NoxManage Comprehensive Privacy Policy

Protecting Your Data Across the NoxMall Ecosystem

🔒 Ghana Data Protection Act 2012 Compliant🌍 21 African Countries Coverage🛡️ Enterprise-Grade Security

📜

Comprehensive Privacy Commitment

Welcome to NoxManage's comprehensive Privacy Policy. As part of the NoxMall ecosystem, we are committed to protecting your privacy and ensuring the highest standards of data protection. This document explains in detail how we collect, use, store, share, and protect your personal information across our platform serving businesses in 21 African countries.

We believe transparency is fundamental to trust. This policy outlines our practices in compliance with Ghana's Data Protection Act 2012, regional data protection frameworks, and international best practices. By using our services, you acknowledge that you have read and understood this comprehensive privacy policy.

1. Comprehensive Data Collection: Categories & Purposes

Identity & Verification Data

Required for Account Creation

•Full Legal Name: As appears on government-issued identification
•Date of Birth: For age verification and compliance purposes
•Nationality & Residency: For tax and regulatory compliance
•Government ID Numbers: Ghana Card or equivalent national identification

Business Verification Data

•Business Registration: Certificate of incorporation/registration
•Tax Identification: Taxpayer identification numbers
•Business Address: Physical location verification
•Beneficial Ownership: For corporate entities as per anti-money laundering regulations

Contact & Communication Data

Primary Contact

• Verified email addresses
• Mobile phone numbers (SMS verified)
• Alternative contact numbers

Business Communications

• Customer service interactions
• Transaction notifications
• Marketing preferences

Location Data

• Store location coordinates
• Delivery/service areas
• IP address for security

Financial & Transaction Data

Payment Information

•Bank Account Details: For earnings transfers and payouts
•Mobile Money Accounts: MTN, Vodafone, AirtelTigo registered numbers
•Payment History: Complete transaction records
•Settlement Records: Earnings and commission calculations

Business Operations

•Product/Service Listings: Inventory and catalog data
•Customer Interactions: Order history and communication logs
•Performance Metrics: Sales analytics and business insights
•Dispute Records: Resolution documentation and evidence

2. Third-Party Service Providers: Detailed Integration Framework

Core Service Providers & Data Flow

Authentication & Infrastructure Services

🔥

Google Firebase

Primary Functions:

• User authentication and session management
• Encrypted document storage (IDs, certificates)
• Real-time database for transaction processing
• Analytics data processing (anonymized)

Data Location: May be stored in US/EU regions with encryption

☁️

Amazon Web Services

Primary Functions:

• Primary application hosting and infrastructure
• Backup and disaster recovery systems
• Content delivery network services
• Email server infrastructure

Data Location: Regional data centers with local compliance

Payment & Financial Services

💳

Paystack (Flutterwave)

Data Shared:

• Transaction amount and currency
• Customer email (for receipts)
• Merchant identification codes
• Payment method details (tokenized)

Compliance: PCI-DSS Level 1 Certified

📱

Mobile Money Providers

Providers:

• MTN Mobile Money Ghana
• Vodafone Cash Ghana
• AirtelTigo Money Ghana
• Country-specific mobile money operators

Data Shared: Transaction reference numbers only

Communication & Analytics Services

✉️

Twilio & SendGrid

Functions:

• SMS notifications for transactions
• Email marketing and updates
• Two-factor authentication codes
• Customer service communications

Data Shared: Phone numbers and email addresses only

📊

Google Analytics

Data Collected:

• Anonymized usage statistics
• Platform performance metrics
• User interaction patterns (aggregated)
• Feature adoption rates

No personally identifiable information shared

3. Data Retention: Detailed Schedule & Protocols

Data Category	Retention Period	Legal Basis	Post-Retention Action
Account Registration Data	5 years after last activity	Contract fulfillment & legal claims	Secure deletion with 7-pass overwrite
Financial Transactions	10 years	Ghana Revenue Authority requirements	Archived with military-grade encryption
Identity Documents	90 days after verification	KYC/AML compliance	Only encrypted hash retained
Communication Logs	3 years	Dispute resolution & quality assurance	Anonymization after 1 year
Marketing Data	Until consent withdrawal	User consent	Immediate deletion upon request
Backup Data	90 days	Business continuity	Automatic secure deletion

