Privacy Policy
Your privacy matters to us. This page explains what personal data we collect, why we collect it, and how we protect it.
Data Privacy Information
This privacy statement informs you about how we treat your data. To make the processing of your data transparent, we would like to provide you with the following information to give you an overview of these processing operations. To keep things fair, we additionally want to inform you about your rights pursuant to the Data Protection Act 843 of Ghana (2012), EU-General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), and the Rwandan Law No. 058/2021 on the Protection of Personal Data and Privacy.
We will inform you in detail about
- General Information
- Data Processing on our Website
- Data Processing on our Social Media
AmaliTech Ghana Limited is the controller of the data processing (hereinafter referred to as ‘we’ or ‘us’).
General Information
Contact
If you have any questions or feedback concerning this information or wish to contact us to exercise your rights, please send your enquiry to
AmaliTech Ghana Limited
SSNIT House 27 Ama Akroma Road
Takoradi, Ghana
Email: info@amalitech.com
Legal Basis
The legal term ‘personal data’ refers to all information relating to an identified or identifiable natural person.
We process personal data in compliance with the data protection regulations, in particular the DPA, GDPR and the BDSG. We solely process data based on law. We process personal data
- solely with your consent (DP Act 843 section 20(1), RDL Art. 12 and Art. 6 section 1 letter a GDPR),
- to perform a contract to which you are a party or to take steps at your request prior to entering into a contract (DP Act 843 section 20(1a), RDL Art. 13 and Art. 6 section 1 letter b GDPR),
- to comply with a legal obligation (DP Act 843 section 20(1b), RDL Art. 14 and Art. 6 section 1 letter c GDPR) or
- where processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (DP Act 843 section 20(1b), RDL Art. 15 and Art. 6 section 1 letter f GDPR).
If you apply for an open position in our company, we will, additionally, process your personal data to decide on whether to hire you (DP Act 843 section 17(c), RDL Art. 13 and § 26 para. 1 sentence 1 BDSG).
Period of Storage
Unless otherwise stated in the following, we will only store your data for as long as required to achieve the intended processing purpose or to fulfil our contractual or statutory obligations. In particular, such statutory retention requirements may result from regulations under commercial or tax law.
Recipients of Data
For certain processing activities, we rely on service providers. These processing activities include, for example, hosting, maintenance and support for IT systems or destruction of paper files and data carriers. A ‘processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors process data not for their own purposes but solely for the controller and are contractually obliged to implement appropriate technical and organizational measures ensuring data protection.
Apart from that, we may transfer your data to postal and delivery services, our bank, consultants/auditors or the fiscal authority if necessary.
Should your data be transferred to further recipients, you can find this information under the description of the respective processing activity.
Processing in the Exercise of your Rights pursuant to Art. 15 to 22 GDPR
If you exercise your rights pursuant to DP Act 35 to 44, RDL Art. 24 to 30 and Art. 15 to 22 GDPR, we process the personal data transferred in order for us to grant you your rights and to acquire proof thereof. For the purpose of providing information and preparing such information, we will process the stored data only for this purpose as well as for purposes of data protection control and otherwise restrict processing in accordance with DP Act 35, RDL Art. 27 and Art. 18 GDPR. These processing operations are based on DP Act 20(1c), RDL Art. 14 and Art. 6 section 1 letter c GDPR in combination with DP Act 35 to 44, RDL Art. 24 to 30, Art. 15 to 22 GDPR and § 34 para. 2 BDSG.
Your rights
As the data subject, you are entitled to exercise your rights against us. In particular, you have the following rights:
Pursuant to DP Act 35(c), RDL Art. 24, Art. 15 GDPR and § 34 BDSG, you have the right of access to information confirming whether and, if so, to what extent we are processing personal data concerning you.
Pursuant to DP Act 843 section 33(a), RDL Art. 25 and Art. 16 GDPR, you have the right to rectification of your data.
Pursuant to DP Act 843 section 33(b), RDL Art. 26, Art. 17 GDPR and section 35 BDSG, you have the right to erasure of your personal data.
Pursuant to DP Act 843 section 20(2 & 3), RDL Art. 27 and Art. 18 GDPR, you have the right to require us to restrict the processing of your personal data.
Pursuant to DP Act 843 section 35(1), RDL Art. 28 and Art. 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and the right to transfer such data to another controller.
