OnePass Africa
Privacy Policy
Last updated · 2026-05-12
This Policy explains how OnePass Africa ("OnePass", "we", "us") collects, uses, and shares personal data when you use our platform — whether as an event organizer, a ticket buyer, or a visitor to onepassafrica.com.
1. The data we collect
- Account data: your email, name (optional), and the events / organizers your account is associated with.
- Buyer data: name, email, phone, and tickets purchased. Collected by the organizer at checkout and stored on our platform on their behalf.
- Wallet card data: a unique cross-network MemberCard identifier and the QR rotation history. This is the data that lets one pass work across every gate on OnePass.
- Payment data: handled by Paystack. We see references, amounts, and outcomes — never card numbers or PIN data.
- Operational data: IP addresses for rate limiting and fraud signals, audit logs of privileged actions, basic device info for accessibility (reduced-motion preference).
- Optional inputs: anything you add to your storefront (organizers) or your account profile (buyers).
2. How we use it
- Provide the platform: render storefronts, process checkouts, scan tickets, route platform-fee splits, send transactional email.
- Keep the platform safe: rate limiting, abuse detection, audit trails of who did what on which tenant.
- Improve the platform: anonymized usage analytics. We never use buyer data to train external AI products.
- Honor your requests: the event concierge ("ask in plain English…") sends the prompt to a hosted LLM; we do not store the prompt with your account beyond the URL parameters needed to remount the filtered listing.
3. Cookies and similar tech
We use first-party cookies for sign-in and rate-limiting. We use Plausible Analytics, which is cookieless and aggregates without an individual buyer identifier. We do not use ad-network cookies. We do not sell your data to third parties.
4. Sharing
- With Organizers: each Organizer can see the buyers who purchased their tickets. We don't share buyer data across Organizers.
- With Paystack: charge initiation and refund requests carry the buyer's email and the amount.
- With email providers (Resend): transactional email contains the recipient's email address.
- With Cloudflare R2: admin-uploaded media (logos, hero images, event photos) is stored on R2's public-read bucket.
- With law enforcement: only on a valid order, and only the minimum necessary.
5. Retention
- Audit logs: kept indefinitely for the lifetime of the tenant; archived for a defined period after tenant deletion.
- Tickets and orders: kept for as long as the Organizer's account remains active, plus a reasonable period for accounting and refund-window compliance.
- Account data: kept until you close the account; we honor erasure requests subject to legal-retention overrides (tax, accounting, refund disputes).
6. Your rights
You can access, correct, export, or delete your data. Buyers do this through the Organizer where they bought the ticket; Organizers do this through their admin console, or by emailing privacy@onepassafrica.com.
You have the right to lodge a complaint with your local data-protection regulator. In Ghana, that's the Data Protection Commission.
7. Cross-border transfers
Our infrastructure runs on Vercel and Neon (Postgres), with media on Cloudflare R2 and email through Resend. Some of these vendors host data outside Ghana. Where required by law we put appropriate transfer safeguards (standard contractual clauses) in place.
8. Security
We encrypt sensitive secrets at rest (Paystack credentials are AES-encrypted with a per-platform key). All traffic uses HTTPS. We run rate limiting on authentication and checkout endpoints. No system is perfectly secure; if we identify a breach affecting your data we will notify you and the regulator on the statutorily required timeline.
9. Children
OnePass is not intended for users under 16. Organizers must apply their own age-verification at the door for events with age restrictions; we do not collect age data automatically.
10. Changes
We will post any revision with an updated "Last updated" date. Material changes to how we handle buyer data will be notified through the platform.
11. Contact
privacy@onepassafrica.com — for data-subject requests, security questions, and anything else this Policy doesn't cover.