1. Introduction
Cauta Solutions Group Limited ("we", "us", or "our"), a company incorporated in Ghana with its registered office in Accra, Ghana, operates the CautaReside facility management platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, website, and mobile applications.
This Privacy Policy is drafted in accordance with the Data Protection Act, 2012 (Act 843) of the Republic of Ghana and is subject to the oversight of the Ghana Data Protection Commission (DPC).
By accessing or using CautaReside, you agree to this Privacy Policy. If you do not agree, please discontinue use of our services.
1.1 Data Controller and Processor
The facility (estate, residential complex, or property management entity) that subscribes to CautaReside is the data controller — it determines the purposes and means of processing personal data of its residents, staff, and visitors. Cauta Solutions Group Limited acts as a data processor, processing personal data on behalf of and under the instructions of the facility, in accordance with Section 1 of Act 843.
Cauta Solutions Group Limited is registered with the Ghana Data Protection Commission as a data processor. Facility administrators (data controllers) are responsible for registering their own data processing activities with the DPC where required under Section 46 of Act 843, and for ensuring that data entered into the platform is collected and used in compliance with applicable data protection laws.
1.2 Data Protection Supervisor
Cauta Solutions Group Limited has designated a Data Protection Supervisor responsible for overseeing compliance with Act 843 and coordinating with the Ghana Data Protection Commission. For data protection inquiries or complaints, contact our Data Protection Supervisor at privacy@cautareside.com.
2. Information We Collect
2.1 Information You Provide
- Account information: name, email address, phone number, and password when you create an account.
- Facility data: estate/facility name, address, unit details, and configuration settings.
- Resident and staff records: names, contact details, unit assignments, and role information entered by facility administrators.
- Financial data: billing accounts, charges, payment records, and invoicing details managed within the platform.
- Communications: messages sent through broadcast features, maintenance requests, and contact form submissions.
- Vehicle information: license plate numbers and vehicle details for parking permit management.
- Visitor records: visitor names, contact details, and check-in/check-out times.
2.2 Information Collected Automatically
- Usage data: pages visited, features used, and actions taken within the platform.
- Device information: browser type, operating system, device type, and screen resolution.
- Log data: IP addresses, access times, and referring URLs.
- Cookies and similar technologies: session cookies for authentication and preferences.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the CautaReside platform.
- Process transactions and manage billing accounts.
- Send notifications by email, SMS, Telegram, and push, as configured by facility administrators.
- Generate parking permits, visitor passes, and related documents.
- Provide customer support and respond to inquiries.
- Monitor and analyze usage to improve our services.
- Detect, prevent, and address security issues and fraud.
- Comply with legal obligations.
3.1 Legal Basis for Processing
Under Act 843, we process personal data on the following lawful bases (Sections 18–20):
- Performance of a contract: processing necessary to provide the CautaReside platform as agreed in the subscription terms (e.g., billing, permit issuance, visitor management).
- Consent: where explicitly obtained — for example, when a resident opts in to receive Telegram or SMS notifications, or when a facility administrator enables AI-powered features.
- Legitimate interest: processing necessary for security monitoring, fraud prevention, audit logging, and platform improvement, where such interests are not overridden by the data subject's rights.
- Legal obligation: processing required to comply with applicable Ghanaian laws, regulations, or court orders.
3.2 Sensitive Personal Data
The platform may process certain categories of sensitive personal data as defined under Section 37 of Act 843, including:
- National identification numbers (Ghana Card, passport, driver's licence) — collected during visitor check-in and resident registration for identity verification purposes.
- Photographs of identification documents — captured optionally during walk-in visitor check-in for security records.
This data is processed only with the data subject's knowledge and for the specific purpose of facility security. Facility administrators are responsible for ensuring that appropriate consent is obtained before collecting sensitive personal data through the platform.
4. Data Sharing and Disclosure
We do not sell your personal information. We may share data in the following circumstances:
- Within your facility: Facility administrators can view and manage data for users within their estate as required for facility operations.
- Service providers: We use third-party services for email delivery (SMTP), SMS, Telegram messaging, payment processing (Paystack, Hubtel), and push notifications (Firebase). These providers only receive the data necessary to perform their services.
