Acceptable Use Policy

The DREWQ API is authorised for use in legitimate identity verification workflows, including:

• In-person identity verification at physical service points (e.g. bank branches, government offices, border checkpoints)
• Know Your Customer (KYC) and Customer Due Diligence (CDD) processes required under financial regulations
• Employee or visitor access control where the individual presents their card in person
• Enrolment and onboarding into government or enterprise services where identity verification is a requirement
• Building developer tools, integrations, or internal systems that use DREWQ data for the above purposes

In all cases, the card must be physically presented by the cardholder and the operator must have a lawful basis for the scan under the Ghana Data Protection Act 2012 (Act 843).

The following uses are strictly prohibited and will result in immediate API key revocation and potential legal action:

Consent & Data Use

• Scanning a card without the cardholder's knowledge or against their will
• Using scan data for any purpose beyond the stated reason at the time of scanning
• Retaining citizen data beyond the period required for the stated purpose without a lawful basis
• Using the facial photo data stored from DG2 for automated facial recognition, biometric matching, or cross-referencing against external databases

Resale & Distribution

• Reselling, sublicensing, or redistributing access to the API or scan data to third parties without prior written authorisation
• Aggregating or selling citizen identity data to data brokers, advertisers, or any commercial third party

Technical Abuse

• Automated bulk scanning, scraping, or harvesting of citizen records in excess of legitimate operational volumes
• Attempting to extract BAC key material, reverse-engineer chip authentication, or bypass the card's security mechanisms
• Sharing API keys across multiple organisations or using a single key to service third-party operators
• Probing, testing, or attacking DREWQ's infrastructure or other operators' data

Legal & Regulatory

• Using the Service in a manner that violates applicable law, including the Ghana Data Protection Act 2012, the Electronic Transactions Act 2008, or any anti-money laundering regulation
• Impersonating another operator or using a compromised API key knowing it to be compromised

API rate limits exist to ensure fair access for all operators and to protect platform stability. Current limits are documented in the API Reference.

Operators must not design integrations that deliberately circumvent rate limits through techniques such as distributed API key pools, request batching, or IP rotation. If your legitimate operational volume requires higher limits, contact us to discuss an enterprise arrangement.

We monitor usage patterns for anomalies. Sustained usage that is inconsistent with the stated purpose of an account may trigger a review and temporary suspension pending investigation.

By using the Service, you accept full responsibility for ensuring that your use, and the use of any downstream systems you build, complies with this AUP. This includes:

• Training staff who operate card readers on the lawful basis for scanning and the rights of cardholders
• Displaying appropriate notices to individuals at scan points where required by law
• Implementing access controls so that only authorised staff can initiate scans or view citizen records
• Securing API keys and rotating them promptly if compromised
• Promptly responding to data subject access and erasure requests relating to data your organisation has scanned

We reserve the right to investigate any suspected violation of this AUP. Upon confirmation of a violation, we may take one or more of the following actions without prior notice:

• Issue a warning and require remediation
• Temporarily suspend API access
• Permanently revoke API keys and terminate the account
• Report the matter to the Ghana Data Protection Commission, the relevant financial regulator, or law enforcement
• Pursue civil or criminal remedies where damage has occurred

We will make reasonable efforts to notify you before taking action unless the severity of the violation warrants immediate suspension.

If you become aware of a violation of this AUP, whether by your own systems or by another operator, please report it promptly. Reports of AUP violations are treated confidentially.