1. Introduction
Shovu ("we", "us", "our") operates the Shovu storefront platform — the website at shovu.app, the storefront domain shovu.shop, our mobile applications, and the related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, and protect your personal information when you use the Service.
We comply with Ghana's Data Protection Act, 2012 (Act 843) and with applicable rules from the Data Protection Commission. Where you use the Service from outside Ghana, we additionally honour the substantive rights provided by local law (for example, the GDPR for visitors located in the European Economic Area).
2. Who this policy applies to
This policy applies to three groups of users:
- Sellers — people and businesses who create a shop on Shovu to sell goods or services.
- Buyers — people who browse a Seller's shop, place orders, or otherwise transact through Shovu.
- Visitors — anyone else who views the Shovu marketing pages, downloads the app, or interacts with our content.
When a Seller stores or processes personal data about their own Buyers using the Service, the Seller is the data controller for that data and Shovu acts as a data processor on their behalf, in accordance with these Terms.
3. Information we collect
We collect the following categories of information:
3.1 Account information
- Your phone number (for OTP sign-in and SMS notifications).
- Your email address, name, and profile photo if you provide them.
- Your password (stored hashed — we never see it in plain text).
- For Sellers: your shop name, slug, description, logo, location, payment methods, FAQs, brand colours, and any other shop content you upload.
- Team-member invitations — names and phone numbers of people you invite to help run your shop.
3.2 Transaction information
- Orders, including line items, prices, delivery address, payment method, and order status.
- Buyer contact details captured at checkout (name, phone, address, optional email).
- Payment metadata returned by Paystack (transaction reference, amount, card type or MoMo operator, last four digits, success / failure). Full card numbers and CVCs are NEVER touched or stored by Shovu — Paystack handles those directly.
- Withdrawal destinations — your MoMo number or bank account details, with verification documents you upload (for example, ID copies for KYC).
3.3 Device and usage information
- Pages you visit, features you use, timestamps, and approximate location (derived from IP).
- Device type, operating system, browser version, and screen size.
- Crash logs and performance metrics.
- Push-notification subscription tokens (one per device you opt in on) and the OneSignal / Apple / Google identifiers needed to deliver pushes.
3.4 Information from third parties
- Webhook events from Paystack confirming the status of payments and refunds.
- Delivery-status events from SMS provider Arkesel (sent, delivered, failed).
- Aggregate analytics from Cloudflare about how the storefronts are loading.
4. How we use information
We use the information we collect to:
- Operate, maintain, and improve the Service — the dashboard, the storefront, payments, AI features, search.
- Sign you in (via OTP), authenticate your sessions, and protect your account against unauthorised access.
- Process Orders end-to-end: charge the Buyer through Paystack, settle the Seller, send order-status SMS / push notifications, and produce receipts and invoices.
- Send service messages — receipts, order updates, withdrawal confirmations, security alerts, billing notices, and policy changes.
- Send marketing or product-update messages only if you opt in (see section 10), and stop sending them the moment you opt out.
- Detect, investigate, and prevent fraud, chargebacks, abuse, money-laundering, sanctions violations, and any other illegal activity.
- Comply with applicable law (tax, accounting, KYC, AML, sanctions, court orders).
- Generate aggregated, de-identified statistics about platform usage to improve features and inform business decisions.
5. Our lawful basis for processing
Under Ghana's Data Protection Act 2012 we process personal information on one or more of the following bases, depending on the purpose:
- Performance of a contract — to provide you the Service you signed up for and to fulfil Orders.
- Legitimate interest — to keep the platform secure, prevent fraud, and improve features, balanced against your rights and expectations.
- Legal obligation — to comply with tax, AML, sanctions, court orders, and other binding law.
- Your consent — for non-essential cookies, marketing messages, and any optional feature you specifically opt in to.
You can withdraw consent at any time, for any purpose where consent is the basis. Withdrawal does not affect any processing done before you withdrew.
7. Our third-party processors
We use the following service providers to run Shovu. Each one is contractually bound to use your information only as we direct, and to protect it to at least the standard described here. (Inevitably, this list changes as the platform evolves — we will update this section.)
- Supabase, Inc.: Database, authentication, file storage, and edge functions. Location: United States / European Union.
- Cloudflare, Inc.: CDN, edge caching, DDoS protection, hosting. Location: Global edge network.
- Paystack Payments Ltd.: Card and Mobile Money payment processing. Location: Nigeria / United Kingdom.
- Arkesel Ltd.: Bulk and transactional SMS delivery in Ghana. Location: Ghana.
- Replicate, Inc.: AI photo enhancement (Real-ESRGAN model inference). Location: United States.
- OneSignal, Inc.: Web push and mobile push delivery. Location: United States.
- Apple, Inc. and Google LLC: iOS and Android push notification delivery (APNs / FCM). Location: United States.
- Google LLC: Web fonts (fonts.googleapis.com). Location: Global.
8. AI features and your data
Shovu's AI features include the Mira assistant (which drafts copy, suggests prices, answers shop questions) and AI photo enhancement (which upscales, sharpens, and denoises product photos via the Real-ESRGAN model running on Replicate).
When you use AI photo enhancement, the original image is sent to Replicate for processing and the enhanced image is returned. Replicate states it does not retain inputs or outputs after the prediction completes; we treat this as binding under our processor agreement. The image is also stored briefly in our edge function memory while the call is in flight.
