguards. Where cross-border processing is required, ITB ensures that adequate data protection measures are in place.

7. Data Retention

ITB retains personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law and institutional agreements.

Retention principles include:

• Enrollment records — retained for the duration of the relationship and for a defined period thereafter
• Verification logs — retained for audit, compliance, and security monitoring purposes
• Investigation data — retained only as long as required for legitimate investigative or operational purposes
• Biometric data — subject to periodic review and deletion based on consent status, contractual obligations, or lawful requirements

8. Your Rights

Under the Data Protection Act, 2012, individuals have the following rights:

• Right of access — to request information about personal data held about you
• Right to rectification — to request correction of inaccurate or incomplete data
• Right to erasure — to request deletion of personal data where there is no lawful basis for continued processing
• Right to object — to object to processing in certain circumstances
• Right to withdraw consent — where processing is based on consent

Requests can be made using the contact details below. ITB will respond within applicable legal timelines.

9. Data Protection Commission

ITB is registered with and regulated by the Data Protection Commission of Ghana.

If you believe your data protection rights have been violated, you may lodge a complaint with:

10. Contact Our Data Protection Officer