Last updated: 6 July 2026
Applies to: the Adroit Cloud web and desktop application, its APIs ( and related endpoints), and all add-on services (SMS, subscription billing, and the industry modules described below).
About this document. This policy explains what information Adroit Cloud collects, why, how it is used and shared, and the rights available to the people it concerns. Adroit Cloud serves Customers in multiple countries, so we apply the data-protection law that applies to you, including Ghana's Data Protection Act, 2012 (Act 843), the EU/UK General Data Protection Regulation (GDPR/UK GDPR) where it applies, and comparable laws in the other countries where we operate (for example Nigeria's Data Protection Act 2023). Where a stricter local rule applies to you, we follow it. Section 7 sets out the rights that apply in your region. Rules about payment, subscription commitments, suspension and account termination live in the separate Terms of Service / Subscription Agreement; this policy cross-references them where data is affected.
1. Who we are
Adroit Cloud ("Adroit Cloud", "we", "us", "our") provides a cloud business-management platform to organisations ("Customers") across several industries, including accounting/ERP (FRM), hospitals, eye clinics, restaurants, microfinance, schools, share management, and inventory/stores.
- Data controller / registered entity: _[Registered legal name]_
- Registered address: _[Address]_
- Data Protection contact: info@adroitcloud.online
- Data Protection Commission registration no.: _[if registered]_
Complete the bracketed fields before publishing.
Our two roles
Because of how the platform works, our role under Act 843 changes depending on whose data is involved:
- We are the data controller for information about the Customer organisation and its logged-in users — the people who sign up, subscribe, pay, and administer an account.
- We are a data processor for the operational records a Customer stores inside their own workspace — for example a hospital's patient records, a clinic's clinical notes, a firm's own customers and suppliers, or a school's student records. The Customer is the controller of that data. We process it only to run the service on the Customer's behalf and under our agreement with them.
If you are a patient, client, student, or customer of an organisation that uses Adroit Cloud, that organisation — not Adroit Cloud — is primarily responsible for your records. Please direct access or deletion requests to them first.
2. Information we collect
2.1 Account and organisation data (we are controller)
- Company name, organisation type, address, telephone, email, website, logo
- Contact person and administrator contact details
- Login identity: email address and authentication identifiers (via our authentication provider), the devices you sign in from, and device-limit counters
- Roles and per-page permissions assigned to each user
- Licence and subscription details: tier, plan name, start/end dates, price, currency, licence status, and payment status
2.2 Billing and transaction data (we are controller)
- Subscription and SMS-package purchases processed through our payment provider
- Payment reference, amount, currency, channel (card / mobile money), and paid-at timestamp returned by the payment provider, stored in our records
- We do not store full card numbers or mobile-money PINs. Card and mobile-money credentials are handled by our payment provider under its own security and PCI-DSS obligations.
2.3 Operational / workspace data (we are processor; Customer is controller)
Depending on the modules a Customer enables, their workspace may contain:
- Financial/ERP (FRM): customers, suppliers, general-ledger accounts, invoices, receipts, journal vouchers, inventory, bills of materials, payroll
- Health modules (hospital, eye clinic): patient demographics, diagnoses, investigations, consultation and treatment records, refraction values, and other clinical notes — this is sensitive personal data / special personal data under Act 843 and is treated with heightened protection
- Restaurant / POS: orders, customer names and phone numbers
- Microfinance, school, share management, stores: client, student, member, and stock records as configured by the Customer
2.4 Communications data
SMS messages sent through the platform are transmitted via a third-party messaging provider. Recipient phone numbers, message content, sender ID, and delivery status are processed to deliver the message and to maintain the Customer's SMS balance and history.
2.5 Technical and usage data
- Log and audit data: actions taken in the system, timestamps, the acting user, and record-change history (many modules keep an audit trail)
- Basic technical data needed to operate and secure the service (e.g. request metadata handled by our hosting and infrastructure providers)
2.6 Cookies and local storage
Adroit Cloud uses only a small amount of browser storage, and does not use analytics, advertising, or tracking cookies. We do not profile you or sell your activity.
- Strictly necessary storage — we use local browser storage (such as local storage / IndexedDB) to keep you securely signed in, remember your session, and hold your app settings. The service cannot work without these, so they do not require consent.
