Privacy First

Your Privacy, Our Responsibility

We handle your financial data with the highest level of care. This policy explains exactly what we collect, why we collect it, and how we protect it.

Last updated: April 8, 2026
Effective: April 23, 2026

Overview

SnappX is a digital savings platform designed for Ghanaians. We operate under Ghanaian data protection laws and are committed to handling your personal information responsibly and transparently.

This Privacy Policy applies to all SnappX services, including our web application and APIs. By creating a SnappX account, you agree to the practices described in this policy.

🔐 Key commitment: Your Mobile Money number is never stored in plain text. We encrypt it at rest and store only a one-way cryptographic hash for identity matching, meaning even our engineers cannot read your MoMo number.

Data We Collect

We collect only the information necessary to provide our savings services and comply with Ghanaian financial regulations.

Account & Identity Information

  • Full legal name (as registered on your MoMo account)
  • Email address
  • Date of birth (for age verification)
  • Ghana POST Digital Address
  • User type (student or worker)

Payment & MoMo Details

  • Mobile Money provider (MTN, Telecel, or AirtelTigo)
  • Mobile Money phone number (stored encrypted, never in plain text)
  • Name registered on the MoMo account

KYC / Identity Verification (Group Admins Only)

  • Ghana Card front and back images
  • Live selfie photo
  • All KYC documents are stored in private, access-controlled cloud storage with time-limited signed URLs

📱 Transaction Data

Contribution records, payout history, wallet top-ups, and cash-out requests

📊 Usage Data

App interactions, feature usage, and session information for improving your experience

🔔 Communication Data

OTP delivery logs, email notification preferences, and in-app notification history

🛡️ Security Logs

Login attempts, IP addresses, and audit trail for all financial actions

What We Do NOT Collect

  • Your MoMo PIN or bank account passwords. We never ask for these.
  • Social media profiles or browsing history.
  • Contact lists or device files.

How We Use Your Data

  • To create and maintain your SnappX account
  • To process group contributions and trigger payouts via Paystack to your registered MoMo number
  • To verify your identity via OTP before sensitive actions (phone verification, password reset, MoMo number changes)
  • To enforce contribution deadlines and send goal reminders via email
  • To generate your personalized savings analytics dashboard
  • To detect and prevent fraud, abuse, and unauthorized access using rate limiting and audit logs
  • To comply with Anti-Money Laundering (AML) regulations applicable to Ghanaian fintech operators
  • To provide in-app AI financial coaching. Your chat messages are processed in real time and are not stored permanently

⚠️ We do not use your data for advertising or sell it to marketing companies. SnappX products are completely ad-free and your data is never monetized for third-party marketing purposes.

Storage & Security

Your data is stored on Neon PostgreSQL with TLS 1.3 in transit. Sensitive fields like your Mobile Money number are additionally protected with application-level AES-256 field encryption and a one-way salted hash, meaning database access alone is not sufficient to expose your financial identifiers.

How we protect your MoMo number

Your MoMo number is processed through a two-layer security model: the raw number is encrypted using AES-256 via our field-level encryption library before database storage. A separate salted SHA-256 one-way hash is stored for fast identity matching (login, uniqueness checks). This means even in the event of a database breach, your MoMo number cannot be recovered by any party.

KYC Document Security

Ghana Card images and selfies uploaded during KYC verification are stored in a private-type Cloudinary bucket. These files are never publicly accessible. Admin access generates time-limited signed URLs (30-minute expiry) that are not shareable or cacheable.

Authentication Security

  • JWT access tokens expire after 5 minutes; refresh tokens after 30 days
  • OTP codes for phone verification expire after 10 minutes and are single-use (invalidated immediately after successful verification)
  • Repeated failed login attempts trigger automatic lockouts with 30-minute cooldown periods
  • All state-changing requests (contributions, cashouts, profile updates) require a unique idempotency key to prevent duplicate transactions

Sharing Your Data

We share your data only with trusted service providers who are contractually bound to protect it:

💳 Paystack

Processes all MoMo transfers for group payouts and cashouts. We share your name, MoMo number, and provider for transfer recipient creation.

📸 Cloudinary

Stores your profile picture and KYC documents in private, encrypted cloud storage accessible only to authorized SnappX staff.

📨 SendGrid

Delivers transactional emails including OTP codes, payout notifications, and goal reminders to your registered email address.

📲 Dawurobo

Delivers SMS OTP codes to your MoMo number for phone verification. Only your phone number is shared for this purpose.

We do not share your data with group members beyond what is necessary for group management. Other members can see your display name and contribution status within shared groups, but never your MoMo number or personal financial details.

Your Rights

Under Ghana's Data Protection Act (2012), you have the following rights:

  • Right of Access: Under Sections 32 and 35 of the Act, you have the right to request confirmation of whether we hold personal data about you, a description of that data, and the purpose for which it is being processed. We are required to comply within 40 days of receiving your request. We may ask you to verify your identity before responding. A prescribed fee may apply.
  • Right to Correction and Deletion: Under Sections 33 & 44, you may request that we correct or delete personal data about you that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully. You may also request deletion of records we no longer have authorization to retain. We will either comply or provide you with credible evidence justifying why the data is accurate. Where we correct data, we are required to notify any third parties to whom it was previously disclosed.
  • Right to Object to Processing: Under Sections 20(2) & 39, you may at any time give us written notice requiring us to stop processing your personal data if that processing is causing or is likely to cause you unwarranted damage or distress. We must respond within 21 days, either confirming compliance or stating our reasons for not complying. Under Section 20(2), a general right to object to processing also exists unless the processing is required by law or contract.
  • Right to Complain to the Data Protection Commission: Under Section 77, you may request the Data Protection Commission (DPC) to assess whether our processing of your data complies with Act 843. The Commission may investigate and issue an enforcement notice requiring us to comply.

To exercise any of these rights, email us at info@snappx.app with the subject line 'Data Rights Request'. We will respond within 30 days.

Data Retention

  • Account data: Retained for the lifetime of your account, plus 90 days after deletion request
  • Financial transaction records (LedgerEntries): Retained for 7 years in compliance with Ghanaian financial regulations. These are immutable audit records and cannot be deleted on request
  • KYC documents: Retained for 5 years after account closure
  • OTP records: Purged immediately upon invalidation
  • AI chat messages: Not stored, processed in real-time only

Cookies

We use only essential session cookies required for authentication. We do not use advertising cookies, tracking pixels, or third-party analytics that send your data to external companies.

  • Auth session cookie: Stores your login session securely (HttpOnly, Secure, SameSite=Strict)
  • Theme preference: Stores your dark/light mode preference locally, never sent to our servers

Policy Changes

When we make material changes to this policy, we will notify you via email and via in-app notification at least 14 days before the changes take effect. Continued use of SnappX after that date constitutes acceptance of the updated policy.

Contact Us

For privacy-related questions, data requests, or to report a concern, reach our Data Protection Officer through any of the channels below:

Privacy Enquiries
Support Line
Registered Address
Adenta, Accra, Ghana