- Cloud sync: For facilities using on-premise deployments (a custom feature available only by separate arrangement), data is synced to the central cloud server as configured by the facility administrator.
- Legal requirements: We may disclose information if required by law, regulation, or legal process.
5. Data Storage and Security
Your data is stored on secure servers. We implement industry-standard security measures, including:
- Encryption in transit (TLS/HTTPS) for all communications.
- Industry-standard password hashing algorithms.
- Secure session management with encrypted, HTTP-only cookies.
- Cross-site request forgery (CSRF) protection on all state-changing operations.
- Role-based access control to limit data access.
- Rate limiting and brute-force protection.
- Input validation and sanitisation to prevent injection attacks.
- Automated daily database backups.
- Comprehensive audit logging of all significant actions.
- Webhook signature verification for all third-party integrations.
5.1 Data Breach Notification
In the event of a data breach that affects your personal data, we will notify affected facility administrators without undue delay, and no later than 72 hours after becoming aware of the breach. The notification will include the nature of the breach, the categories and approximate number of records affected, and the measures taken or proposed to address the breach. Facility administrators are responsible for notifying affected individuals as required by applicable law.
6. Data Retention
We retain your data for as long as your account is active or as needed to provide services. Facility administrators may delete records within the platform. Upon account termination, we will delete or anonymize your data within 90 days, unless retention is required by law.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data.
- Object to or restrict certain processing.
- Export your data in a portable format.
- Withdraw consent where processing is based on consent.
Under Section 34 of Act 843, you also have the right to compensation for damage suffered as a result of unlawful processing of your personal data.
To exercise these rights, contact our Data Protection Supervisor at privacy@cautareside.com. If you are not satisfied with our response, you have the right to lodge a complaint with the Ghana Data Protection Commission:
8. Cookies
We use essential cookies for authentication and session management. These cookies are strictly necessary for the platform to function and cannot be disabled. We do not use advertising or tracking cookies.
9. Third-Party Services
Our platform integrates with the following third-party services, each of which receives only the data necessary to perform its function:
- Paystack — for online payment processing.
- Hubtel — for mobile money payment processing.
- Telegram — for Telegram bot notifications.
- SMS providers — for SMS notifications (provider varies by region).
- Firebase (Google) — for push notifications.
- Anthropic — for optional AI-powered features, where enabled (see section 10).
Each service has its own privacy policy. We encourage you to review their policies.
10. AI and Automated Processing
The platform may include optional AI-powered features for facility administrators. When enabled:
- User queries and relevant facility context may be sent to Anthropic's API for processing.
- We do not use your facility data to train AI models. Anthropic's commercial API terms prohibit use of input data for model training.
- AI conversation history (user queries and assistant responses) is stored in the platform database to allow users to review past interactions. Conversations can be deleted by the user at any time.
- Facility administrators can enable or disable AI features at any time via module settings.
- AI features are not exposed to residents or tenants — they are internal management tools only.
11. Children's Privacy
CautaReside is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children.
12. International Data Transfers
Your data may be processed in countries other than your country of residence. Specifically:
- Push notifications (Firebase/Google) — notification tokens and delivery metadata may be processed in the United States and other countries where Google operates data centres.
- AI features (Anthropic) — when enabled by the facility administrator, user queries and relevant facility context are sent to Anthropic's API servers in the United States for processing.
- Payment processing (Paystack, Hubtel) — transaction data is processed within their respective infrastructure, which may include servers outside Ghana.
In accordance with Act 843, we ensure that each third-party processor provides a level of protection for personal data that is adequate and consistent with Ghana's data protection standards. We achieve this through:
- Contractual obligations requiring the processor to protect data to at least the standard required by Act 843.
- Selecting processors who maintain industry-standard security certifications (SOC 2, ISO 27001, or equivalent).
- Limiting the data transferred to the minimum necessary for the specific function.
Where a sub-processor is not domiciled in Ghana, Cauta Solutions Group Limited ensures that the sub-processor complies with the relevant laws of its country, as required by Act 843.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes at least 30 days in advance by posting the updated policy on our website with a revised "Last updated" date and notifying facility administrators by email.
14. Contact Us
If you have questions about this Privacy Policy, contact us at: