Legal
Privacy policy.
1. Who we are and this policy's scope
Amedex Limited (“Amedex”, “we”, “our”, “us”) is the data controller responsible for personal data collected through this website (“Site”). We are registered under the Companies Act, 2019 (Act 992), Republic of Ghana.
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you have over it. It applies to visitors to our Site, people who submit contact forms or RFP applications, and vendors who apply to join our supply chain.
This policy does not cover personal data collected and processed under our commercial contracts with clients — those arrangements are governed by the applicable contract and any data processing agreement attached to it.
2. Data we collect
Information you provide directly
- Contact form: name, organisation, email address, phone number (optional), and message content.
- RFP submission: name, organisation, sector, project scope, budget range, deadline, and any documents you attach.
- Vendor application: company name, registration number, sectors served, certifications, TIN, SSNIT number, and business registration certificate.
- Account registration (admin users only): email address and a password you create.
Information collected automatically
- Server logs: IP address, browser type, referring page, pages visited, date and time of access. Retained for up to 90 days for security and diagnostic purposes.
- Session cookies: a secure, httpOnly session token (“am_sid”) used solely to maintain a logged-in state for authenticated admin users. No tracking cookies are set for general visitors.
Information we do not collect
We do not collect payment card details (we accept no payments through this Site). We do not use third-party advertising networks or behavioural tracking pixels. We do not embed Google Analytics or similar third-party analytics services.
3. Legal basis and purposes for processing
We process personal data only where we have a lawful basis to do so under the Ghana Data Protection Act, 2012 (Act 843):
- Contract performance / pre-contract steps: processing RFP submissions and vendor applications to evaluate and potentially enter into a commercial relationship.
- Legitimate interests: responding to general enquiries; maintaining security logs; improving the Site.
- Legal obligation: retaining records required by Ghanaian tax, company, or procurement law.
- Consent: where we ask for and receive your explicit consent (e.g., to send you a project newsletter, if we introduce one). You may withdraw consent at any time.
4. How we share your data
We do not sell, rent, or trade personal data. We share it only in the following circumstances:
- Service providers: companies that help us operate the Site and services (hosting on Render/Vercel, transactional email via Resend, file storage). These providers process data only on our instructions and under contractual data protection obligations.
- Internal routing: RFP and vendor submissions are shared with the relevant Amedex sector director and relevant administrative staff. Only staff with a legitimate need to evaluate the submission receive access.
- Legal requirement: we may disclose data if required by law, court order, or regulatory authority, or to protect the rights, property, or safety of Amedex, our clients, or the public.
- Business transfers: in the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected individuals before data is transferred and becomes subject to a different privacy policy.
5. Retention
We retain personal data for as long as is necessary to fulfil the purpose for which it was collected, or as required by law:
- Contact form enquiries: 2 years from last interaction, unless a commercial relationship develops.
- RFP submissions: 7 years from submission. RFP data is append-only; original submission bodies are never modified (audit requirement).
- Vendor applications: 7 years, or until 5 years after the end of any resulting commercial relationship.
- Server logs: 90 days.
- Admin account data: until account deletion plus 90 days.
6. Security
We implement technical and organisational measures proportionate to the risks of the data processed. These include:
- HTTPS/TLS encryption for all data in transit.
- Passwords stored using Argon2id with parameters at or above the OWASP 2025 baseline. We never store passwords in plain text.
- Session tokens stored in httpOnly, Secure, SameSite=Lax cookies — not in localStorage or JavaScript-accessible storage.
- Database access restricted to authenticated application connections only; no public-facing database ports.
- Role-based access control for internal systems.
No system is completely secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected individuals and the Data Protection Commission of Ghana in accordance with our obligations under Act 843.
7. Your rights
Under the Ghana Data Protection Act, 2012 (Act 843), you have the right to:
- Access: request a copy of the personal data we hold about you.
- Correction: request that inaccurate or incomplete data be corrected.
- Deletion: request erasure of your data where there is no longer a lawful basis for processing, subject to our legal retention obligations.
- Restriction: request that we limit how we use your data while a complaint is pending.
- Objection: object to processing carried out on the basis of our legitimate interests.
- Withdrawal of consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@swiftamedex.com. We will respond within 30 days. We may ask for proof of identity before processing your request.
You have the right to lodge a complaint with the Data Protection Commission of Ghana if you believe we have not handled your data lawfully.
8. Children's privacy
The Site is directed at institutional and business users. We do not knowingly collect personal data from persons under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us immediately.
9. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the effective date above. Material changes will be highlighted on the Site for 30 days after they take effect. Continued use of the Site after any changes constitutes your acceptance of the revised policy.
10. Contact
For privacy enquiries, data subject requests, or to report a concern, contact our Data Protection Officer at privacy@swiftamedex.com or by post:
Data Protection Officer
Amedex Limited
Airport City Business District
Accra, Ghana