Where you have granted us specific consent to a processing activity, you can withdraw such consent at any time pursuant to DP Act 843 section 20(3), RDL Art. 12 and Art. 7 section 3 GDPR. Any such withdrawal of consent shall not affect the lawfulness of processing based on that consent prior to its withdrawal.
If you are of the view that the processing of your personal data infringes the DP Act 843, RDL Art. 30 and GDPR provisions, you have the right to lodge a complaint with a supervisory authority (in Germany: the relevant Landesbeauftragter für Datenschutz; in Ghana: the Data Protection Commission (DPC); in Rwanda: the Rwanda Information Society Authority (RISA)) pursuant to DP Act 843, RDL Art. 30 and Art. 77 GDPR.
Right to object
Pursuant to DP Act 843 section 20(2), RDL Art. 29 and Art. 21 section 1 GDPR, you have the right to object to processing activities based on Art. 6 section 1 letter e or letter f GDPR on grounds relating to your particular situation. If we process your personal data for the purpose of direct marketing, you may object to such processing pursuant to DP Act 843 section 40(2), RDL Art. 29 and Art. 21 section 2 and section 3 GDPR.
Data protection officer
You can contact our data protection officer via the following address:
Farida Baberin-Yor Beacher
AmaliTech Ghana Limited
SSNIT House 27 Ama Akroma Road
Takoradi
Email: farida.beacher@amalitech.org
Data processing on our website
During use of our website, we collect information that you provide yourself. We also automatically collect certain information about your use of the site during your visit to the site. In data protection law, the IP address is also considered personal data. An IP address is assigned to each device connected to the internet by the internet provider so that it can send and receive data.
Processing of Server-Log-Files
When using our website for informative purposes only, general information that your browser transfers to our server is initially stored automatically (not via registration). This includes by default: browser type/-version, operating system used, page called, the previously visited page (referrer URL), IP address, date and time of server request and HTTP status code. The processing is carried out in pursuit of our legitimate interests and is based on DP Act 843 section 20(1e), RDL Art. 15 and Art. 6 section 1 letterGDPR. This processing serves the technical administration and security of the website. The data collected will be deleted when the visitor logs off the site unless the visitor leaves a message that requires attention and/or response from the site administrator or any department, after thirty days unless there is a justified suspicion of illegal use based on concrete indications and further examination and processing of the information is necessary for this reason. We are unable to identify you as a data subject based on the information collected. Art. 15 to 22 GDPR therefore do not apply pursuant to Art. 11 section 2 GDPR, unless you provide additional information to enable your identification in order to exercise the rights set out in these articles.
Data Transfer to third countries
Visiting our website may involve the transfer of certain personal data to third countries, i.e. countries where the GDPR is not applicable law. Such a transfer shall be authorised if the European Commission has decided that an adequate level of data protection is ensured in such third country.
In the absence of such an adequacy decision by the European Commission, personal data will only be transferred to a third country if appropriate safeguards are in place in accordance with Art. 46 GDPR or if one of the conditions of Art. 49 GDPR is met.
Unless otherwise stated below, we use as appropriate safeguards the EU standard contractual clauses for the transfer of personal data to processors in third countries (Commission Implementing Decision (EU) 2021/914): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914.
Contact and requests
Our website contains contact forms through which you can send us messages. The transfer of your data is encrypted (recognizable by the "https" in the address line of the browser). All data fields marked as mandatory are required to process your request. Failure to provide this data will result in us not being able to process your request. The provision of further data is voluntary. Alternatively, you can send us a message via the contact e-mail. We process the data for the purpose of answering your inquiry. If your request is directed towards the conclusion or performance of a contract with us, DP Act 843 section 20(1a), RDL Art. 13 and Art. 6 section 1 letter b GDPR is the legal basis for data processing. Otherwise, we process the data on the basis of our legitimate interest in contacting inquiring persons. The legal basis for data processing is then DP Act 843 section 20(1b), RDL Art. 14 and Art. 6 section 1 letter f GDPR.
Application
When you apply for a position at our company, we process your application data exclusively for purposes related to your interest in current or future employment with us. Your application will only be processed and acknowledged by the responsible contact persons. All employees entrusted with data processing are obliged to maintain the confidentiality of your data. If we are unable to offer you a position, we will retain the data you provide for up to three months for the purpose of potentially answering questions relating to your application and rejection. This does not apply if legal provisions prevent deletion, if further storage is necessary for the purpose of presenting evidence or if you have expressly consented to longer storage. Legal basis for the data processing is DP Act 843 section 17(c), RDL Art. 17 and § 26 para. 1 sentence 1 BDSG.
