Privacy Policy

1. Introduction

i. Arova Digital Enterprise ("Arova", "we", "us", "our") operates the Arova Digital Platform, a loyalty and customer relationship management system accessible at arovadigital.com. We are committed to protecting the personal data of every individual who interacts with our platform, whether as a merchant, a customer, or a visitor to our website.

ii. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, how we protect it, and what rights you have over your data. It applies to all users of the Arova platform and website.

iii. By registering for or using our platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with how we handle your personal data, please do not use the platform.

iv. This Privacy Policy complies with the Data Protection Act 2012 (Act 843) of Ghana.

2. Who We Are — Contact Details

Arova Digital Enterprise is the data controller responsible for your personal data.

• Legal name: Arova Digital Enterprise

• Trading name: Arova Digital Platform

• Company registration number: BN020210126

• Email address: hello@arovadigital.com

• Website: arovadigital.com

• WhatsApp: +1 860 869 9899

3. What Personal Data We Collect

3.1 Data collected from merchants

When a business registers on the Arova platform, we collect:

i. Full name of the account owner.
ii. Business name and business registration details.
iii. Email address and phone number.
iv. Business category, country of operation, and currency.
v. Billing information for paid subscription plans (processed by our payment partner — we do not store card details).
vi. Login credentials (passwords are stored in encrypted form and never readable by Arova staff).
vii. Business logo and branding assets if uploaded by the merchant.
viii. Configuration settings chosen by the merchant (reward rates, rules, branch structure).

3.2 Data collected from customers (collected by merchants using our platform)

When merchants record transactions for their customers on the Arova platform, the following data is collected and stored:

i. Customer phone number (primary account identifier).
ii. Customer full name (if provided by the merchant).
iii. Purchase amounts and transaction dates.
iv. Loyalty points balance and full transaction history.
v. Redemption history.
vi. Visit frequency and lifetime spend with that merchant.
vii. Custom fields configured by the merchant (e.g. email address, date of birth, if enabled).

3.3 Technical and usage data

When you use the Arova platform or website, we may automatically collect:

i. IP address and device type.
ii. Browser type and version.
iii. Pages visited and time spent on the platform.
iv. Login timestamps and session data.
v. Error logs and system diagnostic data.

4. Why We Collect Your Data — Legal Basis

We collect and process personal data only for specific, legitimate purposes in accordance with the Data Protection Act 2012 (Act 843). The table below sets out each purpose and its legal basis:

Purpose	Data used	Legal basis
Providing the loyalty platform service to merchants	Merchant account data, customer transaction data	Contract performance
Sending transactional SMS to customers (balance updates, redemption confirmations)	Customer phone number, points balance	Legitimate interest / consent at enrollment
Sending marketing SMS campaigns on paid plans	Customer phone number, purchase history	Explicit opt-in consent — required separately from enrollment
Billing and subscription management for merchants	Merchant billing data	Contract performance
Platform security, fraud detection, and audit trail	Usage data, transaction logs, all activity logs	Legitimate interest and legal obligation
Legal compliance and record keeping	All data as required by law	Legal obligation
Responding to customer support requests	Account data, transaction history	Contract performance / legitimate interest
Improving platform performance and features	Anonymized usage data	Legitimate interest

5. How We Share Your Data

Arova does not sell, rent, or trade your personal data to any third party for commercial purposes. We share personal data only in the following limited circumstances:

5.1 With merchants (customer data)

Merchants who enroll customers on the Arova platform can view their own customers' loyalty data, including transaction history, points balance, and visit frequency. Merchants cannot view data belonging to other merchants' customers. Arova applies strict access controls to enforce this separation.

5.2 With SMS service providers

We share customer phone numbers with our licensed and NCA-compliant SMS delivery providers solely for the purpose of sending transactional and campaign messages on behalf of merchants. Our SMS providers are bound by data processing agreements prohibiting any other use of this data.

5.3 With payment processors

Merchant billing data is shared with our payment processing partner (Paystack) solely for processing subscription payments. Arova does not store full payment card details. All payment data is handled by Paystack in accordance with their own privacy and security policies.

5.4 With regulators and law enforcement

We may disclose personal data where required by Ghanaian law, a valid court order, or a lawful request from a regulatory authority, including the Data Protection Commission (DPC), the Cyber Security Authority (CSA), the National Communications Authority (NCA), or the Ghana Police Service.

5.5 Cross-border data transfers

Arova's platform infrastructure may involve servers or service providers located outside Ghana. Where personal data originating from Ghana is transferred to or processed in another jurisdiction, Arova takes appropriate steps to ensure that such data receives an equivalent level of protection, including through data processing agreements with sub-processors. We will notify affected individuals and the DPC if a cross-border transfer creates material risks to data subjects' rights.

