Ghana Data Protection Act 2012 (Act 843)
The Ghana Data Protection Act 2012 (Act 843) is the primary legislation governing how personal data must be collected, stored, processed, and shared in Ghana. Crearea is fully committed to compliance with Act 843.
Key principles we uphold
- Accountability: We take responsibility for the personal data we process and have designated a Data Protection contact to oversee compliance.
- Lawfulness: We only process personal data where we have a lawful basis — primarily consent (when you create an account) and contractual necessity (to provide the Service you signed up for).
- Purpose limitation: We only collect and use data for the specific purposes stated in our Privacy Policy. We do not repurpose data for incompatible uses.
- Data minimisation: We collect only the minimum data necessary to provide the Service. We do not collect data "just in case".
- Accuracy: We take reasonable steps to keep your data accurate. You can update your account information at any time.
- Storage limitation: We retain data only as long as necessary. See our Privacy Policy for specific retention periods.
- Security: We implement technical and organisational measures to protect data against unauthorised access, loss, or destruction.
Individuals have the right to access, correct, delete, or port their data, and to object to processing. These rights can be exercised by contacting hello@crearea.app.
Student Data Protection
Crearea is designed exclusively as an educational tool for students. We take student data protection seriously and apply the following principles:
Age and consent
Crearea requires users to be at least 13 years of age. We are aware that many of our users are minors and treat their data with heightened care. We align our student data practices with internationally recognised standards including US Children's Online Privacy Protection Act (COPPA) principles, applied as guidance for users under 18.
No advertising to students
We do not display advertisements, serve advertising to, or build advertising profiles for any user — including minors. Our revenue comes from subscriptions only.
Minimum necessary data
For students, we collect only: name, email, education level, and school (optional). We do not collect financial information directly, GPS location, biometric data, or any data beyond what is needed to provide the educational service.
Parental access
Parents or guardians of users under 18 may contact hello@crearea.app to request access to, correction of, or deletion of their child's account data. We will process such requests within 30 days.
Security Measures
We implement the following technical and organisational security measures:
Technical measures
- Encryption in transit: All data between your device and our servers is encrypted using TLS 1.3.
- Encryption at rest: Data stored in Firebase Firestore and Firebase Storage is encrypted at rest using AES-256.
- Authentication: Two factor authentication is available for all accounts. Firebase Authentication manages session tokens with automatic expiry.
- Access control: Production systems are accessible only to authorised team members with role based permissions. All access is logged.
- API security: All AI calls go through authenticated Cloud Functions — never directly from the client. API keys are stored as Cloud Function secrets, never in the app.
- Dependency management: We regularly update dependencies and review for security vulnerabilities.
Organisational measures
- Only team members with a legitimate need to know can access user data
- Team members are trained on data protection responsibilities
- We conduct regular reviews of our data handling practices
- Contracts with sub-processors include data protection obligations
Third-Party Data Processors
We use a limited number of carefully selected sub-processors. We have data processing agreements in place with each:
- Google Firebase (Google LLC) — database, authentication, storage, cloud functions. Firebase's data centres are in the US; data is transferred under standard contractual clauses. Firebase is compliant with ISO 27001, SOC 2, and GDPR.
- Paystack (Paystack Inc.) — payment processing. PCI DSS Level 1 certified, operating under the Bank of Ghana regulatory framework.
- Google Gemini API (Google LLC) — AI inference for AI features. Google does not use API submitted data to train models.
We do not share data with any other third parties for commercial purposes.
Incident Response
In the event of a data breach or security incident:
- Detection: We maintain monitoring that alerts us to unusual activity.
- Containment: We isolate affected systems within hours of detection.
- Assessment: We assess the nature, scope, and impact of the incident.
- Notification: If a breach poses a risk to individuals' rights, we notify the Data Protection Commission of Ghana within 72 hours and affected users without undue delay.
- Remediation: We address the root cause and implement measures to prevent recurrence.
- Post incident review: We document lessons learned and update our security practices.
To report a security vulnerability, email hello@crearea.app with the subject line "Security Report". We commit to acknowledging reports within 48 hours.
Data Protection Contact
ATIGHLID LIMITED has designated a data protection contact responsible for overseeing compliance with the Ghana Data Protection Act 2012.
Company: ATIGHLID LIMITED
Location: Kumasi, Ghana
Phone: 0599840213 / 0530205538
Email: hello@crearea.app
If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Commission of Ghana.