Data Deletion Protocols

Standard Deletion Process

• Automated data lifecycle management
• Secure overwrite of storage media
• Verification of complete deletion
• Third-party data deletion requests

Emergency Deletion

• Immediate processing for legal requests
• 24-hour response for security incidents
• Certificate of data destruction provided
• Audit trail maintained for compliance

4. International Data Transfers: Comprehensive Safeguards

Transfer Mechanisms & Legal Frameworks

Standard Contractual Clauses (SCCs)

• EU-approved data transfer agreements
• Comprehensive data protection commitments
• Third-party beneficiary rights
• Regular compliance audits

Binding Corporate Rules (BCRs)

• Internal data protection policies
• Consistent standards across NoxMall entities
• Employee training and certification
• Cross-border compliance monitoring

Country-Specific Compliance

Ghana

Data Protection Act 2012 compliance with DPC registration

Nigeria

Nigeria Data Protection Regulation (NDPR) 2019 alignment

Kenya

Data Protection Act 2019 & Office of the Data Protection Commissioner

5. Advanced Security Measures: Multi-Layered Protection

Technical Security Controls

Encryption Implementation

• AES-256 encryption for data at rest
• TLS 1.3 with perfect forward secrecy for data in transit
• End-to-end encryption for sensitive communications
• Hardware Security Modules (HSMs) for key management
• Quantum-resistant cryptography protocols

Network & Infrastructure Security

• Web Application Firewalls with machine learning
• Distributed Denial of Service (DDoS) protection
• Intrusion Detection & Prevention Systems (IDPS)
• Regular penetration testing by CREST-certified firms
• Zero-trust network architecture

Organizational Security Measures

Access & Identity Management

• Multi-factor authentication (MFA) for all accounts
• Role-Based Access Control (RBAC) with least privilege
• Biometric authentication for high-privilege operations
• Regular access right reviews and recertification
• Session management and timeout controls

Monitoring & Incident Response

• 24/7 Security Operations Center (SOC) monitoring
• Security Information & Event Management (SIEM)
• Automated threat detection and response
• Breach notification procedures within 72 hours
• Digital forensics and investigation capabilities

6. Your Rights: Comprehensive Exercise Procedures

Right to Access & Portability

Data Access Request

Submit request through account settings or email to dpo@noxmanage.com

Processing Timeline

Response within 30 days, complex requests may take up to 60 days

Format Options

CSV, JSON, PDF, or other machine-readable formats

Right to Rectification & Erasure

Correction Requests

Self-service updates for non-critical data via account dashboard

Document Verification

Identity corrections require supporting documentation

Deletion Process

Complete data deletion within 30 days, except where legal obligations require retention

Right to Restriction & Objection

Processing Restrictions

• Temporary suspension of data processing
• Verification of data accuracy periods
• Legal claim evaluation periods
• Objection evaluation periods

Automated Decision Objection

• Human review of automated decisions
• Explanation of algorithmic logic
• Opportunity to provide additional information
• Appeal process for automated decisions

Data Protection Office

Email: dpo@noxmanage.com

Phone: +233 50 250 3934

Address: Data Protection Office, NoxManage Ltd., Accra Digital Center, Ring Road Central, Accra, Ghana

Office Hours: Monday-Friday, 8:30am-5:00pm GMT

Response Commitments

• Request acknowledgment within 24 hours
• Substantive response within 30 calendar days
• Complex requests completed within 60 days
• No fees for standard rights requests
• Appeal process for denied requests

Regulatory Authorities

Ghana:

Data Protection Commission (DPC)
P.O. Box CT 7197, Cantonments, Accra
Email: info@dataprotection.org.gh

You have the right to lodge complaints with relevant data protection authorities in your country of residence

Policy Updates & User Notification

This Privacy Policy is reviewed quarterly and updated as necessary to reflect changes in our practices, services, or legal requirements. Significant changes will be communicated through:

Email Notification

30 days before changes take effect

Platform Notification

In-app banners and announcements

Version Control

Archive of previous versions available

Current Version Effective Date: 1 March 2026
Next Scheduled Review: 1 June 2026

NoxManage Comprehensive Privacy Policy

Protecting Your Data Across the NoxMall Ecosystem

🔒 Ghana Data Protection Act 2012 Compliant🌍 21 African Countries Coverage🛡️ Enterprise-Grade Security

📜

Comprehensive Privacy Commitment

1. Comprehensive Data Collection: Categories & Purposes

Identity & Verification Data

Required for Account Creation

•Full Legal Name: As appears on government-issued identification
•Date of Birth: For age verification and compliance purposes
•Nationality & Residency: For tax and regulatory compliance
•Government ID Numbers: Ghana Card or equivalent national identification

Business Verification Data

•Business Registration: Certificate of incorporation/registration
•Tax Identification: Taxpayer identification numbers
•Business Address: Physical location verification
•Beneficial Ownership: For corporate entities as per anti-money laundering regulations

Contact & Communication Data

Primary Contact

• Verified email addresses
• Mobile phone numbers (SMS verified)
• Alternative contact numbers

Business Communications

• Customer service interactions
• Transaction notifications
• Marketing preferences

Location Data

• Store location coordinates
• Delivery/service areas
• IP address for security

Financial & Transaction Data

Payment Information

•Bank Account Details: For earnings transfers and payouts
•Mobile Money Accounts: MTN, Vodafone, AirtelTigo registered numbers
•Payment History: Complete transaction records
•Settlement Records: Earnings and commission calculations

Business Operations

•Product/Service Listings: Inventory and catalog data
•Customer Interactions: Order history and communication logs
•Performance Metrics: Sales analytics and business insights
•Dispute Records: Resolution documentation and evidence

2. Third-Party Service Providers: Detailed Integration Framework

Core Service Providers & Data Flow

Authentication & Infrastructure Services

🔥

Google Firebase

Primary Functions:

• User authentication and session management
• Encrypted document storage (IDs, certificates)
• Real-time database for transaction processing
• Analytics data processing (anonymized)

Data Location: May be stored in US/EU regions with encryption

☁️

Amazon Web Services

Primary Functions:

• Primary application hosting and infrastructure
• Backup and disaster recovery systems
• Content delivery network services
• Email server infrastructure

Data Location: Regional data centers with local compliance

Payment & Financial Services

💳

Paystack (Flutterwave)

Data Shared:

• Transaction amount and currency
• Customer email (for receipts)
• Merchant identification codes
• Payment method details (tokenized)

Compliance: PCI-DSS Level 1 Certified

📱

Mobile Money Providers

Providers:

• MTN Mobile Money Ghana
• Vodafone Cash Ghana
• AirtelTigo Money Ghana
• Country-specific mobile money operators

Data Shared: Transaction reference numbers only

Communication & Analytics Services

✉️

Twilio & SendGrid

Functions:

• SMS notifications for transactions
• Email marketing and updates
• Two-factor authentication codes
• Customer service communications

Data Shared: Phone numbers and email addresses only

📊

Google Analytics

Data Collected:

• Anonymized usage statistics
• Platform performance metrics
• User interaction patterns (aggregated)
• Feature adoption rates

No personally identifiable information shared

3. Data Retention: Detailed Schedule & Protocols

Data Category	Retention Period	Legal Basis	Post-Retention Action
Account Registration Data	5 years after last activity	Contract fulfillment & legal claims	Secure deletion with 7-pass overwrite
Financial Transactions	10 years	Ghana Revenue Authority requirements	Archived with military-grade encryption
Identity Documents	90 days after verification	KYC/AML compliance	Only encrypted hash retained
Communication Logs	3 years	Dispute resolution & quality assurance	Anonymization after 1 year
Marketing Data	Until consent withdrawal	User consent	Immediate deletion upon request
Backup Data	90 days	Business continuity	Automatic secure deletion