- Sign-in — signing in with a third-party identity provider (e.g. "Sign in with Google") may cause that provider to set its own cookies as part of the login process.
- Maps — pages that use mapping features load a third-party maps service, which may set its own cookies. This is the only non-essential third-party cookie the platform may set.
- Payments — completing a payment opens the payment provider's secure checkout, which sets its own session cookies for that transaction.
EU/UK note. Under EU/UK ePrivacy rules, non-essential cookies (such as the maps cookie above) normally require your consent before they are set. If you are in the EU/UK and we have not obtained that consent through a banner or similar control, you can prevent these cookies by not using the mapping feature and by managing cookies in your browser settings. We are keeping this footprint minimal and may load the maps service only on demand to reduce it.
We collect this information when you sign up, subscribe, log in, use the modules, make a payment, or send an SMS — and, for operational data, whenever a Customer's authorised users enter it.
3. How we use information
We use personal data to:
- Provide the service — create and run Customer workspaces, authenticate users, enforce device and user limits, and store the records Customers enter.
- Process payments and manage subscriptions — take subscription and SMS payments through our payment provider, activate or renew licences, and keep billing records.
- Deliver add-on services — send SMS via a third-party messaging provider and maintain SMS balances and history.
- Support and communicate — respond to requests, send service and billing notices, and provide technical support.
- Secure and maintain the platform — audit logging, fraud/abuse prevention, backups, debugging, and enforcing our Terms.
- Comply with law — meet tax, accounting, regulatory, and record-keeping obligations, and respond to lawful requests.
Lawful bases (Act 843): performance of our contract with the Customer; the Customer's and users' consent where required; our legitimate interests in operating and securing the service; and compliance with legal obligations. For sensitive/health data we rely on the Customer's lawful basis as controller (e.g. the patient's consent or the provision of health care) and process it strictly on the Customer's instructions.
We do not sell personal data, and we do not use Customer operational data (including patient or financial records) for advertising.
4. How information is shared
We do not sell personal data. We share it only with the categories of service providers needed to run Adroit Cloud, and only as needed to deliver the service:
| Category of recipient |
Purpose |
Data involved |
| Cloud hosting and infrastructure providers |
Authentication, database, application hosting, reporting, backups, and secure storage of service keys |
Account, billing, and workspace data |
| Payment processors |
Processing subscription and add-on payments |
Email, amount, and payment metadata |
| Communications / SMS providers |
Delivering SMS you send through the platform |
Sender ID, recipient numbers, message content |
These providers act on our instructions and are permitted to use the data only to provide their service to us. A more detailed list of the specific sub-processors we use is available to Customers on request (for example, for a data-processing agreement).
We may also disclose data (a) to comply with the law or a lawful request, (b) to protect our rights, users, or the public, or (c) in connection with a merger or acquisition, subject to this policy.
Some of these providers may process data outside your country, including in countries whose data-protection laws differ from your own. Where personal data is transferred across borders, we take reasonable steps to ensure a comparable level of protection, consistent with the law that applies to you. For transfers of EU/UK personal data, we rely on an appropriate transfer mechanism (such as the European Commission's Standard Contractual Clauses or an adequacy decision) where required.
5. Data retention
- Account and billing records are kept for the life of the account and afterwards as required for legal, tax, and accounting purposes.
- Workspace/operational data is retained for as long as the Customer's account is active, and thereafter as described in Section 8 (Suspension, termination, and your data) and the Terms.
- SMS records are kept as needed to run the service and for reasonable billing history.
When data is no longer needed, we delete or irreversibly anonymise it, subject to any legal retention requirement (for example, statutory retention of financial and health records that the Customer is required by law to keep).
6. Security
We protect data with measures including authentication, role- and page-level permissions, per-user device limits, encrypted transport (HTTPS/TLS), server-side handling of payment and SMS secrets via a secure secrets manager, signed verification of payment webhooks, and audit logging. No system is perfectly secure, but we work to protect data against unauthorised access, loss, or misuse, and we expect Customers to safeguard their own login credentials and to manage their users' access responsibly.
