Privacy Policy
How FuturePath collects, uses, and protects your personal data in accordance with the Data Protection Act, 2012 (Act 843) of the Republic of Ghana.
Contents
- Introduction
- Data controller
- Definitions
- Who this policy applies to
- Personal data we collect
- Purposes of processing
- Legal bases for processing
- Data protection principles
- Disclosure to third parties
- Foreign transfer of personal data
- Retention and deletion
- Security safeguards
- Cookies and similar technologies
- Your rights as a data subject
- Consent and its withdrawal
- Processing of children's data
- Breach notification
- Changes to this policy
- Contact and complaints
1. Introduction
FuturePath (“we”, “us”, or “the Company”) provides an online platform that helps students explore universities, submit applications, upload supporting documents, book consultations with advisors, and communicate with our team (the “Service”). This Privacy Policy explains what personal data we collect when you use the Service, why we collect it, how we use and protect it, and the rights you have over it.
This Policy is issued in accordance with the Data Protection Act, 2012 (Act 843) of the Republic of Ghana and reflects the related requirements of the Electronic Transactions Act, 2008 (Act 772), the Cybersecurity Act, 2020 (Act 1038), and the Children's Act, 1998 (Act 560). By using the Service, you confirm that you have read and understood this Policy.
2. Data controller
- Name: FuturePath
- Registered address: Sunyani, Ghana
- Email: [email protected]
- Phone: [to be provided]
- Data Protection Officer (DPO): reachable at the email above, subject line “Data Protection”.
- Registration: where required by sections 46–55 of Act 843, the Company is registered with the Data Protection Commission of Ghana. The registration certificate number is available on request.
3. Definitions
Unless stated otherwise, the terms below carry the meanings given in section 96 of Act 843:
- Personal data — data about an individual who can be identified from the data, or from the data together with other information in the possession of, or likely to come into the possession of, the data controller.
- Processing — any operation carried out on personal data, whether automated or not, including collection, organisation, retrieval, use, disclosure, erasure, or destruction.
- Special personal data — data revealing race, colour, ethnic origin, political opinion, religious or philosophical belief, trade union membership, physical or mental health, sex life, or criminal behaviour (section 37 of Act 843).
- Data subject — the individual to whom personal data relates.
- Foreign transfer — transmission of personal data to a recipient located outside Ghana.
4. Who this policy applies to
- Visitors to our website.
- Registered users (students and applicants) and, where applicable, their parents or guardians.
- Advisors, counsellors, and contractors engaged by the Company.
- Persons who contact us through forms, email, telephone, or messaging channels.
5. Personal data we collect
We collect only data that is adequate, relevant, and not excessive for the purpose for which it is processed.
- Identification data: full name, date of birth, nationality, Ghana Card / passport details as they appear on documents you submit.
- Contact data: email address, telephone number, postal address, messaging-app identifiers.
- Account data: username, password (stored as a one-way hash), login and authentication logs.
- Academic and application data: educational history, transcripts, test scores, essays, references, target universities and programmes, application status.
- Uploaded documents: certificates, diplomas, recommendation letters, financial statements, and other files you upload.
- Communication data: messages to advisors, contact-form submissions, consultation notes.
- Technical data: IP address, browser and device identifiers, operating system, referring URL, timestamps, and usage events.
- Payment data: transaction status and masked card or mobile-money details received from the payment provider; full card numbers are not stored by us.
We do not intentionally collect special personal data. Where such data appears in documents you upload (for example, a medical certificate), it is processed only with your explicit consent and only to the extent needed for the agreed purpose, as required by section 37 of Act 843.
6. Purposes of processing
- Creating and managing your account and delivering the Service you request;
- Matching you with advisors, scheduling consultations, and facilitating communication;
- Preparing, reviewing, and transmitting application materials to universities and admissions partners you choose;
- Sending transactional messages (for example, password resets, booking confirmations, application updates);
- Responding to enquiries and providing customer support;
- Complying with obligations under Ghanaian law, including tax, accounting, anti-money-laundering, and consumer-protection requirements;
- Securing the Service, preventing fraud or abuse, and enforcing our Terms of Service;
- Improving the Service through analytics on aggregated or anonymised data;
- Sending you news, educational content, and marketing messages where you have separately opted in.
7. Legal bases for processing
We rely on one or more of the lawful grounds set out in section 20 of Act 843:
- Consent of the data subject;
- Performance of a contract to which the data subject is a party, or to take steps at the data subject's request before entering into a contract;
- Compliance with a legal obligation to which we are subject;
- Protection of the vital interests of the data subject;
- Performance of a task carried out in the public interest or in the exercise of official authority;
- Legitimate interests pursued by us or a third party, except where those interests are overridden by the rights and freedoms of the data subject.
8. Data protection principles
We apply the eight principles set out in sections 17–27 of Act 843:
- Accountability — we take responsibility for the personal data we hold.
- Lawfulness of processing — we process data only on a valid legal basis.
- Specification of purpose — we collect data for specific, explicitly defined, and lawful purposes.
- Compatibility of further processing — we do not further process data in a way that is incompatible with those purposes.
- Quality of information — we take reasonable steps to keep data accurate, complete, and up to date.
- Openness — we are transparent about what data we hold and why, including through this Policy.
- Data security safeguards — we apply appropriate technical and organisational measures.
- Data subject participation — we uphold your rights to access, correct, and otherwise control your data.
9. Disclosure to third parties
We do not sell personal data. We disclose it only where necessary for the stated purposes and on a lawful basis. Recipients may include:
- universities, admissions bodies, and educational partners chosen by you;
- assigned advisors and counsellors, acting under a confidentiality obligation;
- service providers we engage for hosting, email and SMS delivery, analytics, customer support, and payment processing, who act on our written instructions and are required to maintain appropriate security;
- professional advisers (auditors, lawyers) under a duty of confidentiality;
- public authorities, regulators, and courts where disclosure is required by law or to establish, exercise, or defend legal claims.
