1. General
1.1. Astacraft Systems Limited, trading as AstaBill ("Company", "we", "us", "our"), contact email: legal@astabill.com, processes your personal data as part of your use of our products ("Products") or platform ("Platform" and, together with the Products, "Services"). We deal with your personal data in a confidential and responsible way. The processing of your personal data takes place in compliance with the Ghana Data Protection Act, 2012 (Act 843) and other applicable data protection laws.
1.2. In this Privacy Policy we provide you with information about the nature, scope, and purposes of data collection and use, and offer insight into the processing of your personal data.
1.3. For some of our Products we will only process data pursuant to the purposes and means you determine. In these cases, we will provide you with separate data processing agreements.
1.4. The controller for the processing of your personal data is the Company. You can contact us via the address below or by email at legal@astabill.com.
Company address:
Astacraft Systems Limited (trading as AstaBill)
8 Sam Nujoma Road, North Ridge, Accra, Ghana
Email: legal@astabill.com
1.5. Astacraft Systems Limited is registered with the Data Protection Commission of Ghana as a data controller, as required by Sections 27, 46, and 53 of the Ghana Data Protection Act, 2012 (Act 843).
2. Data We Process
2.1. General: We process personal data that you as a user of the Services make available to us, for example upon registration or when using the Services (the "Data").
2.2. Website Use: If you visit our website, we process only personal data that your browser communicates to our server. We collect the following data, which is necessary to display the website correctly and guarantee stability and security:
- IP address
- Date and time stamp
- Requested page, referrer URL, transmitted data volume
- Access status / HTTP status code
- Browser, operating system, interface, language, and browser version
2.3. Registration Data: Upon registration we collect and process the following information:
- Registration details: date of registration, password (stored as a secure hash)
- Personal information: first name, last name, email address, phone number
- Business information (optional): business name, address, tax number, logo
- Payment information: Paystack sub-account details (bank or mobile money provider, account number); payment dates, invoice IDs, currency, amounts
2.4. Product Use Data: Data processed when using the Services — such as invoices, customer records, and payment data you create — is processed by us only as a processor, not as a controller. Please see the separate data processing agreement for details.
2.5. Data Minimality: We collect only the personal data that is adequate, relevant, and limited to what is necessary for the stated Purposes, in accordance with Section 19 of the Ghana Data Protection Act, 2012 (Act 843). We do not collect personal data beyond what is required to provide and improve the Services.
2.6. Data Quality: We take reasonable steps to ensure that personal data we hold is accurate, complete, and kept up to date. If you believe any of your Data is inaccurate, you may request correction under the right described in Section 6.4 below.
2.7. Collection Notice: Where we ask you to provide personal data, we will inform you whether that information is mandatory or optional, the consequences of failing to provide it, and who specifically may receive it. Registration and payment fields marked as required are necessary to create and operate your account; all other fields are optional.
3. Why We Process Your Data
3.1. Purpose: The processing of Data pursues the following purposes ("Purposes"):
- Provide and improve the Services
- Customer relations management, including transactional communications and product updates
- Marketing and promotional communications, only where you have given prior written consent (see Section 3.4)
- Security and stability of the Services
- Compliance with legal and financial obligations
3.2. Lawfulness of Processing: The lawfulness of processing stems from:
- Your consent, where we have asked for your explicit consent
- The necessity for the performance of the contract between you and the Company, as your data is needed for satisfactory use of the Services
- The necessity for the purposes of the legitimate interests pursued by the Company or by a third party
- Compliance with a legal obligation to which the Company is subject
3.3. Legitimate Interests: The legitimate interests are to monitor, analyse, and improve the Services; to protect the security, integrity, performance, and functionality of the Services; and to understand how the Services are used in order to make them more useful.
3.4. Marketing Consent: We will only send you marketing or promotional communications if you have given your prior written consent, as required by Section 40 of the Ghana Data Protection Act, 2012 (Act 843). You may withdraw consent at any time by clicking "unsubscribe" in any marketing email or by contacting us at legal@astabill.com. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
4. How We Use and Transfer Your Personal Data
4.1. Use: We use Data that you, as a user of the Services, have provided to us only for the Purposes.
4.2. Transfer: We transmit Data to third parties only if (i) this is necessary for the Purposes, such as when we use service providers, (ii) this is required by a national authority or court order, or (iii) you have consented beforehand.
4.3. Service Providers: For some parts of our Services, we use third-party providers to process data on our behalf, including:
- Paystack Holdings Inc. — payment processing and sub-account management
- Resend Inc. — transactional email delivery
- Neon Inc. — managed database hosting
- Render Inc. — API server hosting and infrastructure
- Vercel Inc. — web application hosting and edge delivery
- PostHog Inc. — product analytics (page views, feature usage, user behaviour)
- Functional Software, Inc. (Sentry) — error monitoring and performance diagnostics
Most of these providers are headquartered in the United States or the European Union. Where your Data is transferred outside Ghana, we take steps to ensure that the recipient provides an adequate level of protection consistent with the Ghana Data Protection Act, 2012 (Act 843), as required by Section 30(4) of that Act. Such steps include binding data processing agreements, Standard Contractual Clauses, or equivalent contractual safeguards.
5. Storage and Data Safety
5.1. Storage Period: We store your Data for as long as you are a registered user of the Services. Beyond that, we only store Data if it is legally necessary (for example, due to accounting, tax, or retention obligations) or otherwise required.