Data Deletion Protocols

Standard Deletion Process

• Automated data lifecycle management
• Secure overwrite of storage media
• Verification of complete deletion
• Third-party data deletion requests

Emergency Deletion

• Immediate processing for legal requests
• 24-hour response for security incidents
• Certificate of data destruction provided
• Audit trail maintained for compliance

4. International Data Transfers: Comprehensive Safeguards

Transfer Mechanisms & Legal Frameworks

Standard Contractual Clauses (SCCs)

• EU-approved data transfer agreements
• Comprehensive data protection commitments
• Third-party beneficiary rights
• Regular compliance audits

Binding Corporate Rules (BCRs)

• Internal data protection policies
• Consistent standards across NoxMall entities
• Employee training and certification
• Cross-border compliance monitoring

Country-Specific Compliance

Ghana

Data Protection Act 2012 compliance with DPC registration

Nigeria

Nigeria Data Protection Regulation (NDPR) 2019 alignment

Kenya

Data Protection Act 2019 & Office of the Data Protection Commissioner

5. Advanced Security Measures: Multi-Layered Protection

Technical Security Controls

Encryption Implementation

• AES-256 encryption for data at rest
• TLS 1.3 with perfect forward secrecy for data in transit
• End-to-end encryption for sensitive communications
• Hardware Security Modules (HSMs) for key management
• Quantum-resistant cryptography protocols

Network & Infrastructure Security

• Web Application Firewalls with machine learning
• Distributed Denial of Service (DDoS) protection
• Intrusion Detection & Prevention Systems (IDPS)
• Regular penetration testing by CREST-certified firms
• Zero-trust network architecture

Organizational Security Measures

Access & Identity Management

• Multi-factor authentication (MFA) for all accounts
• Role-Based Access Control (RBAC) with least privilege
• Biometric authentication for high-privilege operations
• Regular access right reviews and recertification
• Session management and timeout controls

Monitoring & Incident Response

• 24/7 Security Operations Center (SOC) monitoring
• Security Information & Event Management (SIEM)
• Automated threat detection and response
• Breach notification procedures within 72 hours
• Digital forensics and investigation capabilities

6. Your Rights: Comprehensive Exercise Procedures

Right to Access & Portability

Data Access Request

Submit request through account settings or email to dpo@noxmanage.com

Processing Timeline

Response within 30 days, complex requests may take up to 60 days

Format Options

CSV, JSON, PDF, or other machine-readable formats

Right to Rectification & Erasure

Correction Requests

Self-service updates for non-critical data via account dashboard

Document Verification

Identity corrections require supporting documentation

Deletion Process

Complete data deletion within 30 days, except where legal obligations require retention

Right to Restriction & Objection

Processing Restrictions

• Temporary suspension of data processing
• Verification of data accuracy periods
• Legal claim evaluation periods
• Objection evaluation periods

Automated Decision Objection

• Human review of automated decisions
• Explanation of algorithmic logic
• Opportunity to provide additional information
• Appeal process for automated decisions

Data Protection Office

Email: dpo@noxmanage.com

Phone: +233 50 250 3934

Address: Data Protection Office, NoxManage Ltd., Accra Digital Center, Ring Road Central, Accra, Ghana

Office Hours: Monday-Friday, 8:30am-5:00pm GMT

Response Commitments

• Request acknowledgment within 24 hours
• Substantive response within 30 calendar days
• Complex requests completed within 60 days
• No fees for standard rights requests
• Appeal process for denied requests

Regulatory Authorities

Ghana:

Data Protection Commission (DPC)
P.O. Box CT 7197, Cantonments, Accra
Email: info@dataprotection.org.gh

You have the right to lodge complaints with relevant data protection authorities in your country of residence

Policy Updates & User Notification

This Privacy Policy is reviewed quarterly and updated as necessary to reflect changes in our practices, services, or legal requirements. Significant changes will be communicated through:

Email Notification

30 days before changes take effect

Platform Notification

In-app banners and announcements

Version Control

Archive of previous versions available

Current Version Effective Date: 1 March 2026
Next Scheduled Review: 1 June 2026