10. Foreign transfer of personal data
Because the Service helps you apply to institutions and engage providers outside Ghana, personal data may be transferred to recipients in other countries. In accordance with section 47 of Act 843, we will transfer personal data outside Ghana only where at least one of the following applies:
- the recipient is subject to a law, binding corporate rules, or a binding agreement that provides an adequate level of protection comparable to Act 843;
- the transfer is necessary for the performance of a contract with you, or for pre-contractual steps taken at your request (for example, submitting your application to a university);
- the transfer is necessary for the conclusion or performance of a contract concluded in your interest;
- the transfer is for your benefit and it is not reasonably practicable to obtain your consent, and if it were, you would be likely to give it; or
- you have given your explicit consent to the transfer after being informed of the possible risks.
11. Retention and deletion
As required by section 24 of Act 843, we keep personal data only for as long as is necessary for the purpose for which it was collected, unless a longer period is required by law. Indicative periods:
- account and service data — for the term of the agreement and up to 6 (six) years after termination, consistent with the general limitation period for contract claims in Ghana;
- application documents — for the duration of the admissions cycle and up to 1 (one) year after its completion, unless you request earlier deletion;
- accounting, tax, and payment records — 6 (six) years, in line with the Companies Act, 2019 (Act 992) and the Revenue Administration Act, 2016 (Act 915);
- records of consent and communications — for the term of the relationship plus 6 (six) years.
After the applicable period, or upon a valid deletion request, we will securely erase or anonymise the data unless we are required to retain it by law or to establish, exercise, or defend legal claims.
12. Security safeguards
In line with section 28 of Act 843 and the requirements of the Cybersecurity Act, 2020 (Act 1038), we apply reasonable technical and organisational measures to protect personal data against loss, damage, unauthorised access, alteration, and disclosure, including:
- encrypted connections (HTTPS/TLS) for data in transit;
- hashed passwords and role-based access controls;
- restriction of access to staff and contractors who need it, subject to confidentiality undertakings;
- logging of system activity and monitoring for anomalies;
- regular backups, patching, and vulnerability management;
- staff training and periodic review of the effectiveness of our controls.
No online system is fully secure, so we cannot guarantee absolute security. Please use a strong, unique password and notify us immediately if you suspect unauthorised use of your account.
13. Cookies and similar technologies
We use strictly necessary cookies to keep you signed in and protect against cross-site request forgery. With your consent, we also use analytics and preference cookies to understand how the Service is used and to remember your settings. You can accept or reject non-essential cookies through our cookie banner and can withdraw consent at any time through your browser settings. Where data collected via cookies allows you to be identified directly or indirectly, it is treated as personal data under this Policy.
14. Your rights as a data subject
Under sections 32–41 of Act 843 you have the right to:
- be informed about the collection and use of your personal data (this Policy);
- access the personal data we hold about you and receive a copy;
- request the correction, completion, updating, or deletion of inaccurate, incomplete, misleading, or out-of-date data;
- object to the processing of your personal data on reasonable grounds, including processing for direct marketing;
- prevent the use of your data for direct marketing at any time, free of charge;
- not be subject to a decision based solely on automated processing that significantly affects you, without a right to request human review;
- withdraw any consent you have given;
- complain to the Data Protection Commission if you believe your rights have been infringed.
To exercise any of these rights, please contact us using the details in section 19 below. We may ask for information to verify your identity. We will respond within a reasonable period and in any event no later than 40 days from receipt of a valid request, as provided by section 35 of Act 843. Where permitted, a fee may be charged in accordance with the Data Protection (Fees and Charges) Regulations.
15. Consent and its withdrawal
Where we rely on your consent, it is given freely, specifically, and on the basis of clear information. You may withdraw consent at any time by writing to the contact details below. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Separate explicit consent is obtained where required by law, for example for special personal data or for certain foreign transfers.
After you withdraw consent, we will stop the relevant processing and delete or anonymise the data within a reasonable period, unless we have another lawful basis to continue (such as complying with a legal obligation or defending a legal claim), in which case processing is limited to that basis.
16. Processing of children's data
Under the Children's Act, 1998 (Act 560), a child is any person below the age of 18. The Service is intended for users aged 18 and above, and for applicants aged 13–17 acting with the consent of a parent or guardian. We do not knowingly collect personal data from a child under 13. If you become aware that a child's data has been provided without appropriate parental or guardian consent, please contact us and we will delete it.
17. Breach notification
In the event of a personal data breach that is likely to cause harm to affected data subjects, we will, in line with section 31 of Act 843 and the Cybersecurity Act, 2020, notify the Data Protection Commission and, where required, the affected data subjects, as soon as reasonably practicable after becoming aware of the breach, and take appropriate steps to contain and remediate it.
18. Changes to this policy
We may update this Policy from time to time. The current version is always available on this page with the “Last updated” date. Where changes are material, we will also notify registered users by email or through an in-product message. Continued use of the Service after the effective date of the changes constitutes acceptance of the updated Policy.
19. Contact and complaints
For any question about this Policy, to exercise your rights, or to withdraw consent, please contact our Data Protection Officer:
- Email: [email protected] (subject: “Data Protection”)
- Postal address: Sunyani, Ghana
- Online form: contact us.
You also have the right to lodge a complaint with the supervisory authority:
- Data Protection Commission of Ghana, No. 33 Boundary Road, East Legon, Accra. Website: www.dataprotection.org.gh.