Privacy Policy

The VoteEdge platform is operated by VoteEdge (“VoteEdge”, “we”, “us”).

You can reach us at:

• General contact: hello@voteedgeng.com
• Privacy + data-subject rights: hello@voteedgeng.com
• Security incident reporting: hello@voteedgeng.com
• Phone: +234 706 155 1969

Our designated Data Protection Officer (or equivalent accountability lead, depending on the jurisdiction) is our Privacy Team, reachable at the email above.

This policy applies to personal data we process in connection with:

• visitors to our marketing website at https://voteedgeng.com and its country sub-pages;
• signed-in users of the VoteEdge application (Authorised Users acting on behalf of a Customer);
• field agents enrolled via the public election-day enrollment flow (see clause 3.4 and the field-agent annex at clause 18.6);
• inquirers who submit our public contact form;
• recipients of our transactional or operational email (renewal notices, password resets, expiry reminders).

This policy does not cover personal data processed by our Customers within their own Projects, where VoteEdge acts as a processor on the Customer’s instructions. For that processing, the Customer is the controller, and the Customer’s own privacy notice applies.

The table below states the lawful basis on which we process each category of personal data, in each jurisdiction. The named statute is in addition to any other lawful basis that may apply.

Where we rely on legitimate interest, the interest is described in the table above. For each such row, we document the balancing test that confirms the interest is not overridden by the data subject’s rights and freedoms; that documentation is available to regulators on request.

Secondary analytical purpose (Campaign Diagnostic module). Where the Customer has licensed the optional Campaign Diagnostic module, the aggregated, de-identified survey responses for that Project are analysed to produce location-level findings and campaign recommendations for the Customer’s candidate. This analysis is performed on aggregated data only; it does not single out, re-identify, or target any individual respondent, and the survey instrument itself remains neutral and non-leading. This purpose is compatible with, and carried out under the same lawful basis as, the research purpose for which the responses were collected.

We process two categories of special-category data:

The platform is not intended for children. We do not knowingly collect personal data from individuals under the age of 18. Authorised Users and field agents must be of legal age to contract for employment in their jurisdiction. If we learn that we have inadvertently collected personal data from a child, we will delete it.

The data protection laws of each jurisdiction impose specific obligations regarding children’s data: see (NG · NDPA 2023, s. 31), (KE · DPA 2019, s. 33), (ZA · POPIA, s. 34), (GH · Act 843, s. 32), and (RW · Law N° 058/2021, art. 14).

We collect personal data from the following sources:

• directly from the data subject (visit, sign-up, enrollment, contact form);
• from our Customers, who upload rosters of their Authorised Users and (in some markets) of polling agents;
• generated by our systems as a result of your use of the platform (audit logs, session metadata, derived analytics).

We do not buy personal data from data brokers, and we do not enrich personal data from third-party social or commercial databases.

We share personal data with the following categories of recipient:

• VoteEdge personnel who need to access it to operate the platform, support you, or investigate a security or compliance event;
• the Customer running the relevant Project, in respect of personal data collected within that Project;
• sub-processors who provide hosting, object storage, email delivery, SMS delivery, error monitoring, and timestamping services on our behalf — see the Data Processing Agreement, Annex A;
• professional advisers (lawyers, accountants, auditors) under a duty of confidence;
• law-enforcement, regulatory, or governmental bodies in response to a binding legal request.

We do not sell personal data, and we do not share personal data with third parties for those parties’ own marketing purposes.

The current sub-processor list is available on request via the privacy contact above and is also enumerated in Annex A of the Data Processing Agreement.

Some of our sub-processors process personal data in countries other than the country in which the data subject is located. When that occurs, we put in place appropriate transfer safeguards under the law of the originating country, namely:

• Nigeria (NG · NDPA 2023, s. 41): transfer to a country with adequate protection as recognised by the Nigeria Data Protection Commission, or (where such recognition has not been issued) under specific safeguards including binding corporate rules, standard contractual clauses, or the data subject’s explicit consent;
• Ghana (GH · Act 843, s. 47): transfer to a country with an adequate level of protection or under an authorisation from the Data Protection Commission;
• Kenya (KE · DPA 2019, ss. 48-49): transfer where appropriate safeguards are in place (including standard contractual clauses approved by the ODPC), or with the data subject’s explicit consent;
• South Africa (ZA · POPIA, s. 72): transfer to a recipient subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection, or with the data subject’s consent, or where the transfer is necessary for the conclusion or performance of a contract;
• Rwanda (RW · Law N° 058/2021, art. 48-49): transfer to a country with adequate protection or under specific safeguards approved by the supervisory authority.

The specific transfer instrument used for each sub-processor pair is documented internally and is available on request via the privacy contact above..

We retain personal data for the period necessary to fulfil the purposes described in this policy, plus any minimum statutory retention floor that applies in the relevant jurisdiction.

