01Policy statement
Sage Advance Global Services Ltd (“Sage”, “the Company”, “we”, “our” or “us”) is committed to protecting the privacy and personal data of its clients, employees, directors and all other individuals whose data it processes. We treat personal data as a critical business asset underpinning our ability to deliver a compliant, trustworthy virtual asset brokerage service.
This Privacy Policy explains the principles, obligations and procedures governing our collection, processing, use, storage, transfer, disclosure, retention and disposal of personal data. It applies wherever we process personal data, in electronic form and in structured paper files.
02Regulatory framework
Our data protection obligations arise under, among others:
- The 1992 Constitution of the Republic of Ghana — Article 18(2) (right to privacy).
- Data Protection Act, 2012 (Act 843).
- Cybersecurity Act, 2020 (Act 1038).
- Virtual Asset Service Providers Act, 2025 (Act 1154).
- Anti-Money Laundering Act, 2020 (Act 1044).
- Electronic Transactions Act, 2008 (Act 772).
- SEC Guidelines for the Operation of the Securities Regulatory Sandbox, 2026.
- Directives of the DPC, SEC, FIC, BoG and CSA applicable to our Sandbox Admission.
03Scope
This Policy applies to all personal data processed by Sage, including client KYC data, transaction data, biometric liveness data, communication records, employee records, and any personal data processed by third-party data processors acting on our instruction.
04Data protection principles
- Accountability — we take responsibility for our processing.
- Lawfulness of processing — every processing activity has a lawful basis.
- Specification of purpose — we tell you why we collect data before we collect it.
- Compatibility of further processing — we don’t reuse data for incompatible purposes.
- Quality of information — we keep data accurate and up to date.
- Openness — we publish this Policy and respond to reasonable enquiries.
- Data security safeguards — technical and organisational controls are described in section 10.
- Data subject participation — you can exercise the rights in section 6.
05Personal data we collect
Depending on your relationship with us, we may process:
- Identity data — full name, date of birth, gender, nationality, Ghana Card / passport / driver’s licence number.
- Biometric data — facial biometric data collected during liveness verification.
- Contact data — residential or registered address, email, phone number.
- Business / financial data — occupation, source of funds, source of wealth.
- Transaction data — trade records, wallet addresses, TXIDs, fiat settlement details, order history.
- Compliance data — sanctions screening results, PEP status, EDD records, blockchain analytics results, KYC risk ratings, STR records.
- Device and usage data — IP address, browser type, and platform interactions relevant to fraud prevention.
We process this data for identity verification and KYC compliance, transaction execution and settlement, AML/CFT monitoring, regulatory reporting, security and fraud prevention, service communication, and record-keeping.
06Your rights
Subject to Ghana’s Data Protection Act (Act 843), you have the right to:
- be informed about the collection and use of your personal data;
- access the personal data we hold about you;
- request correction of inaccurate or incomplete data;
- withdraw consent where processing is based on consent;
- object to processing based on legitimate interest or direct marketing;
- request erasure where legally permissible; and
- lodge a complaint with the Data Protection Commission.
To exercise any right, email us at info@thesageglobal.com with proof of identity. We respond within statutory timeframes.
08Cross-border transfers
We transfer personal data outside Ghana only where adequate protections are in place — a valid lawful basis, appropriate contractual safeguards, and only the minimum data necessary for the purpose.
09Retention
We keep personal data only as long as necessary for the purpose for which it was collected, or as required by law. AML/CFT records are retained for a minimum of five years after the end of the client relationship, in line with Act 1044. On expiry we securely dispose of the data so it cannot be reconstructed.
10Security controls
We apply technical and organisational controls including encryption in transit and at rest, role-based access control, multi-factor authentication for staff, network segregation, logging and monitoring, vendor security due diligence, and mandatory staff training. We maintain an incident response process for personal data breaches.
11Data breach management
Where a personal data breach is confirmed, we notify the Data Protection Commission as soon as reasonably practicable, and — where the breach arises from a cybersecurity incident — the Cybersecurity Authority within 24 hours of detection. Where a Material Incident occurs, we also notify the SEC under §13(3) of the Sandbox Guidelines 2026. Affected data subjects are notified where the breach is likely to result in significant harm.
12Contact us
Questions or requests should be addressed to our Data Protection Supervisor:
- Email: info@thesageglobal.com
- Post: FAO Data Protection Supervisor, Sage Advance Global Services Ltd, Accra, Ghana (P.O. Box GP 1695, GhanaPostGPS GT-192-6030).
You also have the right to lodge a complaint with the Data Protection Commission of Ghana.
13Changes to this policy
We review this Policy at least annually and whenever there is a material change in our processing, controls, processors or cross-border transfers. Material updates require Board approval, and we notify clients of any change likely to affect them.
