Data governance & compliance.
Our commitment to responsible data handling under Ghanaian and international law.
Ghana DPA 2012
Fully compliant with the Ghana Data Protection Act, 2012 (Act 843). Registered with the Data Protection Commission of Ghana.
Student Protection
Minimum age 12. No advertising to any users. Student data handled with extra care under educational data principles consistent with COPPA guidelines.
Payment Security
Payments processed by Paystack — PCI-DSS Level 1 certified. We never store card or MoMo numbers. All transactions encrypted in transit and at rest.
Ghana Data Protection Act 2012 (Act 843)
The Ghana Data Protection Act 2012 (Act 843) is the primary legislation governing how personal data must be collected, stored, processed, and shared in Ghana. Crearea is fully committed to compliance with Act 843.
Key principles we uphold
- Accountability: We take responsibility for the personal data we process and have designated a Data Protection contact to oversee compliance.
- Lawfulness: We only process personal data where we have a lawful basis — primarily consent (when you create an account) and contractual necessity (to provide the Service you signed up for).
- Purpose limitation: We only collect and use data for the specific purposes stated in our Privacy Policy. We do not repurpose data for incompatible uses.
- Data minimisation: We collect only the minimum data necessary to provide the Service. We do not collect data "just in case."
- Accuracy: We take reasonable steps to keep your data accurate. You can update your account information at any time.
- Storage limitation: We retain data only as long as necessary. See our Privacy Policy for specific retention periods.
- Security: We implement technical and organisational measures to protect data against unauthorised access, loss, or destruction.
Individuals have the right to access, correct, delete, or port their data, and to object to processing. These rights can be exercised by contacting privacy@crearea.app.
Student data protection
Crearea is designed exclusively as an educational tool for students. We take student data protection seriously and apply the following principles:
Age and consent
Crearea requires users to be at least 12 years of age. We are aware that many of our users are minors and treat their data with heightened care. While Ghanaian law sets 18 as the age of majority for contract, educational platforms serving students aged 12 and above are commonplace. We align our student data practices with internationally recognised standards including the US Children's Online Privacy Protection Act (COPPA) principles, applied as guidance for users under 18.
No advertising to students
We do not display advertisements, serve advertising to, or build advertising profiles for any user — including minors. Our revenue comes from subscriptions only.
Minimum necessary data
For students, we collect only: name, email, education level, and school (optional). We do not collect financial information directly, GPS location, biometric data, or any data beyond what is needed to provide the educational service.
Parental access
Parents or guardians of users under 18 may contact privacy@crearea.app to request access to, correction of, or deletion of their child's account data. We will process such requests within 30 days.
Security measures
We implement the following technical and organisational security measures:
Technical measures
- Encryption in transit: All data between your device and our servers is encrypted using TLS 1.3.
- Encryption at rest: Data stored in Firebase Firestore and Firebase Storage is encrypted at rest using AES-256.
- Authentication: Multi-factor authentication is available and recommended for all accounts. Firebase Authentication manages session tokens with automatic expiry.
- Access control: Production systems are accessible only to authorised team members with role-based permissions. All access is logged.
- API security: All AI calls go through authenticated Cloud Functions — never directly from the client. API keys are stored as Cloud Function secrets, never in the app.
- Dependency management: We regularly update dependencies and review for security vulnerabilities.
Organisational measures
- Only team members with a legitimate need to know can access user data
- Team members are trained on data protection responsibilities
- We conduct regular reviews of our data handling practices
- Contracts with sub-processors include data protection obligations
Third-party data processors
We use a limited number of carefully selected sub-processors. We have data processing agreements in place with each:
- Google Firebase (Google LLC) — database, authentication, storage, cloud functions. Firebase's data centres are in the US; data is transferred under standard contractual clauses. Firebase is compliant with ISO 27001, SOC 2, and GDPR.
- Paystack (Paystack Inc.) — payment processing. PCI-DSS Level 1 certified, operating under the Bank of Ghana regulatory framework. Data processed in accordance with their Privacy Policy.
- Google Gemini API (Google LLC) — AI inference for AI features. Google does not use API-submitted data to train models. Data is processed under our API agreement with Google.
We do not share data with any other third parties for commercial purposes.
Incident response
In the event of a data breach or security incident:
- Detection: We maintain monitoring that alerts us to unusual activity.
- Containment: We isolate affected systems within hours of detection.
- Assessment: We assess the nature, scope, and impact of the incident.
- Notification: If a breach poses a risk to individuals' rights, we notify the Data Protection Commission of Ghana within 72 hours and affected users without undue delay.
- Remediation: We address the root cause and implement measures to prevent recurrence.
- Post-incident review: We document lessons learned and update our security practices.
To report a security vulnerability, email privacy@crearea.app with the subject line "Security Report". We commit to acknowledging reports within 48 hours.
Data Protection contact
Crearea has designated a data protection contact responsible for overseeing compliance with the Ghana Data Protection Act 2012 and this organisation's data protection obligations.
Data Protection Contact
Email: privacy@crearea.app
Address: Accra, Ghana
You may contact our data protection contact for any questions or concerns about how we handle your personal data, to exercise your rights under the Ghana DPA 2012, or to report a potential data protection issue.
If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Commission of Ghana.