Privacy Policy

How we handle your data

Privacy Policy

Effective: May 07, 2026

PRIVACY POLICY

Effective Date: May 07, 2026

1. Introduction

This Privacy Policy describes how RetailMind AI, operated by Amuzara AI ("Company," "we," "us," or "our"), collects, uses, processes, stores, and protects personal and business information when Users access the System.

By registering for and using the System, Users consent to the practices described in this Policy. If you do not agree with this Policy, you must discontinue use of the System.

This Policy is issued in compliance with the Ghana Data Protection Act, 2012 (Act 843) and applicable international data protection standards.

2. Information We Collect

We collect the following categories of information:

Account Information: Full name, email address, phone number, login credentials, role within the organization, and profile details.

Business Information: Business name, type, registration details, branch locations (including GPS coordinates), operating hours, and organizational structure.

Transaction Data: Sales records, refund records, payment details, receipt data, product quantities, pricing, discounts applied, and payment method used.

Inventory Data: Product catalogs, stock levels, batch records, expiry dates, stock movements, and supplier information.

Staff Data: Employee profiles, attendance logs (including GPS clock-in/clock-out coordinates), shift schedules, performance metrics, and off-day requests.

Financial Data: Subscription payments, payment gateway references, fee calculations, and billing history.

Technical Data: IP addresses, browser type and version, device information, operating system, access timestamps, and usage patterns.

AI Interaction Data: Chat conversations with the AI agent, voice input transcriptions, uploaded images and documents, and AI-generated responses.

3. How We Use Your Information

We use collected information for the following purposes:

To provide, operate, and maintain the Services, including POS processing, inventory management, staff management, and analytics.

To generate business reports, analytics dashboards, AI insights, and fraud detection alerts.

To process payments and manage subscriptions through integrated payment gateways.

To verify staff attendance through GPS location comparison with registered branch coordinates.

To train and improve AI and machine learning models for fraud detection, anomaly detection, and business recommendations.

To communicate important updates, security alerts, and service notifications via email and SMS.

To enforce subscription limits and feature access controls.

To maintain system security, prevent unauthorized access, and investigate potential fraud.

4. Legal Basis for Processing

Under the Ghana Data Protection Act, 2012 (Act 843), we process personal data based on the following legal grounds:

Consent: Users provide explicit consent upon registration and acceptance of these terms.

Contractual Necessity: Processing is necessary to fulfill the subscription agreement and deliver the Services.

Legitimate Interest: Processing for fraud detection, system security, and service improvement.

Legal Obligation: Processing required to comply with applicable laws, regulations, or lawful requests from authorities.

5. Automated Decision-Making and Profiling

The System uses automated decision-making and profiling in the following contexts:

Fraud Detection: Machine learning models (Isolation Forest and Random Forest algorithms) analyze transaction patterns to generate fraud risk scores and alerts. These scores are used to flag potentially suspicious activity for human review by business owners and managers.

Staff Risk Profiling: Automated analysis of transaction patterns, discount usage, refund frequency, and attendance records to generate staff risk scores.

AI Chat Agent: Natural language processing to interpret user queries and generate business insights and recommendations.

All automated fraud alerts and risk scores are advisory in nature and are subject to human review. No automated decision results in adverse action against any individual without human oversight by the User (business owner or manager).

6. Cookies and Tracking Technologies

The System uses cookies and similar technologies for the following purposes:

Session Cookies: Essential for maintaining authenticated user sessions and preventing unauthorized access. These expire when the browser is closed.

Authentication Tokens: JSON Web Tokens (JWT) stored in browser localStorage for API authentication.

Service Worker Cache: The Progressive Web App (PWA) caches application assets and data locally for offline functionality.

We do not use third-party tracking cookies, advertising cookies, or cross-site tracking technologies.

7. Data Sharing and Third-Party Processors

We do not sell, rent, or trade User data to third parties under any circumstances.

We share data with the following third-party service providers solely for the purpose of delivering the Services:

Paystack (Paystack Payments Limited) — Payment processing for card and mobile money transactions. Paystack receives transaction amounts, customer payment details, and branch subaccount codes. Paystack is PCI DSS compliant.

KoraPay — Pan-African payment processing. Receives transaction amounts and payment details.

OpenAI (OpenAI, LLC) — AI-powered chat responses, fraud alert explanations, and report narratives. Receives anonymized business queries and contextual data. OpenAI's data usage policies apply.

