Privacy Policy

We use your information to create and maintain your CediDrop account, authenticate your identity during login, manage your profile settings, and process loan applications from submission through approval, disbursement, and ongoing account servicing.

We process identity documents, facial images, and related verification data to confirm that you are who you claim to be, satisfy Know Your Customer (KYC) obligations, and comply with anti-money laundering and fraud-prevention requirements applicable to financial services in Ghana.

We analyse information you provide together with relevant device, application, and financial signals — including permitted SMS data — to evaluate your credit profile, repayment capacity, and overall lending risk, and to determine whether you qualify for a loan and under what terms.

We use personal and technical data to detect suspicious activity, prevent duplicate or fraudulent applications, identify anomalous device or location patterns, and protect both individual users and the integrity of the CediDrop platform from misuse or unauthorised access.

We process your bank or mobile-wallet account details and transaction-related information to transfer approved loan amounts to your nominated account, track repayment schedules, send payment reminders, and manage collections in accordance with your loan agreement.

We use your contact information and account records to respond to enquiries, resolve complaints, provide technical assistance, and send service-related notifications that are necessary for the proper functioning of your account and our lending services.

We may analyse aggregated usage patterns and performance data to troubleshoot technical issues, improve app stability, refine user experience, and enhance the quality and reliability of CediDrop's features and lending processes.

We process and retain certain information as necessary to comply with obligations under Ghanaian law, respond to lawful requests from regulators and government authorities, enforce our terms of service, and defend our legal rights in connection with disputes or investigations.

Assess your financial profile and determine whether you meet the eligibility criteria for a loan based on the information and signals available at the time of application.

Calculate appropriate loan amounts, interest rates, fees, and repayment schedules based on your assessed risk profile and our internal lending policies.

Identify applications that exhibit patterns consistent with potential fraud, identity misuse, or other high-risk behaviour, triggering further review or rejection where warranted.

We may disclose information when required by applicable laws in Ghana, valid court orders, regulatory instructions, or lawful requests from authorised government or law-enforcement bodies.

We may share limited information where reasonably needed to investigate fraud, enforce our terms, protect CediDrop users, or defend our legal rights and platform security.

Whenever personal information travels between your device and our servers — whether during registration, loan applications, identity verification, or account management — it is protected using industry-standard TLS encryption. This helps guard against interception, eavesdropping, and tampering while data is in transit across networks.

Personal data is hosted on controlled, access-restricted infrastructure and protected with AES-256 encryption where appropriate. By encrypting stored information, we aim to ensure that even in the unlikely event of unauthorised system access, the data remains difficult to read or exploit without proper decryption keys.

Access to personal information is limited to authorised employees, contractors, and partners who require such access to perform their duties. We apply role-based access principles, maintain activity logs, and review access patterns to detect and respond to inappropriate or unauthorised use of customer data.

We employ secure authentication and session management mechanisms to help verify user identity and protect accounts from unauthorised login attempts. These measures are designed to reduce the risk of account takeover and to ensure that sensitive actions within CediDrop are performed by the legitimate account holder.

Our security posture is maintained through ongoing monitoring, periodic risk assessments, penetration testing, and vulnerability scanning. When potential weaknesses are identified, we take reasonable steps to investigate, remediate, and strengthen our systems in a timely manner.

For as long as you maintain an active CediDrop account or continue to use our services, we retain the personal information needed to manage your profile, process loan applications, facilitate disbursements and repayments, communicate with you, and maintain the security and integrity of our platform. You may request account closure at any time, subject to applicable legal and contractual requirements.

Once your account is closed, we generally initiate deletion or anonymisation of personal data within 30 days, unless we are legally required or reasonably permitted to retain certain records for longer. Examples of extended retention may include information needed for tax reporting, financial audits, fraud investigations, dispute resolution, or compliance with regulatory obligations.

In some circumstances, we must keep specific categories of data for extended periods to comply with Ghanaian laws, directives from regulatory authorities, valid court orders, or formal requests from government agencies. When such retention applies, we limit the data to what is strictly necessary and protect it with appropriate security measures for the duration of the legal requirement.

We conduct periodic reviews of the information we store to determine whether it remains relevant, accurate, and necessary for our business operations and legal obligations. Data that is no longer required is securely deleted or anonymised using methods designed to make recovery impractical, while ensuring that essential records are preserved where retention is mandated by law.

You have the right to request confirmation of whether we process your personal information and, where we do, to obtain meaningful details about the categories of data held, the purposes of processing, the recipients or categories of recipients, and the retention period, subject to applicable legal limitations and identity verification requirements.

If you believe that any personal information we hold about you is inaccurate, incomplete, or no longer up to date, you may request that we correct or supplement the relevant records. We will review your request and take reasonable steps to update the information where appropriate and permitted by law.

In certain circumstances, you may request the deletion of your personal information — for example, where the data is no longer necessary for the purposes for which it was collected, where you withdraw consent and no other legal basis applies, or where the processing is found to be unlawful. Deletion requests may be subject to exceptions where retention is required by law or for legitimate business purposes such as fraud prevention. Registered CediDrop users may also submit an account closure request after identity verification.

Where processing is based on legitimate interests or certain other legal grounds, you may have the right to object to specific processing activities based on your particular situation. We will assess such objections in accordance with applicable law and inform you of the outcome, including whether we are required or permitted to continue processing your data.