Privacy Policy
Effective May 17, 2026 · How tondomarket collects, uses, stores, and protects your personal data.
This policy explains what personal information tondomarket collects, why, how we use it, and the choices you have. It is written to comply with the Data Protection Act 2012 (Act 843) of Ghana and to align with international best practice (including the EU General Data Protection Regulation where it applies to visitors in the EEA).
1. Who is the data controller
tondomarket is the data controller for the personal data described in this policy. Our address is Accra, Greater Accra Region, Ghana. You can contact our Data Protection Officer at privacy@tondomarket.com.
2. What personal data we collect
Depending on how you use tondomarket, we may collect:
- Account data: name, email, phone number (including WhatsApp number), password (stored hashed), profile photo, role (buyer / seller), location (region and city).
- Seller profile data: shop name, shop description, business category, business hours, addresses, and (for verified sellers) the documents you submit to prove identity or business registration.
- Listings: titles, descriptions, prices, photos, and metadata about items you post.
- Communications: messages sent through our in-app chat, contact forms, reports, reviews, and customer-support tickets.
- Transactional data: details of fees paid through Paystack (subscription, ad campaigns, verification, listing boosts) — we do not store full card numbers; Paystack handles that.
- Usage data: pages visited, products viewed, search queries, devices used, browser type, IP address, approximate location derived from IP, referrer URLs, and timestamps.
- Cookies and similar technologies: see section 7.
3. Why we collect it (legal bases)
- To provide the service — creating your account, displaying listings, enabling chat, processing payments. Legal basis: performance of a contract with you.
- To keep the platform safe — preventing fraud, abuse, spam, and unauthorized access. Legal basis: legitimate interests, and where applicable, legal obligation under the Cybersecurity Act 2020.
- To communicate with you — transactional emails (verification codes, password resets, listing approvals), and — if you opt in — marketing emails. Legal basis: consent for marketing; legitimate interest for transactional notices.
- To improve the product — analytics, A/B testing, search relevance tuning. Legal basis: legitimate interests, with personal identifiers minimized.
- To comply with the law — responding to lawful requests from Ghanaian authorities (Police, EOCO, Cyber Security Authority), tax obligations, and similar. Legal basis: legal obligation.
4. Who we share data with
We do not sell your personal data. We share it only with:
- Other tondomarket users — e.g. your name, shop name, and listings are public; your WhatsApp number is shown on your shop page only if you choose to enable WhatsApp contact.
- Service providers we rely on to operate the platform: Paystack (payments), our cloud hosting and email provider, push-notification gateways, anti-fraud screening services. These providers process data on our behalf under contractual data-protection obligations.
- Ghanaian authorities when required by law (e.g. court order, investigation by the Police Cybercrime Unit, Cyber Security Authority).
- Successors in the event of a business sale, merger, or restructuring — your data may transfer under the same terms.
Where data is transferred outside Ghana (for example, to international hosting infrastructure), we ensure appropriate safeguards are in place as required by Act 843, including standard data-protection clauses with the recipient.
5. How long we keep your data
- Account data — retained while your account is active. After you delete your account, we keep the bare minimum (e.g. a hashed identifier and your transaction history) for up to 7 years to meet our tax and accounting obligations.
- Messages and notifications — kept for up to 24 months, after which they are routinely deleted (you can also clear your inbox manually from your dashboard).
- Listings — kept while live; soft-deleted listings remain queryable in our backend for 180 days for fraud-investigation purposes, then permanently deleted.
- Payment records — kept for the legally-mandated retention period (typically 6 years from the date of the transaction).
- Security and access logs — kept for up to 12 months, then aggregated or deleted.
6. Your rights
Under the Data Protection Act 2012, you have the right to:
- Access your personal data and request a copy.
- Rectify inaccurate or incomplete data.
- Object to processing for direct marketing.
- Withdraw consent at any time, where consent is the legal basis (e.g. marketing emails — use the unsubscribe link or your account settings).
- Lodge a complaint with the Data Protection Commission if you believe we've mishandled your data.
Visitors from the EEA/UK additionally have the right to data portability and the right to be forgotten under the GDPR. Email privacy@tondomarket.com to exercise any of these rights.
7. Cookies and similar technologies
tondomarket uses cookies and localStorage in the following categories:
- Essential cookies — keep you signed in, remember CSRF tokens, store cart and consent preferences. These cannot be switched off.
- Functional cookies — remember your search filters, language, region, and feed preferences.
- Analytics cookies — measure page views and feature usage so we can improve the platform. These are loaded only after you accept the cookies banner.
You can accept or decline non-essential cookies via the banner shown on your first visit; your choice is remembered for 6 months. You can revisit the choice anytime by clearing the tm_cookie_consent cookie in your browser.
8. How we protect your data
- All connections to tondomarket use HTTPS (TLS 1.2 or higher).
- Passwords are stored as salted hashes using a modern algorithm. We never see your password in plaintext.
- SMTP credentials and similar secrets are encrypted at rest using AES-256.
- Access to production data is limited to authorized staff on an audited basis.
- We monitor for suspicious sign-in patterns and lock accounts after repeated failed attempts.
No system is perfectly secure. If we discover a personal-data breach that is likely to result in a risk to your rights, we will notify you and the Data Protection Commission as required by Ghanaian law.
9. Children
tondomarket is not intended for children under 18. We do not knowingly collect personal data from anyone under 18. If you become aware that a child has provided us with personal data, please contact us and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will update the "Effective" date at the top, and for material changes we will notify you by email or an in-app banner. We encourage you to revisit this page periodically.
11. Contact us
Data-protection questions: privacy@tondomarket.com. Other support: support@tondomarket.com or the contact page.
tondomarket · Accra, Greater Accra Region, Ghana · © 2026 All rights reserved.