6. How Long We Keep Your Data

We retain personal data only for as long as necessary for the purposes described in this policy or as required by Ghanaian law:

Category of data	Retention period
Active merchant account data	Retained for the duration of the merchant's active subscription plus 2 years after account closure
Customer loyalty data (points, transactions, visit history)	Retained for as long as the merchant account is active, plus 1 year after the merchant closes their account
Transaction records and audit logs	7 years — for legal, tax, and regulatory compliance
SMS delivery records and consent records	5 years — required for NCA compliance
Billing records	7 years — for tax compliance under the Revenue Administration Act 2016
Website usage and technical data	12 months, then permanently deleted
Data breach records	Retained indefinitely for regulatory accountability

7. How We Protect Your Data

Arova implements technical and organizational security measures to protect personal data against unauthorized access, accidental loss, destruction, or disclosure, in accordance with the Cybersecurity Act 2020 (Act 1038) and the Data Protection Act 2012 (Act 843). Our security measures include:

i. Encryption of all data in transit using HTTPS/TLS protocols.

ii. Encryption of sensitive data at rest.

iii. Secure password hashing — passwords are never stored in readable form.

iv. Role-based access controls — Arova staff and merchant staff can only access data relevant to their assigned role.

v. Full audit logging of every platform action for security monitoring and fraud detection.

vi. Regular review of access permissions and system security.

vii. A documented data breach response procedure — see Section 9.

No system can guarantee absolute security. If you believe your account has been compromised, contact us immediately at hello@arovadigital.com.

8. Your Rights Under Ghana's Data Protection Act 2012 (Act 843)

You have the following rights in relation to your personal data held by Arova:

Your right	What it means
Right of access	You may request a copy of the personal data we hold about you. We will respond within 21 days.
Right to correction	You may request that inaccurate, incomplete, or outdated personal data be corrected.
Right to object	You may object to processing your personal data where that processing causes or is likely to cause you unwarranted damage or distress.
Right to prevent direct marketing	You may opt out of marketing SMS at any time by replying STOP to any message. Your request will be processed within 24 hours.
Right to erasure	You may request deletion of personal data that we are not legally required to retain. We will respond within 21 days.
Right to lodge a complaint	If you are dissatisfied with how we have handled your data, you may lodge a complaint with the Data Protection Commission of Ghana at dataprotection.org.gh.

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Arova will:

i. Notify the Data Protection Commission as soon as practicable — and in no case later than 72 hours — after becoming aware of the breach.

ii. Notify affected individuals directly where the breach poses a high risk to their rights and freedoms, without undue delay.

iii. Document the nature of the breach, the categories and approximate number of individuals affected, the categories and approximate volume of records affected, the likely consequences of the breach, and the measures taken or proposed to address the breach.

iv. Cooperate fully with the DPC in any investigation arising from the breach.

Arova maintains a Data Breach Response Plan that is reviewed annually and updated whenever material changes are made to our data processing activities.

10. SMS Communications

10.1 Transactional SMS

Arova sends transactional SMS messages as part of the loyalty service. These include balance updates after purchases, redemption confirmations, and account-related notifications. Transactional SMS is sent based on the customer's enrollment in the merchant's loyalty program and does not require a separate marketing consent.

Every transactional SMS includes opt-out instructions. Customers may reply STOP at any time to stop receiving all SMS from that merchant through Arova.

10.2 Marketing and campaign SMS

Marketing SMS campaigns — including promotional offers, win-back messages, seasonal promotions, and tier upgrade notifications — are sent only to customers who have given explicit opt-in consent to receive marketing communications from that specific merchant. This consent is separate from the enrollment consent and must be actively given by the customer.

Merchants are responsible for maintaining opt-in records for their customers. Arova provides technical controls to ensure that only opted-in customers are included in marketing campaigns.

All marketing SMS messages clearly identify the sending merchant and include unsubscribe instructions. Opt-out requests are honored immediately.

11. Cookies

The Arova website (arovadigital.com) uses cookies and similar technologies. A separate Cookie Policy will be published at arovadigital.com/cookies. You can manage cookie preferences through your browser settings at any time. Disabling certain cookies may affect website functionality.

12. Children's Privacy

The Arova platform is intended for use by businesses and adults aged 18 and over. We do not knowingly collect personal data from individuals under the age of 18. If you believe that a minor has provided personal data to Arova, please contact us immediately at hello@arovadigital.com and we will take steps to delete that data.

13. Changes to This Privacy Policy

Arova may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or platform functionality. When we make material changes, we will notify registered merchants by email at least 14 days before the changes take effect and update the version number and effective date at the top of this document. The current version of this Privacy Policy is always available at arovadigital.com/privacy. Continued use of the platform after the updated policy takes effect constitutes your acceptance of the revised policy.

14. Governing Law

This Privacy Policy is governed by the laws of the Republic of Ghana, including the Data Protection Act 2012 (Act 843), the Electronic Transactions Act 2008 (Act 772), and the Cybersecurity Act 2020 (Act 1038).

15. How to Contact Us

For all data protection queries, access requests, complaints, or to exercise any right described in this policy:

Data Protection Supervisor

Arova Digital Enterprise

Email: hello@arovadigital.com

Website: arovadigital.com

WhatsApp: +1 860 869 9899

Data Protection Commission of Ghana: dataprotection.org.gh