Privacy and GDPR

Personal data rules for a financial platform.

This policy explains what data is collected, why it is processed, who receives it, how long it is kept, and how members, staff, and institutions can exercise data protection rights.

Last updated: June 12, 2026

Who Controls Your Data

Your credit union or institution is normally the controller for member account, KYC, savings, shares, loans, checkoff, and transaction records. MicroSuite acts as the platform provider and may act as processor or joint controller depending on the deployment contract.

Privacy questions can be sent to privacy@microsuite.gh or raised directly with the credit union responsible for your account.

Data We Collect

Identity and contact data: name, email, phone, address, date of birth, national ID or membership identifiers, institution affiliation, staff role, and login details.

Financial data: account numbers, balances, savings, shares, fixed deposits, loans, repayments, arrears, fees, approvals, reversals, ledger entries, checkoff postings, and statements.

Technical data: IP address, browser, device, session events, audit logs, security events, OTP records, and support messages.

Why We Process It

Contract and service delivery: to operate accounts, process transactions, manage loans, produce statements, and provide support.

Legal obligation: to keep financial records, maintain KYC data, support regulatory reporting, prevent financial crime, and comply with lawful requests.

Legitimate interests: to secure the platform, detect fraud, maintain audit trails, improve reliability, and protect members and institutions.

Consent: for optional analytics cookies, optional marketing, non-essential communications, and any processing where consent is the correct legal basis.

Your GDPR Rights

You may request access to your data, correction of inaccurate data, deletion where lawful, restriction of processing, portability of provided data, objection to legitimate-interest processing, and withdrawal of consent.

Deletion is not absolute in a banking system. Core user identity records, account records, ledger entries, loan records, repayments, statements, KYC evidence, approvals, audit logs, and transaction history may need to be retained so the institution can monitor accounts, explain balances, investigate disputes, meet AML/CFT duties, prepare accounts, and satisfy regulators.

Data that may be deleted or anonymized includes optional marketing preferences, expired support attachments, duplicate uploads, non-required profile extras, stale device/session records, and optional analytics identifiers where there is no overriding legal or operational reason to keep them.

We aim to respond to verified rights requests within 30 days unless the request is complex or the law allows an extension.

Cookies and Consent

Strictly necessary cookies keep sessions secure, maintain authentication, and protect the service. They cannot be disabled through the platform because the banking service cannot function without them.

Analytics and marketing cookies are optional and should only run after consent. You can accept, reject, or change optional preferences using the privacy control shown on the site.

Sharing and Processors

Data may be shared with authorized credit union staff, regulators, auditors, payment processors, SMS/email providers, cloud hosting providers, support tools, and fraud/security vendors where needed.

Vendors must process data only for approved purposes and must apply appropriate confidentiality, security, retention, and breach notification controls.

Retention

Member, transaction, KYC, loan, ledger, audit, and regulatory records are retained for the period required by financial, tax, AML/CFT, accounting, dispute, and institutional rules.

Optional marketing consent records and cookie preferences are retained only as long as needed to prove and respect your preference.

Security

The platform uses access controls, authentication, role restrictions, audit logging, encrypted transport, session management, and operational monitoring.

If a personal data breach is likely to create a risk to affected people, the relevant controller should assess notification duties and notify authorities and affected users where required by law.

International Transfers

Where service providers process data outside the local jurisdiction, the deployment should rely on appropriate contractual, organizational, and technical safeguards.

Institutions should keep an up-to-date vendor register showing where data is processed and what safeguards apply.

Requests and Complaints

Send data requests to privacy@microsuite.gh with your name, institution, contact details, and the right you want to exercise. We may need to verify your identity before acting.

If you are unsatisfied, you may complain to your institution, the relevant data protection authority, or the Data Protection Commission of Ghana where applicable.

Operational note

This page and the consent control are compliance support features. Final legal obligations depend on each institution, jurisdiction, vendor contract, retention rule, and actual processing activity.