If we keep your applicant data for a period of four months and you have expressly consented to this, we would like to point out that this consent can be freely withdrawn at any time in accordance with DP Act 843 section 20(3), RDL Art. 12 and Art. 7 section 3 GDPR. Such a withdrawal of consent does not affect the lawfulness of the processing, which has taken place prior to the withdrawal.
SmartRecruiters
We use SmartRecruiters, a recruitment platform provided by SmartRecruiters Inc. (USA), to manage job applications submitted through our website. Depending on the role, you may interact with SmartRecruiters in one of two ways: either via a form embedded directly on our website, or by being redirected to a SmartRecruiters-hosted careers page to complete your application. In both cases, the same data protection standards apply.
Through SmartRecruiters, we collect the personal data you voluntarily provide as part of your application. This includes standard application data such as your name, email address and CV, as well as any additional information you choose to submit, such as a cover letter, portfolio, links to professional profiles, or responses to role-specific questions. You are not required to submit additional data beyond what is marked as mandatory, but failure to do so may affect our ability to fully assess your application.
AmaliTech acts as the data controller and SmartRecruiters acts as our data processor, processing your personal data solely on our behalf and in accordance with our instructions. We have concluded a Data Processing Agreement (DPA) with SmartRecruiters in accordance with Art. 28 GDPR to ensure appropriate technical and organisational safeguards are in place. The legal basis for this processing is DP Act 843 section 17(c), RDL Art. 17 and § 26 para. 1 sentence 1 BDSG.
As SmartRecruiters Inc. is headquartered in the United States, the processing of your application data may involve a transfer of personal data to a country outside the EU/EEA. Such transfers are carried out on the basis of Standard Contractual Clauses pursuant to Art. 46 section 2 letter c GDPR (Decision (EU) 2021/914). Please also refer to the “Data Transfer to Third Countries” section of this policy for further information.
For further information on how SmartRecruiters processes personal data, please refer to their privacy policy at https://www.smartrecruiters.com/legal/general-privacy-policy/.
Cookies
We use cookies and similar technologies on our website. Cookies are small text files that are stored by your browser when you visit a website. This makes the browser identifiable so it can be recognised by our web server. We use so-called ‘session cookies’, which are deleted when the browser session is ended. Other cookies (‘persistent cookies’) are automatically deleted after a specific period, which may vary depending on the cookie.
In part, the use of cookies is necessary to maintain functionality and operation of our website. Apart from that, we use cookies and similar technologies to measure the coverage of our website and analyse the use of our website.
Cookies are stored on the computer of the user. Therefore, you as the user have full control over the use of cookies. You can delete cookies in the security settings of your browser at any time. You can object to the use of cookies entirely or for certain cases in your browser settings.
You can find information on how we use cookies and similar technologies in the description of the specific processing activity. Further information about cookies used on our website can be found via the privacy settings in the consent banner. For users accessing our website from Germany, please note that the storage of and access to information on your device is additionally governed by the German Telecommunications-Telemedia Data Protection Act (TDDDG, formerly TTDSG), which came into force on 1 December 2021 and was renamed on 14 May 2024. Where such storage or access requires consent, we rely on § 25 TDDDG as the applicable legal basis alongside the GDPR.
Google Analytics
We use the Google Analytics service of the provider Google Ireland Limited (Google Ireland/EU) on our website.
Google Analytics is a web analytics service that allows us to collect and analyze data about the behavior of visitors to our website. Google Analytics uses cookies for this purpose, which enable an analysis of the use of our website. Personal data in the form of online identifiers (including cookie identifiers), IP addresses, device identifiers and information about interaction with our website are processed in the process.
Some of this data is information that is stored in the terminal device you are using. In addition, further information is also stored on your end device via the cookies used. Such storage of information by Google Analytics or access to information that is already stored in your terminal device only takes place with your consent.
Google Ireland will process the data thus collected on our behalf in order to evaluate the use of our website by the users, to compile reports on the activities within our website and to provide us with further services related to the use of our website and the internet. In doing so, pseudonymous usage profiles of the users can be created from the processed data.
The setting of cookies and the further processing of personal data described here takes place with your consent. The legal basis for the data processing in connection with the Google Analytics service is therefore DP Act 843 section 20(1), RDL Art. 12 and Art. 6 section 1 letter a GDPR. You can revoke this consent at any time with effect for the future.
