Privacy Policy
Last updated: March 2026
Who We Are
WHY-S Security & Intelligence Services Ltd is a private security and intelligence firm registered in the Republic of Ghana. Our registered office is located at Osu Badu Street (Opp. Royal Habit), Dzorwulu, Plot No. 10, Accra, Ghana (Digital Address: GA-156-2528).
This privacy policy explains how we collect, use, store, and protect personal data when you interact with our website, client portal, and services. We are committed to processing personal data in accordance with the Data Protection Act, 2012 (Act 843) of Ghana and, where applicable, the principles of the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.
What Data We Collect
We collect and process the following categories of personal data:
Contact Form Submissions — Name or identifier, organisation, email address or phone number, service requirement, and any information you include in your message.
Client Portal — Client ID, passkey (stored as a bcrypt hash, never in plain text), two-factor authentication secrets, session tokens, IP addresses recorded during login and document uploads.
Document Uploads — File metadata (name, size, type, upload timestamp), ClamAV scan results, and the files themselves stored in encrypted-at-rest cloud storage (Backblaze B2).
Incident Reports — Classification, location, severity, description, and any associated file attachments.
Consultation Requests — Objective, notes, and scheduling preferences.
Secure Messages — Message content, timestamps, file attachments, and read status within the client portal messaging system.
Automatically Collected Data — IP addresses, browser type, access timestamps, and pages visited. We use session cookies for authentication but do not use tracking cookies or third-party analytics.
How and Why We Use Your Data
We process personal data on the following legal bases:
Contractual Necessity — To deliver security, intelligence, and consultancy services you have engaged us for; to manage your client portal account; and to process document exchanges and incident reports.
Legitimate Interest — To maintain the security and integrity of our systems; to detect, prevent, and respond to threats; to log audit trails for operational accountability; and to improve our services.
Consent — Where you voluntarily submit a contact form enquiry or request a strategic assessment. You may withdraw consent at any time by contacting us.
Legal Obligation — To comply with applicable laws, regulatory requirements, and lawful requests from authorities.
We do not sell, rent, or trade personal data to third parties. We do not use your data for automated decision-making or profiling.
How We Protect Your Data
We implement appropriate technical and organisational measures to protect personal data:
In Transit — All data transmitted between your browser and our servers is protected by TLS (Transport Layer Security) encryption via Cloudflare Full Strict SSL.
At Rest — Uploaded documents are stored in Backblaze B2 cloud storage with server-side encryption enabled. Database records are held in a managed PostgreSQL instance with encrypted connections.
Access Control — Portal access requires a unique Client ID, passkey, and two-factor authentication (TOTP). Role-based access control restricts data visibility to authorised personnel only.
Malware Scanning — All uploaded files are scanned by ClamAV before storage. Files that fail scanning are rejected and not retained.
Infrastructure — Our application is hosted on a hardened server environment protected by a web application firewall (Cloudflare), intrusion prevention (Fail2Ban), and firewall rules (UFW).
Audit Logging — All significant actions (logins, uploads, downloads, status changes) are logged with timestamps and user identifiers for accountability and incident response.
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:
Contact form submissions are retained for 12 months unless a client relationship is established, in which case they form part of the client record.
Client portal data (account details, documents, incidents, messages) is retained for the duration of the client engagement plus 7 years, in line with standard commercial record-keeping obligations.
Audit logs are retained for a minimum of 7 years for compliance and accountability purposes.
Session data and cookies expire at the end of your browser session or upon logout.
Upon expiry of the retention period, data is securely deleted or anonymised.
Your Rights
Under the Data Protection Act, 2012 (Act 843) and, where applicable, UK GDPR, you have the following rights:
Right of Access — You may request a copy of the personal data we hold about you.
Right to Rectification — You may request correction of inaccurate or incomplete data.
Right to Erasure — You may request deletion of your data where there is no compelling reason for its continued processing, subject to our legal retention obligations.
Right to Restrict Processing — You may request that we limit how we use your data in certain circumstances.
Right to Data Portability — Where technically feasible, you may request your data in a structured, commonly used, machine-readable format.
Right to Object — You may object to processing based on legitimate interest.
To exercise any of these rights, contact us using the details below. We will respond within 30 days. We may request identification to verify your identity before processing your request.
Cookies
Our website uses only essential cookies required for authentication and session management:
Session Cookie — A secure, HTTP-only session cookie is set when you log in to the client portal. This cookie is required for the portal to function and expires when you log out or close your browser.
CSRF Token — A cross-site request forgery protection token is used to secure form submissions.
Cloudflare Cookies — Cloudflare may set cookies for security and performance purposes (e.g., bot detection). These are strictly necessary and do not track your browsing activity.
We do not use advertising cookies, social media tracking pixels, or third-party analytics services.
Contact & Complaints
For any questions, concerns, or requests relating to this privacy policy or how we handle your personal data, contact us at:
WHY-S Security & Intelligence Services Ltd
Osu Badu Street (Opp. Royal Habit), Dzorwulu, Plot No. 10
Accra, Ghana
Digital Address: GA-156-2528
Email: [email protected]
Phone: +233 26 847 4747
If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Commission of Ghana (www.dataprotection.org.gh).