Legal

Privacy Policy

Last updated: 30 April 2026

1. Introduction

This Privacy Policy explains how HOVA ("we", "us", "our") collects, uses, stores, and shares personal data when you use our communications platform at app.hovagh.com or any related services (collectively, the "Service").

We comply with the Data Protection Act, 2012 (Act 843) of the Republic of Ghana. By using the Service, you agree to the practices described in this policy.

2. Who we are

HOVA is operated by Abrefa Carl, an individual operator based in Ghana. We are not currently registered as a limited liability company. As we grow, we intend to register HOVA as a Ghanaian Ltd entity, and this policy will be updated to reflect that change.

For all privacy-related questions, contact us at hovaunplugged@gmail.com.

3. What we collect

We collect the following categories of personal data:

  • Account information: name, email, phone number, password (stored as a one-way hash), business name, and country of operation.
  • Communications data: SMS, voice call, WhatsApp, email, TikTok DM, and Instagram DM content sent or received through the Service. This includes recipient phone numbers, sender IDs, message bodies, delivery status, and call recordings (when you have enabled recording).
  • Contact list data: phone numbers, names, email addresses, and any custom fields you upload to your HOVA contacts.
  • Billing data: wallet balance, transaction history, payment method details (we do not store full card numbers — these are tokenized by our payment provider, Paystack).
  • Technical data: IP address, browser type, device information, and timestamps of actions you take, recorded for security and debugging purposes.
  • Third-party platform data: when you connect a TikTok Business, Instagram, Meta WhatsApp Business, or Google account, we receive an authorization token and the account data those platforms make available to us under your granted permissions.

4. Why we collect it

We use personal data for the following purposes:

  • To provide the Service — sending and receiving messages, routing calls, billing your account.
  • To detect and prevent fraud, abuse, and unauthorized access.
  • To comply with legal obligations, including responses to lawful requests from Ghanaian authorities.
  • To improve the Service through aggregated, non-identifying analytics on our infrastructure performance.
  • To send you service announcements, billing notices, and security alerts. We do not send marketing emails without your consent.

5. Third-party platforms

The Service integrates with several third-party platforms to deliver messages and authenticate users. When you use these features, your data is shared with the relevant provider under their own privacy policies:

  • Arkesel — for SMS delivery in Ghana. We share recipient phone numbers and message bodies.
  • Hubtel and Africa's Talking — for voice calling and SMS. We share recipient numbers and call audio.
  • Brevo — for transactional email. We share recipient emails and message bodies.
  • Meta Platforms (WhatsApp Business, Instagram) — when you connect a Meta-owned account, we exchange authorization tokens and message data. Your use of these integrations is also governed by Meta's terms.
  • TikTok for Business — when you connect a TikTok Business account, we exchange OAuth tokens, and may receive direct message and comment data subject to scopes you approve. Your use of this integration is also governed by TikTok's terms.
  • Google — when you sign in with Google, we receive your email address, name, and profile picture. We do not access your Gmail, Drive, or Calendar without explicit additional consent.
  • Paystack — for payment processing. Card details are tokenized by Paystack; we never see them.
  • Supabase — for database hosting (Postgres). All HOVA data is stored on Supabase infrastructure.
  • Railway — for application hosting.

We use only Generative AI services from Google AI (Gemini) and Groq for AI text generation. Message content sent through these services is processed in their infrastructure but is not used to train their models when accessed via paid API keys.

6. How we share data

We share personal data only in the following situations:

  • With the third-party providers listed in Section 5, strictly to operate the Service.
  • With law enforcement or government bodies, only when required by valid legal process under Ghanaian law.
  • With your explicit consent for any other sharing.

We do not sell personal data to anyone, ever. We do not use customer data to train any AI models.

7. How long we keep data

  • Account data: retained while your account is active, plus 90 days after closure to handle billing reconciliation.
  • Message content: retained for 180 days by default. You can request shorter retention by contacting us.
  • Call recordings: retained for 90 days, then auto-deleted.
  • Billing records: retained for 6 years to comply with Ghanaian tax law (Internal Revenue Act).
  • Security logs: retained for 90 days.

8. How we protect data

We use the following measures to protect your data:

  • TLS 1.2+ encryption for all data in transit between your browser and our servers.
  • Encryption at rest for our Supabase Postgres database, managed by Supabase.
  • Passwords hashed using bcrypt — we never store plain-text passwords.
  • API keys hashed with one-way SHA-256 — we cannot recover them after issuance.
  • Two-factor authentication (TOTP) available on all accounts.
  • Audit logs of all administrative actions.

Honesty note: HOVA is currently a small, individually-operated service. We are not ISO 27001, SOC 2, or PCI DSS certified. Card payments are processed by Paystack, which is PCI DSS certified. As HOVA grows we plan to pursue formal certifications.

9. Your rights under Ghana's DPA

Under the Data Protection Act, 2012, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your data, subject to our legal retention obligations.
  • Object to specific uses of your data.
  • Withdraw consent for any processing that relies on your consent.
  • Lodge a complaint with Ghana's Data Protection Commission (dataprotection.org.gh).

To exercise any of these rights, email hovaunplugged@gmail.com. We respond within 14 days.

10. Children's privacy

The Service is intended for use by businesses and individuals aged 18 or older. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us so we can delete it.

11. Cookies and tracking

We use a small number of strictly-necessary cookies to keep you logged in (session token) and remember your dashboard preferences. We do not use Google Analytics, Facebook Pixel, Mixpanel, or any third-party tracking tools. We do not run advertising cookies. We do not sell visitor data.

12. International transfers

Some of the third-party services we depend on (Supabase, Railway, Brevo, Google AI, Groq) store or process data outside Ghana. We rely on those providers' standard contractual safeguards. If you would prefer your data not leave Ghana, contact us — for sensitive workloads we can discuss self-hosted alternatives.

13. Changes to this policy

We may update this policy from time to time. When we make material changes, we will email account holders at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

14. Contact

Questions about this policy? Email us at hovaunplugged@gmail.com.