The personal data processed on our behalf to provide Google Analytics may be transferred to any country in which Google Ireland or Google's Ireland sub-processors maintain facilities. The legal basis for this transfer is the standard contractual clauses for the transfer of personal data to processors in third countries pursuant to Art. 46 section 2 letter c GDPR.
We only use Google Analytics with IP anonymization enabled. This means that the IP address of the user is shortened by Google Ireland within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. The IP address transmitted by the user's browser is not merged with other data.
We use Google Analytics 4 (GA4), the current version of Google’s analytics platform. GA4 uses an event-based data model and supports cross-device measurement. It includes built-in IP anonymisation by default and is designed to operate with or without cookies, in line with modern privacy requirements.
Data on user actions is stored for a period of 14 months and then automatically deleted. Data whose storage period has expired is automatically deleted once a month.
ZoomInfo WebSights
We use ZoomInfo WebSights, a B2B website visitor identification service provided by ZoomInfo Technologies LLC (805 Broadway St, Suite 800, Vancouver, WA 98660, USA). WebSights works by embedding a ZoomInfo tracking script on our website. When you visit our website, this script collects your IP address and certain related information — such as pages visited, click behaviour, approximate device location, and browser information — and transmits it to ZoomInfo. ZoomInfo cross-references this data against their proprietary business database in order to identify the name and firmographic details (such as industry, size, and location) of the company associated with your IP address. The output we receive is company-level information only; we do not receive the names or personal details of individual visitors through this tool.
The purpose of using ZoomInfo WebSights is to understand which organisations are visiting our website so that we can better tailor our B2B outreach, improve our marketing activities, and identify potential business opportunities. We do not use the data collected through WebSights to identify or contact individuals, and we do not combine the company-level output with other data sources to profile individual visitors.
The ZoomInfo tracking script sets cookies and accesses information stored on your device. Under § 25 TDDDG, this requires your prior consent. Accordingly, the ZoomInfo WebSights script is only activated after you have given your explicit consent via our cookie consent banner. You may withdraw your consent at any time with effect for the future by adjusting your cookie preferences via the consent settings accessible on our website. Withdrawal of consent does not affect the lawfulness of any processing that took place prior to the withdrawal.
The legal basis for the processing of your personal data (including your IP address) by ZoomInfo WebSights is your consent pursuant to DP Act 843 section 20(1), RDL Art. 12 and Art. 6 section 1 letter a GDPR, in conjunction with § 25 TDDDG for the storage and access to information on your device.
ZoomInfo Technologies LLC acts as our data processor for this service. We have concluded a Data Processing Agreement (DPA) with ZoomInfo in accordance with Art. 28 GDPR. As ZoomInfo is headquartered in the United States, the processing of your data may involve a transfer of personal data to a country outside the EU/EEA. Such transfers are carried out on the basis of Standard Contractual Clauses pursuant to Art. 46 section 2 letter c GDPR (Decision (EU) 2021/914). Please also refer to the “Data Transfer to Third Countries” section of this policy. ZoomInfo holds TRUSTe GDPR and CCPA Practices Validations, as well as ISO 27001 and ISO 27701 certifications.
You may also opt out of ZoomInfo’s data collection directly via ZoomInfo’s opt-out page at https://www.zoominfo.com/about/privacy. For further information on how ZoomInfo processes personal data, please refer to their privacy policy at https://www.zoominfo.com/legal/privacy-policy.
Data processing on our Social Media
We operate company pages on multiple social media platforms via which we offer further opportunities to obtain information about our company and for exchange. We operate company pages on the following social media platforms:
- X (formerly Twitter)
- YouTube
- TikTok
Visiting a company page on social media can result in your personal data being processed. The information in your social media account constitutes personal data. This also encompasses messages and statements made with the account. Additionally, certain information about your visit to a company page is often collected automatically during your visit.
Data Processing during the Visit of a Social Media Page
Facebook and Instagram Page
Certain information about you is processed relating to your visit to our Facebook or Instagram page on which we present our company or individual products. Facebook Ireland Ltd (Ireland/EU – ‘Facebook’) is the sole controller of this processing. Further information about the processing of personal data by Facebook is available via https://www.facebook.com/privacy/explanation.
