Asterisks

Legal Hub

Everything you need to know about how we handle your data, our compliance with regulations, and your responsibilities on the platform.

Privacy Policy

Last Updated: April 26, 2026

This Privacy Policy explains how Asterisks ("we", "us") collects, uses, shares, and safeguards personal information when you use our website, dashboard, APIs, and the USSD flows you build on the platform (the "Service"). It is written to comply with the Ghana Data Protection Act, 2012 (Act 843), the EU General Data Protection Regulation (GDPR) where applicable, and Nigeria's NDPR.

1. Who We Are

Asterisks is the data controller for personal data of platform users (developers, account owners, team members). For end-user USSD session data your applications process, you are the data controller and Asterisks acts as a data processor under a Data Processing Agreement (DPA) which is incorporated by reference. Request our DPA at privacy@useasterisks.com.

2. Categories of Data We Collect

  • Account data: name, email, phone number, organization, role, and authentication credentials (passwords are hashed; passkey public keys are stored).
  • Billing data: top-up history, invoice records, and the last four digits of any card via our payment processor (we do not store full card numbers).
  • Usage data: pages viewed, features used, IP address, device and browser type, referrer, and timestamps.
  • USSD session metadata (processed on your behalf): MSISDN, session ID, network operator, input string, and timestamps. Content of inputs is processed transiently to route the session.
  • Support data: messages, screenshots, and bug reports you submit.

3. Lawful Bases (GDPR & Act 843)

We process your data on one or more of the following bases: (a) contract — to provide the Service you signed up for; (b) legitimate interests — to secure the platform, prevent fraud, and improve features; (c) legal obligation — to comply with NCA, financial, and tax regulations; (d) consent — for analytics cookies and marketing communications, which you can withdraw at any time.

4. How We Use Personal Data

  • Provide, operate, and maintain the Service.
  • Authenticate accounts, route USSD sessions, and bill usage.
  • Detect and prevent fraud, abuse, and security incidents.
  • Communicate updates, security notices, and (with consent) marketing.
  • Comply with legal obligations and respond to lawful requests.

We do not sell personal data, and we do not use Customer Data to train AI models.

5. Sharing & Sub-Processors

We share personal data only with:

  • Aggregators (Hubtel, Nalo Solutions, Arkesel, Africa's Talking) — strictly to deliver USSD requests you have configured.
  • Cloud infrastructure (e.g., Vercel for hosting, our managed database and cache providers) — bound by data processing agreements.
  • Payment processors for top-ups and invoicing.
  • Analytics (Google Analytics 4, with IP anonymisation) — only after you accept the cookie banner.
  • Authorities, where compelled by valid legal process.

A current list of sub-processors is available at privacy@useasterisks.com.

6. International Transfers

Our primary infrastructure is in regional data centres serving Africa. Where data is transferred outside Ghana (for example, to the EU or US), we rely on Standard Contractual Clauses, adequacy decisions, or your explicit consent. Enterprise customers can request in-region or on-premise deployments.

7. Retention

  • Account data: for the life of your account, plus 90 days after closure.
  • Billing records: 7 years (statutory tax retention).
  • USSD session metadata: 90 days by default, configurable to 30 days for Enterprise customers.
  • Server logs: 30 days.

8. Your Rights

Subject to applicable law, you have the right to: access your data, request rectification of inaccuracies, request deletion, restrict or object to processing, port your data, and withdraw consent. To exercise any of these rights, email privacy@useasterisks.com — we will respond within 30 days. You also have the right to lodge a complaint with the Ghana Data Protection Commission (dataprotection.org.gh) or your local supervisory authority.

9. Cookies & Tracking

We use strictly-necessary cookies for authentication and a session token. Analytics cookies (GA4) are set only after you accept them via our cookie banner. You can change your preferences at any time via the Cookie Preferences link in the footer. We honour the Global Privacy Control (GPC) signal.

10. Children

The Service is not directed to children under 18 and we do not knowingly collect data from minors. If you believe a child has provided us data, contact us and we will delete it.

11. Security

We implement TLS 1.3 in transit, AES-256 at rest, hardened HttpOnly authentication cookies, role-based access controls, audit logging, and regular vulnerability assessments. No system is perfectly secure — please report vulnerabilities responsibly to security@useasterisks.com.

12. Contact / DPO

Privacy questions, rights requests, or DPA requests: privacy@useasterisks.com. Postal: Asterisks, Accra, Ghana.