7. Your rights
The rights available to you depend on the law that applies in your country. Under most data-protection laws (including Act 843, the GDPR/UK GDPR, and comparable regimes), individuals may:
- Access the personal data held about them
- Correct inaccurate or incomplete data
- Object to or restrict certain processing
- Request deletion where there is no overriding legal reason to keep it
- Withdraw consent where processing relies on consent
- Complain to their data-protection regulator (see Section 11)
Additional rights for EU/UK individuals (GDPR/UK GDPR). If you are in the EU or UK, you also have the right to data portability (receive your data in a portable format), the right not to be subject to solely automated decisions with legal or similarly significant effects, and the right to complain to your local supervisory authority (or the UK Information Commissioner's Office). We do not carry out automated decision-making of that kind, other than the automatic enforcement of licence/access status based on payment described in Section 8.
Because Adroit Cloud is usually the processor of workspace data, if your data sits inside an organisation's workspace (e.g. you are its patient or client), please contact that organisation first; we will support them in responding. For account-level data where we are the controller, contact us at info@adroitcloud.online. We aim to respond within the timeframes set by the law that applies to you (for example, within one month under the GDPR/UK GDPR).
8. Suspension, termination, and your data
Adroit Cloud is provided on a subscription basis. The commercial rules — including the commitment a Customer makes when subscribing and the consequences of non-payment or breach — are set out in the Terms of Service / Subscription Agreement. This section explains only the data consequences.
8.1 Enforcement rights
Where a Customer fails to honour its subscription commitment or its payment obligations, or otherwise materially breaches the Terms, Adroit Cloud may suspend, restrict, or discontinue the Customer's access to the platform and to any add-on services (including SMS), and may terminate the agreement, in accordance with the Terms. Licence status and access are enforced automatically by the platform based on payment and subscription status.
8.2 Fair-handling commitments
- Advance notice of suspension or termination will be given to the Customer's registered administrator/contact, except where immediate action is required by law or to stop abuse or a security threat.
- A cure/grace period will normally be offered to settle outstanding amounts or remedy the breach before access is withdrawn.
- Suspension before deletion: suspension restricts access but does not immediately erase data. Data is retained for a defined window (see the Terms) during which the Customer may bring the account back into good standing.
- Data export window: before permanent deletion, the Customer will be given a reasonable opportunity to export or request a copy of their data.
- Statutory records: we will not withhold or destroy data in a way that prevents a Customer from meeting its own legal obligations (e.g. retention of tax or medical records), and either party may retain records the law requires it to keep.
8.3 Add-on services. Prepaid add-on balances (such as unused SMS credit) and their treatment on suspension or termination are governed by the Terms.
8.4 Effect on third parties. Suspension or termination affects the Customer's access to the platform. It does not, by itself, extinguish our data-protection obligations or the rights of the individuals whose data the Customer holds.
9. Children's data
Some modules (e.g. schools, hospitals, clinics) may hold data about minors. The Customer, as controller, is responsible for obtaining any parental/guardian consent required by law. We process such data only on the Customer's instructions and with the same protections as other sensitive data.
10. Changes to this policy
We may update this policy from time to time. Material changes will be notified through the platform or to the Customer's registered contact, and the "Last updated" date above will change. Continued use of the service after an update constitutes acceptance of the revised policy.
11. Contact us
Questions, requests, or complaints about this policy or your data:
- Email: info@adroitcloud.online
- Address: _[Registered address]_
- Your data-protection regulator: you have the right to lodge a complaint with the data-protection authority in your country — for example the Data Protection Commission (Ghana), your EU supervisory authority or the UK Information Commissioner's Office (ICO), the Nigeria Data Protection Commission, or the equivalent regulator where you are.
- EU/UK representative: _[appoint and name an Article 27 representative if you offer the service to individuals in the EU/UK without an establishment there]_
This document is a template prepared to reflect how the Adroit Cloud platform handles data. It is not legal advice. Because Adroit Cloud operates in multiple countries, have it reviewed by qualified counsel for each market you serve — covering Ghana's Data Protection Act, 2012 (Act 843), the EU/UK GDPR, other applicable national data-protection laws, and, where relevant, health-records and financial-records regulation.