When you use Mira, your prompt and the relevant context from your shop (the products, shop description, or other data you reference in the prompt) are sent to our AI model provider for inference. We do not use your private shop content to train third-party models, and we do not let providers train on your data without your explicit consent.
We log AI usage (call count, success / failure, latency, and a redacted error code on failure) so we can debug issues, monitor cost, and enforce free-tier limits.
10. SMS, push, and email messages
We send three categories of messages:
- Transactional — receipts, order updates, withdrawal confirmations, security alerts, and important policy changes. These are part of the Service; you cannot opt out while you have an active account.
- Service updates — occasional notifications about new features or platform improvements. You can opt out from your account settings.
- Marketing — promotional messages from Shovu. We only send these if you opt in, and you can opt out at any time using the link in the message or by replying STOP to an SMS.
Sellers may use Shovu's SMS broadcast tools to send their own messages to their own customers. When a Seller does this, the Seller is the controller of that communication and is responsible for compliance with local marketing rules. Shovu's role is limited to delivering the messages the Seller composed, through Arkesel.
11. How long we keep information
We keep information for as long as we need it to provide the Service and to meet our legal and accounting obligations. Concretely:
- Account profile data — while your account is active, then deleted within 30 days of closure (subject to the carve-outs below).
- Transaction records (orders, payments, refunds, withdrawals, invoices, receipts) — at least 7 years, to comply with Ghana's accounting and tax record-keeping requirements.
- KYC documents — at least 5 years from the end of the business relationship, to comply with the Anti-Money Laundering Act 2020 (Act 1044).
- Logs (authentication, fraud detection, AI usage, error logs) — typically 90 days, longer if required for an ongoing investigation.
- Push subscriptions — until the device unsubscribes or stops responding for 90+ days.
- Backups — encrypted backups roll over on a typical 30-day cycle.
12. Your rights
Under the Data Protection Act 2012 (Act 843) and similar laws, you have the following rights over your personal information held by Shovu:
- Access — request a copy of the information we hold about you.
- Correction — ask us to fix information that is inaccurate or incomplete.
- Deletion — ask us to delete your information when it is no longer needed for the purpose we collected it, subject to the retention exceptions in section 11.
- Restriction — ask us to limit how we process your information in certain circumstances.
- Portability — receive your information in a structured, commonly-used, machine-readable format.
- Objection — object to processing that is based on our legitimate interest.
- Withdraw consent — where processing is based on your consent, withdraw that consent at any time.
- Lodge a complaint with the Data Protection Commission of Ghana if you believe we have not handled your information correctly.
To exercise any of these rights, email hello@shovu.app with "Privacy Request" in the subject. We will respond within 30 days, or sooner where the law requires.
13. International data transfers
Some of our processors (notably Supabase, Replicate, OneSignal, Cloudflare) operate servers outside Ghana. When we transfer your information to those processors, we rely on standard contractual safeguards in our agreements with them — including commitments to security, confidentiality, and assistance with data-subject requests. Where the law that protects you (for example, the GDPR) imposes additional transfer requirements, we honour them.
14. Security
We take reasonable technical and organisational measures to protect your information, including:
- Encryption in transit — every connection between you, our app, our servers, and our processors uses TLS 1.2 or higher.
- Encryption at rest — database storage and backups are encrypted on disk.
- Hashed passwords — we use industry-standard password hashing (bcrypt / argon2 family); we never see your password.
- Row-level security in the database so a Seller can only read their own shop's data, and a Buyer can only read their own orders.
- Least-privilege access for our team — production data access is logged and limited to the smallest set of people necessary for support and incident response.
- Regular dependency scanning, vulnerability monitoring, and security review for code changes that touch sensitive paths (payments, auth, withdrawals).
- Two-factor support for Seller accounts (OTP-based) and for staff accounts with production access.
No system is perfectly secure. If you discover a security issue, please email security@shovu.app — we'll respond promptly and never penalise good-faith reporting.
15. Data-breach notification
If we suffer a personal-data breach that is likely to result in a high risk to your rights and freedoms, we will notify the Data Protection Commission of Ghana without undue delay and, where required, notify you directly via SMS, email, and in-app message. The notice will describe what happened, what information was affected, what we are doing about it, and what you can do to protect yourself.
16. Children's privacy
Shovu is not intended for children under 13 and we do not knowingly collect personal information from them. If you are between 13 and 17 you may only use Shovu under the supervision of a parent or legal guardian. If you believe we have inadvertently collected information from a child under 13, email hello@shovu.app and we will delete it.
17. Links to other websites
The Service may contain links to third-party websites and services that we do not operate. We are not responsible for the privacy practices of those third parties. Please consult their privacy notices before sharing your information with them.
18. Changes to this policy
We may update this Privacy Policy from time to time. When we make a material change, we will notify you in-app, by email, or both, at least 14 days before the change takes effect. The "Last updated" date at the top of this page always reflects the most recent revision. We encourage you to review the policy periodically.
19. Contact us
If you have any question about this Privacy Policy or how we handle your information, contact us at hello@shovu.app or via WhatsApp at +233 55 813 8714.
You can also lodge a complaint with the Data Protection Commission of Ghana — see dataprotection.org.gh.