Facebook provides the opportunity to object to certain processing activities; corresponding information and opt-out-methods are available via https://www.facebook.com/settings?tab=ads.
Facebook provides us with anonymised statistics and insights for our Facebook and Instagram page, which enable us to gain knowledge about the ways in which people interact with our page (so called ‘insights’). These insights are created based on certain information about persons who have visited our page. Facebook and we are joint controllers of this processing. The processing serves our legitimate interest in evaluating the ways in which people interact with our page and improving our page based on this. This finds its legal basis in DP Act 843 section 20(1b), RDL Art. 15 and Art. 6 section 1 letter f GDPR. It is impossible to match the information obtained via insights to individual accounts which interact with our Facebook page. We have concluded an agreement with Facebook on joint controllership in which the data protection duties are allocated between Facebook and us. Details of the processing of personal data for the creation of insights and of the agreement we concluded with Facebook are available via https://www.facebook.com/legal/terms/information_about_page_insights_data. Regarding these processing activities, you may also exercise your rights (see above ‘Your Rights’) against Facebook directly. Further information is available in Facebook’s privacy statement via https://www.facebook.com/privacy/explanation.
Please note that user data is also processed in the USA and other third countries according to Facebook’s data protection guidelines. Facebook only transfers user data to countries for which the European Commission has made an adequacy decision pursuant to Art. 45 GDPR or based on appropriate safeguards pursuant to Art. 46 GDPR.
LinkedIn Company Page
Generally, the LinkedIn Ireland Unlimited Company (Ireland/EU – ‘LinkedIn’) is the sole controller of the processing of your personal data relating to a visit to our LinkedIn page. Further information on the processing of personal data by LinkedIn is available via https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy.
If you visit or follow our LinkedIn company page, LinkedIn processes personal data to provide us with anonymised statistics and insights which enable us to gain knowledge about the ways in which people interact with our page (so called ‘insights’). For this purpose, LinkedIn processes, in particular, such data that you already shared with LinkedIn by adding it to your profile like, for example, position, country, field of work, seniority, company size and employment status. Further, LinkedIn collects information on how you interact with our LinkedIn company page, for example whether you follow our LinkedIn company page. LinkedIn does not share personal data with us by providing us with the insights. We only have access to a summarized version of the insights. Also, we are unable to draw conclusions about individual members from the information in the insights. LinkedIn and we are joint controllers of the processing regarding the page insights. The processing serves our legitimate interest in evaluating the ways in which people interact with our page and improving our page based on this. This finds its legal basis in DP Act 843 section 20(1b), RDL Art. 15 and Art. 6 section 1 letter f GDPR. We have concluded an agreement with LinkedIn on joint controllership in which the data protection duties are allocated between LinkedIn and us. The agreement is available via https://legal.linkedin.com/pages-joint-controller-addendum. The agreement stipulates the following:
- LinkedIn and we have agreed that LinkedIn is responsible for enabling you to exercise your rights pursuant to the GDPR. In order to do so, you can contact LinkedIn online via (https://www.linkedin.com/help/linkedin/ask/PPQ?lang=en) or via the contact details in the data protection guidelines. You can contact the Data Protection Officer of LinkedIn Ireland via the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO. You can also reach out to us via the contact details mentioned above for the exercise of your rights relating to the processing of your personal data for insights. In such a case, we will forward your request to LinkedIn.
- LinkedIn and we have agreed that the Irish data protection commission shall be the responsible supervisory authority monitoring the processing for insights. You always have the right to lodge a complaint with the Irish data protection commission (see www.dataprotection.ie) or any other supervisory authority.
Please note that user data is also processed in the USA and other third countries according to LinkedIn’s data protection guidelines. LinkedIn only transfers user data to countries for which the European Commission has made an adequacy decision pursuant to Art. 45 GDPR or based on appropriate safeguards pursuant to Art. 46 GDPR.
X (formerly Twitter)
Generally, X Corp. (USA) is the sole controller of the processing of your personal data relating to your visit to our X (formerly Twitter) account. Further information on the processing of personal data by X Corp. is available via https://x.com/en/privacy.
TikTok
Generally, TikTok Technology Limited (Ireland/EU) is the sole controller of the processing of your personal data relating to your visit to our TikTok account. TikTok collects information such as your IP address, device identifiers, browsing behaviour, and interaction data when you visit our page. Further information on the processing of personal data by TikTok is available via https://www.tiktok.com/legal/page/eea/privacy-policy/en. Please note that data may also be transferred to servers outside the EU/EEA. TikTok relies on Standard Contractual Clauses as the legal basis for such transfers pursuant to Art. 46 GDPR.
