Privacy Policy

We collect personal data from two sources:

From DREWQ scans: When an operator uses the DREWQ API to scan an ECOWAS identity card, we process and store the following data read from the card chip:

• Personal ID Number (GHA-XXXXXXXXXX-X format)
• Card number and document number
• Surname and given names
• Date of birth, nationality, and sex
• Card expiry date
• Facial photograph: the JPEG image stored on the card chip (DG2 data group). This constitutes biometric data under the Ghana Data Protection Act 2012. It is used solely to display the cardholder's image to the operator during verification and is not used for automated facial recognition or biometric matching.

From platform usage: We collect operator account information (name, email address, organisation), API access logs, and scan audit trail data including station IDs, timestamps, and scan outcomes.

Personal data collected from DREWQ scans is processed exclusively on behalf of the operator organisation that performed the scan. We do not use this data for our own commercial purposes, share it with advertisers, or use it to profile individuals.

Specifically, we use collected data to:

• Store and return citizen records to authorised operators for identity verification purposes
• Maintain a complete, tamper-evident audit trail of all card scans for accountability
• Generate aggregate statistics (total scans, active readers) that do not identify individuals
• Improve the reliability and security of DREWQ
• Respond to legitimate law enforcement requests where required by applicable law

Citizen records are stored in a PostgreSQL database hosted in a secure environment. Access is restricted to authenticated API clients using Bearer token authentication. We implement the following security measures:

• All data in transit is encrypted using TLS 1.2 or higher
• Field-level encryption at rest: sensitive personal data fields — surname, given names, nationality, MRZ lines, and facial photo data — are individually encrypted in the database using AES-256-GCM before storage. Even in the event of unauthorised database access, these fields cannot be read without the encryption key.
• Database credentials and encryption keys are managed via environment variable isolation and are never committed to source code
• API keys can be revoked instantly from the operator dashboard
• Access logs are retained for a minimum of 12 months for audit purposes
• BAC (Basic Access Control) key material (document number, date of birth, expiry date) is used only for card authentication and is not stored persistently

While we implement industry-standard security measures, no system is completely secure. Operators are responsible for securing their own API keys and workstation environments.

We do not sell, rent, or share citizen personal data with third parties for marketing, advertising, or commercial purposes.

We may share data with third parties only in the following limited circumstances:

• Service providers: Hosting, database, and infrastructure providers who process data on our behalf under data processing agreements
• Legal obligations: Where required by law, regulation, court order, or national security directive
• With your consent: Where you or the relevant operator has explicitly authorised a specific disclosure

Individuals whose data has been processed through the DREWQ Reader API may have the following rights, subject to applicable national law and the Ghana Data Protection Act 2012 (Act 843):

• Right of access: Request a copy of the personal data held about you
• Right to rectification: Request correction of inaccurate personal data
• Right to erasure: Request deletion of your data where there is no legitimate basis for continued processing
• Right to object: Object to processing of your data in certain circumstances

To exercise these rights, contact the operator organisation that performed the card scan, as they are the data controller. You may also contact us directly using the details below.

For privacy-related questions, data subject requests, or to report a security concern, use our contact form. We respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Ghana Data Protection Commission.