Your data, held carefully.

Celebrate Right is a gifting and celebration concierge service based in Osu, Accra. We're the data controller for information collected through celebrateright.gh and any orders placed with us by WhatsApp, phone, or in person.

Registered business name: [YOUR REGISTERED BUSINESS NAME]
Business registration number: [YOUR RGD NUMBER]
Registered address: [YOUR REGISTERED ADDRESS], Osu, Accra, Ghana
Contact: [email protected]

We collect only what we need to deliver gifts and stay in touch:

• Identity & contact data — your name, phone number, email address, and (if you create an account) sign-in credentials managed by our authentication provider.
• Recipient data — the name, phone number, and delivery address of the person you're sending a gift to.
• Order data — what you bought, when, where it's going, the message you'd like on the card, any delivery instructions.
• Reminder data — the dates, recipients, and occasions you've asked us to remember for you.
• Payment data — we don't store card numbers. Payments are processed by Paystack, which is PCI-DSS certified. We keep only the transaction reference, amount, and status.
• Custom request content — the brief you send via our custom-order form, including the budget range and any photos or links you share.
• QR Memory Card content — the photos, video, and written message attached to a memory card you create.
• Device & usage data — IP address, browser type, device type, pages visited, and timestamps. Collected via our hosting provider and basic analytics.

We do not knowingly collect any special personal data as defined in §60 of the Act (race, political opinion, religion, health, sexual orientation, biometric data). If you include such information voluntarily in a custom request or a memory card message, we'll treat it with the elevated care the Act requires.

• To fulfil and deliver your orders.
• To send you order confirmations, delivery updates, and receipts.
• To send you the date reminders you specifically signed up for — and nothing else by default.
• To respond to custom-order briefs and quote you back.
• To process payments via Paystack and handle refunds.
• To keep records required by Ghanaian tax and consumer law.
• To improve the site (which pages people use, where they get stuck).
• To prevent fraud and abuse of the service (suspicious activity, repeated chargeback attempts).

We will not use your data for marketing without your explicit consent. If you sign up for reminders, that's what you get — we won't add you to a promotional list as a side-effect.

Under the Act, we need a lawful basis to process your data. Ours are:

• Contract performance — when you place an order, we process your data to deliver it.
• Your consent — for reminder subscriptions, QR memory cards, and any marketing emails you opt into. You can withdraw consent at any time.
• Legal obligation — to comply with Ghanaian tax, consumer-protection, and anti-money-laundering law.
• Legitimate interest — to keep the service running, prevent fraud, and improve our product, in ways that don't override your rights.

We don't sell your data. We share only with the providers we need to operate, each contractually bound to protect it:

• Paystack (Lagos, Nigeria) — payment processing.
• WhatsApp / Meta (Ireland / USA) — delivery of order updates and reminders via the WhatsApp Business API.
• Hubtel (Accra, Ghana) — SMS fallback when WhatsApp delivery fails.
• Resend (USA) — transactional emails (order confirmations, blueprint downloads, receipts).
• Clerk (USA) — authentication for admin users.
• Cloudflare (USA) — frontend hosting, CDN, DDoS protection.
• DigitalOcean (USA / UK regions) — backend hosting.
• Neon (USA / UK regions) — database hosting.
• Cloudinary (USA) — image hosting for products and QR memory cards.
• Our delivery riders — recipient name, phone, and address, only for the duration of the delivery run.

We may also disclose data when required by law — to comply with a court order, a regulatory investigation, or a request from the Data Protection Commission or the Ghana Revenue Authority.

• Order records — six (6) years, to comply with Ghanaian tax record-keeping requirements.
• Reminder subscriptions — until you cancel, plus 30 days for backup purposes.
• Custom request briefs — 12 months from the date of the brief, then anonymised.
• QR memory cards — for as long as the recipient holds the card, or until the buyer requests deletion. The buyer owns the right to delete.
• Account data — until you ask us to delete it.
• Marketing email lists — until you unsubscribe.
• Web analytics — 14 months in aggregated form, then deleted.

Some of our providers (Clerk, Resend, Cloudflare, Cloudinary, DigitalOcean, Neon) are based outside Ghana, primarily in the United States and the United Kingdom. Under §47 of the Act, we transfer your data internationally only when:

• the receiving country has adequate data-protection law (the UK and EU member states), OR
• the provider has agreed to contractual safeguards equivalent to Ghana's Act (typically Standard Contractual Clauses), OR
• you've given specific consent for the transfer.

We choose providers with strong security practices and we minimise the data we send to each.

Under §35 of the Act, you have the right to:

• Access — ask for a copy of the personal data we hold about you.
• Correction — ask us to fix data that's wrong or out of date.
• Deletion — ask us to delete your data, subject to our legal record-keeping obligations.
• Objection — object to processing based on legitimate interest, including marketing.
• Restriction — ask us to stop using your data while a dispute is resolved.
• Portability — receive a machine-readable copy of data you've given us.
• Withdraw consent — for anything we're doing on the basis of your consent.
• Lodge a complaint — with the Data Protection Commission of Ghana if you think we're mishandling your data.

To exercise any of these rights, email [email protected] with “Data request” in the subject. We'll respond within 30 days (usually much sooner). No fee for reasonable requests.

We use a small number of essential cookies and similar technologies:

• Session cookies set by our authentication provider (Clerk), only when you sign in to the admin area.
• Security cookies set by Cloudflare to mitigate attacks and verify legitimate traffic.
• Analytics — basic, aggregated page-view stats. We do not use cross-site tracking pixels (Facebook Pixel, Google Ads remarketing, etc.) for behavioural advertising.

You can disable cookies in your browser, but the admin sign-in flow won't work without them.

Celebrate Right is not directed at children under 18. We do not knowingly collect personal data from anyone under 18 without a parent or guardian's consent. If you believe we've collected data from a minor, contact us and we'll delete it promptly.

We may update this policy from time to time — for example, when we add a new feature or change a provider. We'll always update the “Last updated” date at the top, and if the change is significant we'll notify you by email or WhatsApp (whichever we have for you).

Questions, concerns, or want to exercise a right? The fastest path is WhatsApp; the most formal is email.

• Email: [email protected]
• WhatsApp: +233 [YOUR WHATSAPP NUMBER]
• Post: [YOUR REGISTERED ADDRESS], Osu, Accra, Ghana

If you're not satisfied with our response, you can complain to the Data Protection Commission of Ghana at dataprotection.org.gh or by email at [email protected].