YouTube
We use the YouTube service of Google Ireland Limited (Google Ireland/EU) on our website to integrate videos. For such an integration, a processing of your IP address is technically necessary so that the content can be sent to your browser. Your IP address is therefore transmitted to Google and Google may set its own cookies. We use YouTube in “extended data protection mode” so that no cookies are set by YouTube to analyze user behavior.
This processing of personal data serves our legitimate interest in integrating the video service into our website. The use of YouTube takes place on the legal basis of DP Act 843 section 20(1b), RDL Art. 15 and Art. 6 section 1 letter f GDPR.
With YouTube, a transmission of data to Google Inc. and YouTube LLC in the USA cannot be ruled out. Please note the information in the section “Data transfer to third countries”. Users can find further information on data protection at Google in Google’s privacy policy at https://www.google.com/policies/privacy.
Processing of Data you Share with us via our Company Pages
Additionally, we process information which you provide us with via the respective social media platform. Such information can include the username, contact details or a message to us. Generally, we only process this personal data if we have expressly requested you to share this data with us like, for example, in connection with a survey. We are the sole controller of such processing activities.
We process this data in pursuit of our legitimate interest to reach out to persons submitting requests. The legal basis for this is DP Act 843 section 20(1b), RDL Art. 15 and Art. 6 section 1 letter f GDPR.
Additionally, we might process such data shared with us for purposes of evaluation or marketing. Such processing is based on DP Act 843 section 20(1b), RDL Art. 15 and Art. 6 section 1 letter f GDPR and serves our legitimate interest to develop our product range and inform you about our product range. Further data processing can take place if you have consented (Art. 6 section 1 letter a GDPR) or if this serves to fulfil a legal obligation (Art. 6 section 1 letter c GDPR).
Donation
On our website you have the possibility to support us and our projects with a donation. In the context of your donation, we only process the data that you yourself have entered. The data processing is carried out to process your donation and, if necessary, to send you a donation receipt.
The transfer of your data is encrypted (recognizable by the "https" in the address line of the browser). All data fields marked as mandatory are required to process your request. Failure to provide this data will result in us not being able to process your request.
The legal basis for the processing is in each case DP Act 843 section 20(1a), RDL Art. 13 and Art. 6 section 1 letter b GDPR.
Donation by credit card
We offer you the possibility to donate by credit card. Please note that the respective payment information is collected and processed by the respective payment service providers on their own responsibility.
Donation by PayPal
Furthermore, you have the possibility to donate via PayPal. Please note that the relevant payment information is collected and processed by PayPal (Europe) S.à r.l. et Cie, S.C.A., based in Luxembourg, under its own responsibility.
For more information on data protection at PayPal, please visit: https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE#r5.
Newsletter
We offer on our website the possibility to register for our newsletter. After registration we will inform you regularly about the latest news on our projects. For the registration to the newsletter a valid e-mail address is required. To verify the e-mail address, you will first receive a registration e-mail, which you must confirm via a link (double opt-in). If you subscribe to the newsletter on our website, we process personal data such as your e-mail address on the basis of the consent you have given us. The processing is based on the legal basis of DP Act 843 section 20(1), RDL Art. 12 and Art. 6 section 1 letter a GDPR. You can revoke the consent granted at any time with effect for the future, for example via the "unsubscribe" link in the newsletter or by contacting us via the channels mentioned above. The legality of the data processing operations already carried out remains unaffected by the revocation.
When registering for the newsletter, we also store the IP address and the date and time of registration. The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis results from our legal obligation to document your consent (DP Act 843 section 20(1), RDL Art. 12 and Art. 6 section 1 letter c in conjunction with Art. 7 section 1 GDPR).
Further data processing
In certain cases, we process personal data that we have received from you not online but in other ways.
Use of LinkedIn Insight Tag
We use the LinkedIn Insight Tag to improve our advertising and gain insights into website traffic. This tag sets a cookie in your browser and collects data such as URLs visited, referrer, IP address, device and browser info, and visit time. LinkedIn encrypts and de-identifies this information within seven days, then deletes de-identified data within 180 days. We only receive aggregated reports and do not access personal data. The tag helps us track conversions, retarget visitors, and assess ad performance, so we can deliver more relevant content and campaigns. You control how your data is used: LinkedIn members can adjust settings in their account, while non-members can learn about cookies and opt out via LinkedIn’s guest controls page. These options help you manage your targeted advertising preferences. The legal basis for this processing is DP Act 843 section 20(1b), RDL Art. 15 and Art. 6 section 1 letter f GDPR.
