Privacy Policy

Edwadzi ("we", "us", "our") operates a service marketplace platform that connects clients with service providers for event planning, photography, catering, and other professional services. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the Edwadzi platform ("Platform"), including our website and mobile applications.

By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Platform.

This Policy should be read alongside our Terms & Conditions, which govern your use of the Platform.

Edwadzi is the data controller responsible for your personal data processed through the Platform. For questions about this Policy or your data rights, contact us at the details provided in Section 14.

We process your personal data for the following purposes:

• Account creation, authentication, and role management
• Provider identity verification, credential review, and profile display
• Matching clients with providers based on category, location, and availability
• Processing payments, managing escrow, and issuing refunds
• Facilitating real-time messaging, file sharing, and booking coordination between users
• Sending transactional notifications (booking confirmations, payment receipts, dispute updates)
• Sending marketing communications where you have opted in (event tips and recommendations)
• Displaying reviews and ratings to build marketplace trust
• Resolving disputes between clients and providers
• Detecting and preventing fraud, abuse, and violations of our Terms
• Improving Platform functionality, performance, and user experience
• Complying with legal obligations and responding to lawful requests

We process your data on the following legal grounds:

• Contract performance: processing necessary to provide Platform services, manage bookings, and process payments
• Legitimate interests: fraud prevention, Platform security, service improvement, and business analytics (where these do not override your rights)
• Consent: marketing communications and optional data collection (you may withdraw consent at any time)
• Legal obligation: compliance with tax, anti-money laundering, and other regulatory requirements

We do not sell your personal data. We share data only in the following circumstances:

• Between clients and providers: profile information, booking details, messages, and reviews necessary to facilitate service delivery
• Payment processors: transaction data is shared with our third-party payment processor to process payments and manage escrow
• Authentication provider: Auth0 processes your login credentials and social provider tokens on our behalf
• Cloud infrastructure: data is hosted on secure cloud servers operated by our infrastructure providers
• Legal requirements: we may disclose data to comply with applicable law, regulation, legal process, or enforceable government request
• Business transfers: in the event of a merger, acquisition, or sale of assets, user data may be transferred to the successor entity
• With your consent: we may share data for purposes not listed here, but only with your explicit consent

We retain your data for as long as your account is active and as needed to provide Platform services. Specific retention periods:

• Account data: retained while your account is active and for 12 months after deletion to allow for account recovery and resolve outstanding obligations
• Transaction and payment records: retained for 7 years to comply with financial record-keeping and tax obligations
• Messages and communication data: retained while the associated booking is active; deleted 24 months after booking completion unless required for dispute resolution
• Provider verification documents: retained while the provider account is active; securely deleted within 90 days of account closure
• Server logs: retained for up to 90 days for security and debugging purposes
• Marketing consent records: retained for the duration of consent plus 12 months after withdrawal for compliance evidence

We implement industry-standard technical and organisational measures to protect your data:

• Passwords are hashed using strong one-way algorithms and are never stored in plain text
• Authentication tokens (JWT) are used for session management, with short-lived access tokens and secure refresh token rotation
• Payment data is processed by PCI DSS-compliant third-party processors; we do not store full card numbers on our servers
• Data in transit is encrypted using TLS/HTTPS
• Access to personal data is restricted to authorised personnel on a need-to-know basis
• Regular security reviews and monitoring for unauthorised access or data breaches

While we take reasonable steps to protect your data, no system is completely secure. You are responsible for maintaining the confidentiality of your account credentials and for any activity under your account.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you
• Rectification: request correction of inaccurate or incomplete data
• Erasure: request deletion of your data (subject to legal retention obligations)
• Restriction: request that we limit processing of your data in certain circumstances
• Portability: request your data in a structured, machine-readable format
• Objection: object to processing based on legitimate interests or for direct marketing
• Withdraw consent: withdraw consent for marketing or optional processing at any time without affecting prior processing

To exercise any of these rights, contact us using the details in Section 14. We will respond within 30 days. We may need to verify your identity before processing your request.

The Platform uses minimal local storage for essential functionality:

• Authentication tokens (access and refresh tokens) stored in browser local storage to maintain your signed-in session
• Active role preference (client or provider) stored locally so the Platform remembers your last-used view

We do not currently use third-party analytics cookies or advertising trackers. If this changes, we will update this Policy and implement appropriate consent mechanisms.

You can clear local storage through your browser settings, but this will sign you out and reset your role preference.

The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child under 18 has provided us with personal data, we will take steps to delete that data promptly. If you believe a child has provided data to us, please contact us immediately.

Your data may be processed and stored on servers located outside your country of residence, including countries that may not provide the same level of data protection as your home jurisdiction.

Where we transfer data internationally, we implement appropriate safeguards such as standard contractual clauses or rely on adequacy decisions to ensure your data remains protected.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify registered users via email or in-app notification at least 14 days before the changes take effect.

The "Last updated" date at the top of this page indicates when the Policy was most recently revised. Continued use of the Platform after the effective date of any changes constitutes acceptance of the updated Policy.

If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how your data is handled, please contact us:

This Privacy Policy is governed by the laws of the Republic of Ghana, including the Data Protection Act, 2012 (Act 843). Where applicable, we also respect the rights afforded to users under the EU General Data Protection Regulation (GDPR) and similar international data protection frameworks.