PRIVACY POLICY

SAI Technology

Effective Date: December 15, 2025

Last Updated: December 15, 2025

1. INTRODUCTION

SAI Technology ("we," "our," or "us") is a Ghanaian-based technology studio providing managed technology services and digital platform solutions to institutional clients. We are registered with the Data Protection Commission of Ghana and committed to protecting the privacy and personal data of all individuals whose information we process.

This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when providing managed services to our clients and their end users.

2. REGULATORY COMPLIANCE

SAI Technology complies with:

• The Data Protection Act, 2012 (Act 843) of Ghana
• Regulations issued by the Data Protection Commission (DPC) of Ghana
• General Data Protection Regulation (GDPR) principles where applicable to international data transfers
• Industry best practices for technology services

DPC Registration: SAI Technology is registered with the Data Protection Commission of Ghana under Registration Number 0006285.

3. SCOPE AND APPLICATION

This Privacy Policy applies to:

• Personal data processed through digital platforms and systems we manage
• Data collected during service delivery, support, and maintenance
• Information gathered through our website and communication channels
• Data processed on behalf of our institutional clients (as Data Processor)

4. DATA CONTROLLER AND PROCESSOR ROLES

4.1 When We Act as Data Processor

When managing digital platforms and systems for institutional clients, we act as a Data Processor. Our client institutions are the Data Controllers who determine the purposes and means of processing personal data of their users (which may include students, employees, customers, or other end users depending on the client's operations).

4.2 When We Act as Data Controller

We act as a Data Controller for:

• Data of our direct business contacts and client representatives
• Website visitors and marketing communications recipients
• Employment applicants and employee records
• Service usage analytics and system logs we independently collect

5. TYPES OF PERSONAL DATA PROCESSED

5.1 End User Data (Processed on Behalf of Clients)

The types of personal data we process depend on the specific services we provide to each client. This may include:

• Identity Information: Names, user ID numbers, date of birth, photographs, titles
• Contact Information: Email addresses, phone numbers, physical addresses
• Account Information: Usernames, authentication credentials, user preferences, profile information
• Activity Data: Login times, system access patterns, usage statistics, interaction records
• Technical Data: IP addresses, browser types, device information, session data
• Communication Records: Messages, posts, submissions, notifications, feedback
• Transaction Data: For systems handling transactions or commerce
• Content Data: User-generated content, uploads, documents, files
• Performance Data: Analytics, reports, assessment data (where applicable)

5.2 Client Institution Data

• Employee contact information (administrators, IT staff)
• Institutional billing and contract information
• Service usage and performance metrics
• Support ticket communications

5.3 Website and Marketing Data

• Contact form submissions and inquiry information
• Newsletter subscription details
• Website analytics and cookies

6. PURPOSES OF DATA PROCESSING

6.1 Service Delivery Purposes

We process personal data to:

• Operate and maintain digital platforms and systems for our clients
• Provide user authentication and access control
• Enable the core functionality of client platforms
• Facilitate communication and collaboration (where applicable)
• Generate reports and analytics as requested by client institutions
• Provide technical support and troubleshooting
• Monitor system performance and security

6.2 Legal Basis for Processing

Our processing is based on:

• Contract Performance: Fulfilling our service agreements with client institutions
• Legitimate Interests: System security, service improvement, fraud prevention
• Legal Obligations: Compliance with Ghanaian data protection laws, tax requirements, and regulatory mandates
• Consent: Where specifically obtained for marketing communications or optional services

7. DATA SHARING AND DISCLOSURE

7.1 Third-Party Service Providers

We may engage carefully vetted subprocessors to assist in service delivery:

• Cloud Infrastructure Providers: For hosting and storage
• Security Services: For monitoring and threat detection
• Backup Services: For data redundancy and disaster recovery
• Support Tools: For ticketing and communication

All subprocessors are bound by written agreements requiring data protection standards equivalent to this policy.

7.2 Client Access

Client institutions have full access to data within their managed platform instances and may export, modify, or delete data as Data Controllers.

7.3 Legal Disclosures

We may disclose personal data when required by:

• Court orders or legal processes
• Ghanaian law enforcement or regulatory authorities
• Protection of our legal rights or safety of individuals
• Data Protection Commission investigations

7.4 No Sale of Personal Data

SAI Technology does not sell, rent, or trade personal data to third parties for marketing purposes.

8. INTERNATIONAL DATA TRANSFERS

Our primary data processing occurs within Ghana. Where international transfers are necessary (such as cloud infrastructure hosted abroad), we implement appropriate safeguards including:

• Standard Contractual Clauses approved by relevant authorities
• Adequacy determinations by the Data Protection Commission
• Documented transfer impact assessments
• Encryption and security measures during transit and at rest

We obtain client approval before transferring data outside Ghana when acting as Data Processor.

