Data Retention Policy

The following schedule applies to all data processed through DREWQ:

Each retention period reflects a specific operational or legal purpose:

• Citizen records are retained to avoid re-scanning the same card on repeat visits and to provide operators with a searchable identity record for their service interactions
• Scan logs are retained for audit, accountability, and fraud investigation purposes. The 12-month period aligns with standard audit trail requirements in Ghanaian financial regulations.
• API access logs are retained to support security investigations and to detect anomalous usage patterns
• Operator account data is retained for a short period after termination to support billing reconciliation and dispute resolution

Operators can delete citizen records at any time through the operator dashboard or via the API. Deletion is permanent and irreversible. The associated facial photo and MRZ data are removed together with the record.

Operators are responsible for deciding when to delete citizen records consistent with their stated purpose for the scan and their obligations under the Ghana Data Protection Act 2012. We recommend operators establish their own internal retention policies and use the API to automate deletion when records are no longer needed.

Scan logs associated with a deleted citizen record are anonymised (citizen fields are nulled) rather than deleted outright, so that the audit trail of scan activity remains intact for the minimum 12-month period.

Individuals whose data has been processed have the right to request erasure under the Ghana Data Protection Act 2012. Because operators are the data controllers for the scans they perform, erasure requests should in the first instance be directed to the operator organisation that performed the scan.

If the operator cannot be identified or is unresponsive, individuals may contact us directly. We will:

• Verify the identity of the person making the request
• Locate the relevant citizen record using the personal ID number
• Delete the record and associated photo data within 30 days of a verified request
• Confirm deletion in writing to the requestor

Note that anonymised scan log entries may be retained even after citizen record deletion, as they do not identify the individual once anonymised.

When an operator account is terminated (whether by the operator or by us for policy violations):

• API keys associated with the account are revoked immediately
• Citizen records are scheduled for deletion within 30 days of account closure
• Scan logs are retained for the remainder of their 12-month window from the date of each scan, then deleted
• Operator account data is retained for 60 days for billing and dispute purposes, then permanently deleted

Operators may request an export of their citizen records before account closure by contacting support. Exports are provided in JSON format and are available for 7 days after generation.

We may retain data beyond the standard retention periods where we are subject to a legal obligation to do so, including:

• Court orders or preservation demands from law enforcement or regulatory bodies
• Ongoing investigations into suspected fraud, identity theft, or abuse of DREWQ
• Active litigation or formal disputes in which the data is relevant evidence

We will notify affected operators of any legal hold unless prohibited from doing so by law or court order.