Google Cloud Platform (Google LLC) — Application hosting, compute infrastructure, and Cloud Scheduler. Receives all application data in transit and at rest on their servers.

Supabase (Supabase, Inc.) — PostgreSQL database hosting. Stores all application data including User accounts, transactions, and business records.

Cloudinary (Cloudinary Ltd.) — Media file storage for product images, logos, and uploaded documents.

Resend (Resend, Inc.) — Transactional email delivery. Receives email addresses and email content.

Arkesel — SMS notification delivery in Ghana. Receives phone numbers and message content.

Each third-party processor is selected for their security practices and compliance standards. We maintain contractual obligations with these processors regarding data protection.

8. Data Retention

We retain data for the following periods:

Transaction and Financial Data: 7 years from the date of the transaction, to comply with applicable accounting and tax regulations.

Account and Profile Data: For the duration of the active account plus 1 year following account closure or termination.

AI Chat Conversations: Up to 3 months from creation, or 50 conversations per user (whichever limit is reached first). Users may delete conversations at any time.

Attendance and GPS Logs: 2 years from the date of the log entry.

Fraud Alerts and Investigation Records: 3 years from the date of creation.

System Logs and Technical Data: 90 days from the date of collection.

Media Uploads: For the duration of the active account. Deleted within 30 days of account termination.

Upon expiration of the retention period, data is permanently deleted or irreversibly anonymized.

9. International Data Transfers

The System is hosted on Google Cloud Platform infrastructure located in the United States (us-central1 region). User data collected in Ghana and other African countries is transferred to and processed in the United States.

Database services are provided by Supabase with servers located in the European Union (eu-central-1 region).

We rely on the data protection commitments and security certifications of our infrastructure providers (Google Cloud SOC 2, ISO 27001; Supabase SOC 2) to ensure adequate protection of transferred data.

By using the System, Users consent to the transfer and processing of their data in these jurisdictions.

10. Data Security

We implement the following security measures to protect User data:

Encrypted data transmission via TLS/HTTPS for all communications between User devices and our servers.

Role-based access controls (RBAC) with a 9-level permission hierarchy ensuring Users can only access data appropriate to their role.

JWT-based authentication with token expiration and refresh mechanisms.

HMAC-SHA512 webhook signature verification on all payment gateway callbacks.

Server-side validation of all financial transactions and permission-sensitive operations.

Audit logging of all sensitive actions including payments, refunds, admin overrides, and account changes.

Multi-tenant data isolation ensuring organizations cannot access each other's data.

While we take reasonable measures to protect data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

11. Children's Privacy

The System is not directed at individuals under the age of 18. We do not knowingly collect personal information from children.

If we become aware that we have collected personal information from a child under 18, we will take immediate steps to delete such information.

12. User Rights

Under the Ghana Data Protection Act, 2012 (Act 843) and applicable data protection laws, Users have the following rights:

Right of Access: Users may request a copy of the personal data we hold about them.

Right to Rectification: Users may request correction of inaccurate or incomplete personal data.

Right to Erasure: Users may request deletion of their personal data, subject to legal retention requirements and contractual obligations.

Right to Data Portability: Users may request export of their data in a structured, machine-readable format.

Right to Object: Users may object to specific types of data processing, including automated profiling.

Right to Withdraw Consent: Users may withdraw consent at any time by contacting us, though this may affect their ability to use certain features.

To exercise any of these rights, please contact us at [email protected]. We will respond to valid requests within 30 days.

13. Data Breach Notification

In the event of a confirmed data breach affecting personal data, we will notify affected Users within 72 hours of becoming aware of the breach, in compliance with the Ghana Data Protection Act, 2012 (Act 843).

We will also notify the Data Protection Commission of Ghana where required by law.

Notification will include the nature of the breach, the categories of data affected, the estimated number of individuals affected, the likely consequences, and the measures taken or proposed to mitigate the breach.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations.

Material changes will be communicated to Users via email or in-app notification at least 14 days before they take effect.

Continued use of the System after the effective date of changes constitutes acceptance of the updated Policy.

15. Governing Law

This Privacy Policy shall be governed by the laws of the Republic of Ghana, including the Data Protection Act, 2012 (Act 843).

16. Contact Information

For privacy-related inquiries, data access requests, or complaints, please contact:

Amuzara AI

Email: [email protected]

Phone: +233204737363

Location: Accra, Ghana