9. DATA SECURITY MEASURES

SAI Technology implements comprehensive technical and organizational measures to protect personal data:

9.1 Technical Safeguards

• End-to-end encryption for data in transit (TLS 1.3)
• Encryption at rest using industry-standard algorithms
• Multi-factor authentication for administrative access
• Regular security patching and vulnerability assessments
• Intrusion detection and prevention systems
• Automated backup systems with encryption

9.2 Organizational Measures

• Role-based access controls with least privilege principles
• Mandatory security awareness training for all staff
• Background checks for personnel with data access
• Confidentiality agreements with employees and contractors
• Documented security policies and procedures
• Regular security audits and compliance reviews

9.3 Physical Security

• Secure data center facilities with restricted access
• Environmental controls and redundant power systems
• 24/7 monitoring and surveillance

10. DATA RETENTION

10.1 Client Data Retention

As Data Processor, we retain client data according to:

• Terms specified in our service agreements
• Instructions from client institutions as Data Controllers
• Minimum retention periods required by Ghanaian educational regulations

Upon contract termination, we securely return or destroy client data as instructed.

10.2 Our Business Data Retention

• Contract and billing records: 7 years after contract end
• Support tickets and communications: 3 years
• System logs: 12 months (security incidents retained longer)
• Marketing data: Until consent withdrawn or 5 years of inactivity

11. DATA SUBJECT RIGHTS

Under the Data Protection Act of Ghana, individuals have the right to:

11.1 Rights for End Users

For individuals whose data is processed on behalf of our clients, these requests should be directed to the relevant client institution as the Data Controller. We will assist institutions in fulfilling these requests within our role as Data Processor:

• Right of Access: Obtain confirmation and copies of your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion in certain circumstances
• Right to Restriction: Limit processing under specific conditions
• Right to Data Portability: Receive data in structured, machine-readable format
• Right to Object: Contest processing based on legitimate interests

11.2 Rights Regarding SAI Technology's Direct Processing

For data where we are the Data Controller (business contacts, website visitors):

• Submit requests to: https://www.saitechnology.co/support
• We will respond within 21 days as required by Ghanaian law
• Identity verification may be required to protect against fraudulent requests

11.3 Right to Lodge a Complaint

You may file a complaint with:

Data Protection Commission (Ghana)

Address: P.O. Box CT 692, Cantonments, Accra, Ghana

Phone: +233 (0)302 906 003

Email: info@dataprotection.org.gh

Website: www.dataprotection.org.gh

12. COOKIES AND TRACKING TECHNOLOGIES

12.1 Platform Cookies

Our managed platforms use:

• Essential cookies: For authentication and session management (cannot be disabled)
• Functional cookies: To remember user preferences
• Analytics cookies: To understand usage patterns (can be disabled)

The specific cookies used depend on the platform and services provided.

12.2 Website Cookies

Our corporate website uses cookies for:

• Analytics and website performance measurement
• Marketing and advertising (with consent)

You can control cookies through browser settings. Disabling essential cookies may affect service functionality.

13. CHILDREN'S PRIVACY

When managing systems for clients that serve minors (under 18 in Ghana):

• Client institutions are responsible for obtaining parental consent where required
• We process children's data only as instructed by client institutions
• Enhanced security measures apply to systems serving minors
• We do not knowingly collect data from children for marketing purposes

14. DATA BREACH NOTIFICATION

In the event of a personal data breach:

• We will notify affected client institutions within 72 hours of discovery
• Client institutions will be provided with breach details, impact assessment, and remediation steps
• We will notify the Data Protection Commission as required by law
• Affected individuals will be notified when legally required or when the breach poses high risk

15. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy periodically to reflect:

• Changes in data protection laws
• New service offerings or technologies
• Feedback from the Data Protection Commission
• Industry best practice developments

Material changes will be communicated to client institutions with 30 days' notice. The "Last Updated" date at the top of this document indicates the most recent revision.

16. CONTACT INFORMATION

For privacy-related inquiries, requests, or concerns:

Data Protection Officer

Alvin Yeboah

Email: operations@saitechnology.co

Phone: 0243945815

Website: www.saitechnology.co

Business Hours: Monday - Friday, 8:00 AM - 5:00 PM GMT

17. SPECIFIC COMMITMENTS TO CLIENT INSTITUTIONS

When managing your systems and platforms, SAI Technology commits to:

• Processing data only on documented instructions
• Ensuring personnel are bound by confidentiality
• Implementing appropriate technical and organizational measures
• Engaging subprocessors only with prior written consent
• Assisting with data subject rights requests and impact assessments
• Deleting or returning all data at contract termination
• Making available all information necessary to demonstrate compliance
• Allowing for and contributing to audits and inspections

Acknowledgment: By engaging SAI Technology's managed services or using systems we operate, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of information as described herein.