Notice to United States Residents
AmaliTech operates a registered entity in the United States. This section provides additional information for residents of US states that have enacted comprehensive consumer privacy legislation. As of the date of this policy, the United States does not have a single federal privacy law. Instead, privacy rights are governed by a growing number of state-level laws, the most significant of which is the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). Other active state privacy laws include, among others, the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and the Texas Data Privacy and Security Act (TDPSA).
Whether and to what extent these state laws apply to AmaliTech depends on factors including our annual revenue, the volume of personal data we process about residents of each state, and the nature of our activities in each state. We are committed to monitoring our obligations under applicable US state privacy laws as our operations grow, and we will update this policy accordingly. If you are a US resident and have questions about how your data is handled, please contact us using the details in the Contact section above.
Personal Data We Collect and How We Use It
When US residents visit our website or interact with our services, we may collect the following categories of personal data: identifiers (such as name, email address, and IP address); internet or other electronic network activity information (such as browsing behaviour and device information collected via cookies and analytics tools); professional or employment-related information (when you apply for a position); and any other information you voluntarily provide through contact forms, newsletter sign-ups, or donation forms. We use this information for the purposes described in the relevant sections of this privacy policy, including website administration, responding to enquiries, recruitment, and improving our services. We do not use personal data for purposes that are incompatible with the purpose for which it was collected.
We Do Not Sell Your Personal Data
AmaliTech does not sell personal data to third parties, nor do we share personal data with third parties for cross-context behavioural advertising purposes. This applies to all users, including residents of California and other US states. Because we do not sell personal data, the right to opt out of the sale of personal data under the CCPA/CPRA and equivalent state laws does not apply in our case. However, we do use third-party analytics and advertising tools (such as Google Analytics and the LinkedIn Insight Tag) that may involve the sharing of limited data. Where required, we obtain your consent before enabling such tools, and you may withdraw consent at any time via our cookie consent settings.
Rights Available to US Residents
Depending on the state you reside in and whether the applicable state privacy law applies to our processing of your data, you may have some or all of the following rights:
Right to Know / Access: You may request that we disclose the categories and specific pieces of personal data we have collected about you, the purposes for which it is used, and the categories of third parties with whom it is shared.
Right to Deletion: You may request that we delete personal data we have collected about you, subject to certain exceptions permitted by applicable law (for example, where retention is necessary to complete a transaction, comply with a legal obligation, or detect security incidents).
Right to Correction: You may request that we correct inaccurate personal data we hold about you.
Right to Opt Out of Sale or Sharing: As stated above, AmaliTech does not sell or share personal data for cross-context behavioural advertising. This right therefore does not apply in our case.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights. We will not deny you goods or services, charge you different prices, or provide a different level of service as a result of exercising your rights.
Right to Appeal: If we decline to act on your privacy rights request, you may appeal our decision by contacting us at info@amalitech.com. We will respond to your appeal within the timeframe required by applicable law.
How to Exercise Your Rights
To exercise any of the rights described above, please submit a request to us by email at info@amalitech.com. We will verify your identity before processing your request and respond within the timeframe required by applicable law (generally 45 days, with a possible extension of a further 45 days where reasonably necessary). We will not charge a fee for processing your request unless it is manifestly unfounded or excessive. You may also designate an authorised agent to submit requests on your behalf, in which case we may require proof of authorisation.
Data Retention and Security
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, as described in the Period of Storage section of this policy. We implement reasonable technical and organisational security measures to protect personal data against unauthorised access, disclosure, or destruction, as described in the Data Breach Notification section of this policy. All 50 US states have enacted data breach notification laws. In the event of a breach affecting US residents, we will notify affected individuals and relevant state authorities in accordance with the applicable state breach notification law.
