Privacy

Privacy, written plainly

Xtiitch handles sensitive business and customer data, including measurements. The product is being built with tenant isolation, limited data access and Ghana data-protection review in mind.

This is a launch-draft privacy notice for implementation and legal review. Final privacy terms must be approved before public launch.

Who is responsible for your data (controller vs processor)

For account, waitlist and platform data, Xtiitch (XCreativs Technologies) is the data controller. For the customer, order and measurement records a business records inside its own store, that business is the data controller and Xtiitch acts as its data processor — handling the data only on the business’s instructions to run the service. This follows the controller/processor roles set out in the Data Protection Act, 2012 (Act 843).

What we collect

Waitlist: the name, business name, phone, optional email, town or city and any message you submit. In the product: business setup details; customer contact details; order, catalogue and measurement information; delivery and booking choices; payment metadata (never raw card details); and technical data such as device, log and usage information needed for security and reliability.

Why we use it and our lawful basis

We process data to deliver the contract you or your business asked for (set up stores, process orders, show tracking, support payments, send service notifications); for our legitimate interest in keeping the service secure and preventing misuse; with your consent for optional marketing or non-essential contact; and to meet legal, tax and accounting obligations. You can withdraw consent for marketing at any time.

Payments

Paystack collects payments on its own PCI-compliant surfaces. Xtiitch never receives or stores raw card details and does not operate a wallet or hold customer funds in escrow — it only records payment state.

Tenant isolation

Each business’s data is scoped to that business and enforced at the database layer (row-level security). Tenant isolation across customer, order, measurement, catalogue and money records is a release-blocking security requirement; one business can never read another’s data.

How we keep data secure

Data is encrypted in transit (TLS); passwords are hashed with bcrypt, never stored in plain text; access follows least-privilege principles; sensitive operator actions are audit-logged; and the platform applies conservative security headers, request limits and dependency-vulnerability scanning.

How long we keep it

We keep personal data only as long as needed to provide the service and to meet legal, tax and accounting obligations, after which it is deleted or anonymised. Waitlist contacts are removed on request. Exact retention periods per data category are being finalised and will be published before public launch.

Your rights under Act 843

Subject to the Data Protection Act, 2012, you may request access to your personal data, ask us to correct or delete it, object to or restrict certain processing, ask for a portable copy, and withdraw consent. For data a business holds in its store, we forward such requests to that business as the controller. We will respond within the time the law allows.

Service providers and international transfers

We rely on vetted providers to run the service — for example Paystack (payments), Cloudinary (image hosting), an email delivery provider and cloud infrastructure. Some of these process data outside Ghana; where they do, we use providers that apply appropriate security and contractual safeguards.

Children

Xtiitch is a business tool and is not directed at children. We do not knowingly collect personal data from anyone under 18; if you believe a child’s data has been shared with us, contact us and we will remove it.

Contact and complaints

For privacy questions or to exercise your rights, contact Xtiitch’s data-protection point of contact (published with the final policy before launch). You also have the right to lodge a complaint with the Data Protection Commission of Ghana.

Before launch

What still needs final legal review

The final privacy policy must confirm Xtiitch’s data controller/processor roles, retention periods, support contacts, international service providers, incident process and user rights under applicable Ghana law.