Project-level data follows the Customer Agreement’s retention schedule: a default minimum of one (1) year from expiry of the Access Window, subject to country-specific statutory minima below. We may, at our discretion and for operational, re-engagement, or audit purposes, retain Customer Data for longer than the contractual one-year minimum; the Customer may request earlier deletion at any point (subject to the country-specific minima below).

• Nigeria: 180 days (NDPC guidance under (NG · NDPA 2023, s. 24));
• Ghana: 365 days (DPC guidance under (GH · Act 843, s. 24));
• Kenya: 365 days (ODPC guidance under (KE · DPA 2019, s. 39));
• South Africa: 5 years (1825 days), the POPIA principle of minimum-necessary retention applied to our specific processing context ( (ZA · POPIA, s. 14));
• Rwanda: 365 days ( (RW · Law N° 058/2021, art. 14)).

Audit-log metadata is retained for the longer of the applicable statutory minimum and 7 years, unless a binding legal hold or open investigation requires longer retention.

Depending on your jurisdiction, you have rights in respect of your personal data. The table below summarises those rights and the statutory references that grant them.

Each right is exercisable subject to the limits, conditions, and exceptions stated in the relevant statute. Where a right is not explicitly enumerated in a particular statute, an analogous right may still be available under general principles of that statute.

To exercise any of the rights described in clause 11, contact us at hello@voteedgeng.com with:

• your full name;
• the email address associated with your account or enrollment, if any;
• the country in which you are located;
• which right you wish to exercise and which personal data you are referring to;
• any documentation that helps us verify your identity (we will not act on requests we cannot reasonably verify, to protect against impersonation).

We respond within the response time required by the data protection law applicable to you:

• Nigeria: within one (1) month of receipt (NDPA s. 34(2) );
• Ghana: within forty (40) days of receipt for an access request (Act 843 s. 35(2));
• Kenya: within seven (7) days of receipt (DPA s. 26(2));
• South Africa: within a reasonable time and in accordance with the Promotion of Access to Information Act framework (Form 2);
• Rwanda: within thirty (30) days of receipt (Law N° 058/2021 art. 21(3) ).

Where your request is manifestly unfounded, excessive, or repetitive, we may refuse it or charge a reasonable fee, in accordance with the applicable statute. Where we refuse, we will tell you in writing why and how to seek redress.

Without prejudice to your other rights, you may lodge a complaint with the data protection regulator of your jurisdiction:

• Nigeria: Nigeria Data Protection Commission (NDPC). Contact details available on the NDPC official website at ndpc.gov.ng.
• Ghana: Data Protection Commission of Ghana (DPC). Contact details available on the DPC Ghana official website at dataprotection.org.gh.
• Kenya: Office of the Data Protection Commissioner (ODPC). Contact details available on the ODPC official website at odpc.go.ke.
• South Africa: Information Regulator (South Africa). Contact details available on the Information Regulator official website at inforegulator.org.za.
• Rwanda: National Cyber Security Authority (NCSA), pending appointment of the supervisory authority specifically designated for data protection. Contact details available on the NCSA official website at cyber.gov.rw.

We encourage you to contact us first so we have the opportunity to address your concern.

We design and operate the Platform in line with appropriate technical and organisational measures, having regard to the state of the art, the cost of implementation, the nature of the processing, and the risks to the rights and freedoms of data subjects. Our security commitments are set out in detail in the Data Processing Agreement, Annex B. They include:

• TLS in transit between your browser and our servers;
• at-rest encryption of stored personal data;
• role-based access control aligned to least-privilege principles;
• per-project tenant scoping enforced at the data-access layer;
• audit logging of every privileged mutation, with the actor identifier, timestamp, and IP recorded;
• hash-chain integrity for election-day result reports, allowing post-hoc verification that no row has been modified in place;
• multi-factor authentication available to all account holders;
• independent disaster-recovery procedures with documented restore drills.

We do not represent that our security measures are impenetrable or that no incident will occur. Where we have a reportable personal-data breach, we will notify the regulator and (where required) you within the timeframe required by the applicable statute (clause 15).

We notify the relevant regulator and (where required) the data subject within the timeframe required by each applicable statute:

• Nigeria (NG · NDPA 2023, s. 40): within 72 hours of becoming aware of the breach.
• Ghana (GH · Act 843, s. 30): without undue delay .
• Kenya (KE · DPA 2019, s. 43): within 72 hours of becoming aware of the breach.
• South Africa (ZA · POPIA, s. 22): as soon as reasonably possible after the breach has been discovered.
• Rwanda (RW · Law N° 058/2021, art. 30): within 48 hours of becoming aware of the breach .

We may update this policy from time to time. The version tag and last-revised date in the header reflect the current version. Where the change is material, we will give you notice in advance:

• by in-app message to logged-in users; and
• by email to the address associated with your account or enrollment.

For non-material clarifications, we may rely on publication on this page alone.

For any privacy question, request, or complaint, please contact us at hello@voteedgeng.com.

The annexes below summarise the country-specific points that a data subject in each market is most likely to need.