Additional Notice for California Residents (CCPA/CPRA)
California residents may have additional rights under the CCPA as amended by the CPRA, depending on whether AmaliTech meets the applicable thresholds under California law. These thresholds include annual gross revenues exceeding $26.625 million (indexed to inflation), processing the personal data of 100,000 or more California consumers or households per year, or deriving 50% or more of annual revenue from selling or sharing personal data. If these thresholds apply to AmaliTech, California residents would have the right to know what personal data is collected and how it is used, the right to delete personal data, the right to correct inaccurate personal data, the right to opt out of the sale or sharing of personal data, the right to limit the use of sensitive personal data, and the right to non-discrimination for exercising these rights. AmaliTech does not knowingly sell or share the personal data of minors under 16 years of age. To determine whether the CCPA/CPRA currently applies to AmaliTech or to submit a privacy request, please contact us at info@amalitech.com.
Policy Updates
US state privacy law is evolving rapidly, with new laws coming into force each year. AmaliTech is committed to reviewing and updating this section of the privacy policy on a regular basis to reflect changes in applicable law and in our own operations. We recommend that US residents check back periodically for updates. Material changes will be reflected in the “Last Updated” date at the bottom of this policy.
Additional Rights for Rwanda-Based Users
If you are located in Rwanda, your personal data is also protected under the Law No. 058/2021 of 13/10/2021 on the Protection of Personal Data and Privacy (hereinafter “Rwandan Data Protection Law”). This section sets out the additional rights and protections applicable to you as a data subject under Rwandan law, in addition to the rights described elsewhere in this Privacy Policy.
Legal Framework
The Rwandan Data Protection Law governs the collection, storage, use, and sharing of personal data for individuals located in Rwanda. AmaliTech processes personal data in compliance with this law. We process your personal data on one or more of the following legal bases: your explicit consent (Art. 12); the performance of a contract to which you are a party (Art. 13); compliance with a legal obligation (Art. 14); or our legitimate interests, where these are not overridden by your rights and freedoms (Art. 15).
Your Rights Under Rwandan Law
As a data subject located in Rwanda, you have the following rights under the Rwandan Data Protection Law, which you may exercise by contacting us using the details provided in the Contact section above:
Right of Access (Art. 24): You have the right to obtain confirmation of whether we process personal data about you and, if so, to receive a copy of that data along with relevant information about the processing.
Right to Rectification (Art. 25): You have the right to request the correction of inaccurate or incomplete personal data we hold about you.
Right to Erasure (Art. 26): You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you have withdrawn consent, or where processing is unlawful.
Right to Restriction of Processing (Art. 27): You have the right to request that we limit the processing of your personal data in certain circumstances, such as while we verify the accuracy of your data or assess an objection.
Right to Data Portability (Art. 28): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request its transfer to another data controller where technically feasible.
Right to Object (Art. 29): You have the right to object to the processing of your personal data based on our legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent (Art. 12): Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
Supervisory Authority – Rwanda
If you believe that our processing of your personal data infringes the Rwandan Data Protection Law, you have the right to lodge a complaint with the Rwanda Information Society Authority (RISA), which is the competent supervisory authority in Rwanda. RISA can be contacted via its official website at www.risa.gov.rw or at its offices in Kigali, Rwanda.
Cross-Border Data Transfers – Rwanda
In accordance with Art. 35 to 37 of the Rwandan Data Protection Law, personal data may only be transferred to a third country or international organisation if an adequate level of protection is ensured. Where no adequacy decision exists, we rely on appropriate safeguards such as standard contractual clauses or binding corporate rules to authorise the transfer.
Data Breach Notification
We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, loss, or destruction. In the event of a personal data breach, we are legally required to take immediate action in accordance with applicable data protection law.
Notification to Supervisory Authorities
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Art. 33 GDPR. Where the breach concerns individuals in Ghana, we will notify the Data Protection Commission (DPC) in accordance with the Data Protection Act 843. Where the breach concerns individuals in Rwanda, we will notify the Rwanda Information Society Authority (RISA) in accordance with Art. 42 of the Rwandan Data Protection Law. The notification will include a description of the nature of the breach, the categories and approximate number of individuals concerned, the likely consequences, and the measures taken or proposed to address the breach.
Notification to Affected Individuals
Where a data breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to you directly without undue delay, in accordance with Art. 34 GDPR and the equivalent provisions under Ghanaian and Rwandan law. This communication will describe the nature of the breach in clear and plain language, provide contact details of our Data Protection Officer, explain the likely consequences of the breach, and describe the measures we have taken or propose to take to address it, including measures to mitigate its possible adverse effects. We will use the contact information you have provided to us to notify you, or, if direct notification is not possible, publish a public communication.
Last Updated: May 2026
