Privacy Policy

This Privacy Policy explains how EdoMatch ("EdoMatch", "we", "us" or "our") collects, uses, stores, shares and protects personal data through the EdoMatch HR Suite human resources and payroll platform (the "Platform"), and the rights you have over that data.

The Platform is offered to employers and organisations operating in West Africa. This policy is written to comply with the data protection laws of the countries we serve, including the Ghana Data Protection Act, 2012 (Act 843), the Togo Law No. 2019-014 on the protection of personal data, the Cote d'Ivoire Law No. 2013-450 of 19 June 2013, the Benin Digital Code (Law No. 2017-20), and the ECOWAS Supplementary Act A/SA.1/01/10 on Personal Data Protection.

The Platform is operated by EdoMatch. For matters relating to this policy you can reach us at [email protected].

EdoMatch operates through two registered entities. The entity responsible for your data depends on the country in which your employer operates:

• Edomatch Ghana Limited is the responsible entity for Ghana. Registered address: Westland Boulevard Road, Madina, Accra, Ghana (digital address MD-020-5454). It is registered as a data controller with the Ghana Data Protection Commission.
• Edomatch SARL is the responsible entity for the French-speaking countries we serve (Togo, Cote d'Ivoire and Benin). Registered address: BP 61544, Quartier Hedzranawoe, Lome, Togo (RCCM No. TG-L FW-01-2024-B12-00579).

Our role depends on the type of data:

• As a data processor. When an employer uses the Platform to manage its staff, the employer is the data controller of its employees' personal data and decides why and how that data is processed. We process that data on the employer's behalf and on its documented instructions.
• As a data controller. For the account, billing and usage data of the administrators and managers who sign in to the Platform, and for the operation, security and improvement of the Platform itself, we act as the data controller.

If you are an employee whose data is held in the Platform by your employer, please direct requests about that data to your employer in the first instance. We will assist your employer in responding.

Depending on how the Platform is used, we process the following categories of personal data.

Account and login data (for users who sign in)

• First and last name, work email address and role.
• Password (stored only in hashed form) or Google sign-in identifier, and password-reset tokens.
• Preferred language and basic account settings.

Employee records (entered by the employer)

• Identity and contact details: name, email, phone number, date of birth, profile photograph, position, department, branch and reporting line.
• Government and statutory identifiers specific to each country we support: the Ghana Card number, SSNIT number and TIN (Ghana); the national identity card number, CNSS number and NIF (Togo); the CNI number, CNPS number and NCC (Cote d'Ivoire); and the personal identity card number, CNSS number and IFU (Benin).
• Employment information: hire date, worker category, contract terms, and where relevant termination date, reason and notes.
• Emergency contact name, phone number and relationship.

Payment and payroll data

• Bank details (bank name, branch code, account number and account name) or mobile-money details (provider and number) used to pay salaries.
• Salary, allowances, deductions, payslips, payroll runs and tax and statutory contributions (for example PAYE, SSNIT and pension contributions).

Leave, time and attendance data

• Leave requests, leave type, dates, reasons, approvals and return dates.
• Timesheets, clock-in and clock-out records and time entries.

Documents and notes

• Files uploaded to the Platform such as contracts, policies and employee documents.
• HR notes added to an employee record.

Technical and usage data

• Email delivery logs and email-notification preferences.
• Product-usage analytics and cookies used to keep the Platform secure, working and improving (see PolicySection 12).

Some data we process is sensitive and receives extra protection under West African data protection law. This includes medical certificates uploaded to support sick-leave requests, which reveal information about a person's health.

Sensitive data is processed only where it is necessary to administer employment, leave and statutory entitlements, where the employer has a lawful basis to do so, and subject to appropriate safeguards. We do not use sensitive data for any purpose other than the HR function it was provided for.

• Directly from administrators and managers who use the Platform.
• From employees who are invited to complete their own profile or onboarding.
• Through bulk import (for example CSV upload) carried out by the employer.
• Automatically, through cookies and analytics, when the Platform is used.