5.2. Deletion and Destruction: Data will be deleted or destroyed if (a) you revoke your consent to storage, (b) the Data is no longer needed to fulfil the user contract, or (c) storage is or becomes legally impermissible. When Data is destroyed, it is done in a manner that prevents reconstruction, as required by Section 24(5) of the Ghana Data Protection Act, 2012 (Act 843). A deletion request does not affect Data where storage is legally required, for example for financial or audit records.
5.3. Safety Measures: To avoid unauthorised access and to secure your Data, we apply the following measures: encrypted transmission (TLS), encrypted storage at rest, role-based access controls, audit logging, data backup procedures, and physical security measures for servers. These measures are regularly reviewed and updated.
5.4. Security Breach Notification: If we become aware of a security incident that compromises your personal data, we will notify the Data Protection Commission of Ghana and, where the breach is likely to result in harm to you, notify you as the affected data subject, as soon as reasonably practicable after discovery, in accordance with Section 31 of the Ghana Data Protection Act, 2012 (Act 843). Notification will describe the nature of the breach, the categories of data affected, and the steps we are taking to address it.
6. Your Rights
6.1. Exercise of Rights: To exercise the rights described below, please send a request by email to legal@astabill.com or by mail to the address in Section 1.4.
6.2. Revocation of Consent: You may revoke consent for future data processing at any time. This does not affect the lawfulness of processing carried out before revocation.
6.3. Right of Access: You have the right to obtain confirmation as to whether your Data is being processed by us and, if so, to receive specific information including processing purposes, categories of Data, potential recipients, and storage duration.
6.4. Right to Rectification: You have the right to obtain correction of inaccurate Data. Where Data we process is incorrect, we will rectify it without undue delay and inform you.
6.5. Right to Erasure: If you no longer want us to process your Data, please send a deletion request to legal@astabill.com. We will erase your Data and inform you. Where mandatory law prevents erasure, we will inform you without undue delay.
6.6. Right to Restriction of Processing: You have the right to request restriction of processing of your Data where:
- You have disputed the accuracy of the Data, pending verification
- You believe processing is unlawful but oppose erasure
- You require the Data for the establishment, exercise, or defence of legal claims
- You have objected to processing pending verification of legitimate grounds
6.7. Right to Data Portability: You have the right to receive your Data in a structured, commonly used, and machine-readable format, and to transmit that Data to another controller without hindrance from us. You can export your invoices, customers, and business data directly from your workspace settings. For additional export requests, contact legal@astabill.com.
6.8. Right to Object: You have the right to object at any time to the processing of your Data based on legitimate interests.
6.9. Right to Lodge a Complaint: You have the right to lodge a complaint with the Data Protection Commission of Ghana if you believe that the processing of your Data infringes applicable data protection law.
6.10. Right to Prevent Processing Causing Damage or Distress: You have the right to require us, by written notice, to cease or not begin processing your Data where such processing is causing or is likely to cause you substantial unwarranted damage or distress, as provided by Section 39 of the Ghana Data Protection Act, 2012 (Act 843). We will respond within 21 days of receiving your notice, stating either that we have complied or our reasons for not doing so.
6.11. Automated Decision-Making: You have the right not to be subjected to a decision made solely on the basis of automated processing that significantly affects you. If we use automated decision-making in connection with your Data, you may request a human review of that decision by contacting us at legal@astabill.com, in accordance with Section 41 of the Ghana Data Protection Act, 2012 (Act 843).
7. Cookies
7.1. What are Cookies? The website uses cookies — small text files placed on your device by your browser. When you return to our website, your browser sends the stored cookie back to our server. Cookies may be used to manage authentication sessions, remember preferences, or analyse usage.
7.2. Disabling Cookies: You may disable cookies through your browser settings (for example, in Chrome, Firefox, Safari, or Edge). However, disabling certain cookies may impair the full functionality of the Services.
7.3. Cookie Policy: Please see our Cookie Policy for more information on the categories of cookies we use and how to manage your preferences.
8. Analytics and Monitoring
We use third-party tools to understand platform usage and diagnose errors. Each tool is described below, including what data it collects, where that data is stored, how to opt out, and where to find its own privacy policy.
8.1 PostHog (Product Analytics)
Provider: PostHog Inc., 965 Mission St, San Francisco, CA 94103, USA.
What is collected: Page views, feature interactions, click events, session activity, and your account identifier. Data is used solely to understand how the platform is used and to improve it.
Data location: United States.
Opt-out: You may opt out by adjusting your privacy settings within the Service. You may also prevent PostHog from collecting data by enabling tracking prevention in your browser or using a content-blocking extension.
Privacy Policy: https://posthog.com/privacy
8.2 Sentry (Error Monitoring)
Provider: Functional Software, Inc. (Sentry), 45 Fremont St, San Francisco, CA 94105, USA.
What is collected: Technical identifiers including user ID, email address, device type, browser version, stack traces, and request details — captured only when an application error occurs. This data is used solely to diagnose and resolve technical issues and is not used for marketing.
Data location: United States.
Opt-out: Sentry only activates in response to application errors; it does not run continuously. A general opt-out is not available, but Sentry captures the minimum identifiers necessary for diagnostics only.
Privacy Policy: https://sentry.io/privacy/
8.3 Data Processing Agreements
Both PostHog and Sentry operate under data processing agreements with Astacraft Systems Limited and are contractually prohibited from using your data for their own purposes.
9. Changes to This Privacy Policy
9.1. If the Company decides to change this Privacy Policy, it will post those changes directly in the Services. Where changes are material to your data protection rights, you will be asked to confirm acceptance before continuing to use the Services.