Effective: 27 May 2026 · Version: 2.0 · Data Controller: QUANTUM BITS
This Privacy Policy explains how QUANTUM BITS ("SMESS", "we") collects, uses, shares and protects your personal data when you use our messaging API and dashboards. We comply with the Ghana Data Protection Act 2012 (Act 843), the EU General Data Protection Regulation (GDPR) where applicable to EU/EEA-based clients or recipients, and the UK Data Protection Act 2018.
1. Who We Are
QUANTUM BITS is the data controller for personal data you submit when registering an account, and the data processor for messages you transmit through the API on behalf of your recipients. We are incorporated in the Republic of Ghana.
2. Data We Collect
- Account data: client name, business name, email, phone, country.
- Authentication data: hashed password (bcrypt), 2FA secret (encrypted), session tokens, login IP & user-agent for the last 30 days, and API key SHA-256 hashes (plaintext keys are never retained; only a short masked preview is stored for identification).
- Payment data: tokenised card reference (last 4 digits, brand, expiry), payment authorisation code, transaction reference, amount and currency. We never see or store full PANs or CVVs; full card details are handled exclusively by Paystack, a PCI-DSS Level 1 certified processor.
- Usage data: API request logs (endpoint, status, latency), message metadata (recipient phone, timestamp, delivery status), connected WhatsApp session IDs.
- Message content: the body of messages you send is relayed through our infrastructure; production message bodies are encrypted at rest using AES-256-GCM and are not used for analytics or model training.
- Cookies: a strictly-necessary session cookie (PHPSESSID), a CSRF token cookie, and a theme-preference cookie. No advertising or third-party tracking cookies are used.
3. Legal Basis for Processing (GDPR Art. 6)
- Contract (Art. 6(1)(b)) — to provide the Service you subscribed to.
- Consent (Art. 6(1)(a)) — for auto-renewal of your subscription and for any marketing emails (which you may withdraw at any time).
- Legal obligation (Art. 6(1)(c)) — tax record retention, anti-money-laundering checks, and lawful disclosure to Ghanaian authorities.
- Legitimate interest (Art. 6(1)(f)) — security monitoring, fraud prevention, audit logging, and abuse detection.
4. How We Use Your Data
- To create and operate your account and route your API traffic.
- To process payments and renew subscriptions you have authorised.
- To send transactional emails (receipts, renewal reminders, security alerts).
- To monitor and prevent fraud, spam, and abuse of the Service.
- To meet our legal and regulatory obligations.
We do not sell your personal data, your message content, or your recipients' phone numbers to any third party. We do not use your data to train any AI or ML model.
5. Who We Share Data With
- Paystack (payment processing) — card tokens, amounts, customer email.
- Hosting and infrastructure providers — encrypted database backups, stored in the Africa region by default.
- Upstream messaging providers (WhatsApp / Meta) — recipient number and message payload, as strictly required to deliver the message.
- Law enforcement — only on receipt of a valid Ghanaian court order, subpoena or equivalent lawful instrument; we will notify you unless legally prohibited.
6. International Data Transfers
Where data is transferred outside Ghana or the EEA (for example to Paystack's processors or to a CDN), the transfer is protected by Standard Contractual Clauses and equivalent safeguards required by Section 47 of Act 843 and GDPR Chapter V.
7. Data Retention
- Active account data: retained for the life of your account.
- Deleted accounts: personal data is soft-deleted on request and permanently purged after 90 days via an automated cron, unless a longer retention is required by law.
- Payment / tax records: retained for 7 years in line with Ghana Revenue Authority requirements (Section 27 of the Revenue Administration Act 2016).
- Audit and security logs: hash-chained, append-only, retained for 12 months in hot storage and archived for a further 6 years.
- Message content: not permanently stored; metadata is kept for 90 days for delivery reconciliation.
8. Your Rights
Under Act 843 and the GDPR you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate data;
- Erase your data ("right to be forgotten") subject to Section 7 above;
- Restrict or object to processing;
- Data portability — receive your data in a machine-readable format;
- Withdraw consent at any time, including for auto-renewal;
- Lodge a complaint with the Ghana Data Protection Commission (dataprotection.org.gh) or, if you are in the EU/EEA, with your local supervisory authority.
To exercise any of these rights, email sales@smess.io. We respond within 30 days.
9. Security
We protect your data with: TLS 1.2+ on all endpoints, AES-256-GCM for message bodies and card tokens at rest, bcrypt for passwords, time-based 2FA for client and admin logins, SHA-256 hashing for API keys so plaintext keys cannot be recovered by us or an attacker, hash-chained tamper-evident audit logs, role-based access controls, automated daily encrypted backups, vulnerability scanning, and rate limiting. No system is completely secure; if a breach is likely to result in high risk to your rights, we will notify you and the Data Protection Commission within 72 hours as required by Section 31 of Act 843 and GDPR Art. 33-34.
10. Children
The Service is not directed to, and we do not knowingly collect data from, persons under 18. If you believe a minor has provided us with personal data, contact us and we will delete it.
11. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified by email at least 30 days before they take effect.
12. Contact & Data Protection Officer
For any privacy enquiry, data-subject request, or breach report:
QUANTUM BITS
Email: sales@smess.io