We process personal data to:

• provide and operate the Platform and its HR, payroll, leave and time features;
• authenticate users and keep accounts and data secure;
• process and record salary payments and statutory contributions;
• send service and notification emails;
• provide customer support;
• administer subscriptions and billing for employers;
• maintain, troubleshoot and improve the Platform;
• comply with legal, tax and regulatory obligations.

Our lawful bases for processing, depending on the activity and the applicable national law, are: the performance of a contract (including the employment relationship managed by the employer); compliance with a legal obligation; the consent of the data subject where consent is required; and our or the employer's legitimate interests in running an HR operation, balanced against the rights of data subjects. Where a country's law requires the data subject's consent for a specific processing activity, that consent is obtained before the activity takes place.

We do not sell personal data. We share it only as needed to run the Platform, with the following categories of recipients:

• The employer and its authorised administrators and managers, who control their organisation's data.
• Service providers (sub-processors) that help us run the Platform under contract and confidentiality obligations:
  • MongoDB Atlas, for secure database hosting.
  • Google, for optional Google sign-in and for address lookup (Google Maps).
  • Resend, for sending transactional and notification emails.
  • Paystack and Flutterwave, to process and disburse salary payments to employees.
  • Stripe, to process employer subscription billing.
  • OpenAI, for optional AI-assisted features.
  • PostHog, for privacy-conscious product analytics.
• Authorities and advisers where we are required by law, or to establish, exercise or defend legal claims.

Some of our service providers store or process data on servers located outside the country where it was collected, including outside the ECOWAS region. Where this happens, we take steps required by the applicable national law and the ECOWAS Supplementary Act to ensure the data continues to be adequately protected, including contractual safeguards with each provider. Where a country's law requires prior authorisation or consent for a cross-border transfer, we obtain it.

We keep personal data only for as long as it is needed for the purposes set out in this policy, for as long as the employer maintains an active account, and for any further period required by employment, tax and accounting law in the relevant country. When data is no longer needed, it is deleted or anonymised. Employers can also ask us to delete data, subject to any legal retention requirement.

We use technical and organisational measures appropriate to the sensitivity of the data, including encryption of sensitive stored data, hashing of passwords, access controls and role-based permissions, audited administrator actions, and secure, access-controlled hosting. No system can be guaranteed completely secure, but we work to protect personal data against unauthorised access, loss, misuse or alteration.

Subject to the conditions of the data protection law that applies to you, you have the right to:

• access the personal data we hold about you;
• have inaccurate or incomplete data corrected;
• request deletion of your data where the law allows;
• object to or ask us to restrict certain processing;
• withdraw consent where processing is based on consent;
• ask to receive your data in a portable form, where applicable;
• lodge a complaint with your national data protection authority.

If your data is held by an employer using the Platform, please send your request to that employer, who is the controller. For data for which EdoMatch is the controller, contact us at [email protected]. We respond within the timeframe set by the applicable law.

The relevant supervisory authorities include:

• Ghana: Data Protection Commission.
• Togo: Instance de Protection des Donnees a Caractere Personnel (IPDCP).
• Cote d'Ivoire: Autorite de Regulation des Telecommunications/TIC (ARTCI).
• Benin: Autorite de Protection des Donnees a Caractere Personnel (APDP).

The Platform uses cookies and similar technologies that are necessary to keep you signed in and to keep the service secure, and, with your agreement where required, analytics cookies that help us understand how the Platform is used so we can improve it. You can control non-essential cookies through your browser settings and any cookie controls we provide.

The Platform is intended for use by employers and working adults. It is not directed at children, and we do not knowingly collect data from children except where it forms part of lawful employment records provided by an employer.

We may update this policy from time to time. When we make material changes we will update the date at the top of this page and, where appropriate, notify account administrators. Please review this page periodically.

For any question about this policy or your personal data, contact us at [email protected] or [email protected].