Privacy policy

1. Introduction

Savannah Institute for Innovative Finance ("SAIIF", "we", "us", or "our") is committed to protecting your privacy and handling personal data responsibly, transparently, and in accordance with applicable law.

This Privacy Policy explains how we collect, use, disclose, retain, and safeguard personal information when you visit https://saiifgh.org, subscribe to updates, contact us, or otherwise interact with our services (collectively, the "Services").

This policy is designed to meet the standards of the EU General Data Protection Regulation (GDPR), the UK GDPR, and Ghana's Data Protection Act, 2012 (Act 843), as applicable to our processing activities.

By using our Services, you acknowledge that you have read this Privacy Policy. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

2. Data controller

Savannah Institute for Innovative Finance is the data controller for personal information processed through this website and related communications.

Registered / correspondence address: No. 22 Justice E. P Sowah Avenue, East Legon, Accra P. O. Box CT 6938 – Cantonments

Privacy contact: info@saiifgh.org

If you are located in the European Economic Area (EEA) or United Kingdom and have questions about our use of your personal data, you may contact us using the details above. We will respond within the timeframes required by applicable law.

3. Personal data we collect

We may collect and process the following categories of personal data, depending on how you interact with us:

• Identity and contact data: name, job title, organisation, email address, telephone number, and postal address.
• Communication data: messages, enquiries, attachments, and other content you submit through contact forms, email, or event registrations.
• Subscription data: email address and communication preferences when you subscribe to insights, newsletters, or updates.
• Technical and usage data: IP address, browser type and version, device identifiers, operating system, referral URLs, pages viewed, session duration, and similar analytics data collected through cookies and similar technologies (see our Cookie Policy).
• Consent records: your cookie and marketing preferences, including timestamps and the version of notices accepted.
• Compliance data: information necessary to respond to legal requests, enforce our Terms of Use, or protect our rights.

4. How we collect personal data

• Directly from you when you complete forms, send email, register for events, or communicate with us.
• Automatically when you browse our website, through cookies, server logs, and similar technologies.
• From third parties such as hosting providers, analytics partners, or professional advisers, where permitted by law and subject to appropriate safeguards.

5. Purposes and legal bases for processing

Under the GDPR, we must identify a lawful basis for each processing activity. We process personal data for the purposes below:

• To respond to enquiries and provide information about our programmes (legal bases: contract performance, steps prior to contract, or legitimate interests in responding to stakeholders).
• To send publications, insights, and updates you have requested (legal bases: consent, or legitimate interests where permitted, with easy opt-out).
• To operate, secure, and improve our website and Services (legal bases: legitimate interests in maintaining a secure and effective digital presence; consent for non-essential cookies).
• To analyse aggregated usage trends and measure website performance (legal bases: consent for non-essential analytics cookies).
• To comply with legal obligations, regulatory requests, and court orders (legal basis: legal obligation).
• To establish, exercise, or defend legal claims and prevent fraud or misuse (legal basis: legitimate interests or legal obligation).

6. Cookies and similar technologies

We use cookies, local storage, and similar technologies to operate our website, remember your preferences, and—where you consent—understand how visitors use our Services.

Essential technologies are necessary for core functionality such as security, load balancing, and storing your cookie consent choices. Non-essential technologies, including analytics and marketing cookies, are used only with your prior consent.

For detailed information about the cookies we use, their purposes, retention periods, and how to manage your preferences, please see our Cookie Policy at /cookies.

7. How we share personal data

We do not sell your personal data. We may share personal data with:

• Service providers and processors who assist with website hosting, email delivery, analytics, security, IT support, and professional services, under written contracts requiring appropriate data protection measures.
• Partner organisations where you have been informed and, where required, have consented to such sharing.
• Regulators, law enforcement, courts, or other authorities when required by applicable law or to protect rights, safety, and security.
• Successors in the event of a merger, reorganisation, or transfer of assets, subject to this Privacy Policy or equivalent protections.

8. International transfers

Your personal data may be processed in Ghana and in other countries where our service providers operate. Some of these countries may not provide the same level of data protection as your home jurisdiction.

Where we transfer personal data from the EEA or UK to countries not recognised as providing adequate protection, we implement appropriate safeguards such as Standard Contractual Clauses approved by the European Commission or UK authorities, supplemented by technical and organisational measures where necessary.

You may request further information about international transfers and applicable safeguards by contacting us at the address above.

9. Data retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required or permitted by law.

Enquiry and contact records are typically retained for up to three (3) years from the date of last meaningful contact, unless a longer period is needed for legal, regulatory, or archival purposes.

Marketing subscription data is retained until you unsubscribe or withdraw consent, after which we maintain a suppression record to honour your preferences.

Cookie consent records are retained to demonstrate compliance and may be stored for up to three (3) years.

Server logs and security records may be retained for up to twelve (12) months unless required for incident investigation.

10. Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, loss, or destruction. These measures include access controls, encryption in transit where supported, secure hosting environments, and staff awareness.

No method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security.

If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify you and relevant supervisory authorities as required by applicable law.

11. Your rights

Depending on your location and applicable law, you may have the following rights in relation to your personal data:

To exercise your rights, contact us at info@saiifgh.org. We may need to verify your identity before responding. We aim to respond within one (1) month, or inform you if an extension is required under applicable law.

• Right of access — to obtain confirmation of whether we process your data and receive a copy.
• Right to rectification — to request correction of inaccurate or incomplete data.
• Right to erasure ("right to be forgotten") — to request deletion in certain circumstances.
• Right to restrict processing — to request limitation of processing in certain circumstances.
• Right to data portability — to receive your data in a structured, commonly used, machine-readable format where processing is based on consent or contract and carried out by automated means.
• Right to object — to object to processing based on legitimate interests or for direct marketing at any time.
• Right to withdraw consent — where processing is based on consent, without affecting prior lawful processing.
• Right to lodge a complaint — with a supervisory authority, including the Data Protection Commission in Ghana or your local EU/UK authority.

12. Children

Our Services are not directed at children under sixteen (16) years of age, and we do not knowingly collect personal data from children. If you believe we have collected information from a child, please contact us and we will take steps to delete it promptly.

13. Automated decision-making

We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects on individuals.

14. Third-party websites

Our website may contain links to third-party websites, platforms, or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing personal data.

15. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in law, technology, or our practices. The "Last updated" date at the top of this page indicates when the policy was last revised.

Where changes are material, we will provide prominent notice on our website or by other appropriate means. Continued use of the Services after the effective date of an updated policy constitutes acknowledgement of the changes, subject to applicable consent requirements.

16. Contact and supervisory authority

For privacy-related questions, requests, or complaints, contact:

Savannah Institute for Innovative Finance

No. 22 Justice E. P Sowah Avenue, East Legon, Accra P. O. Box CT 6938 – Cantonments

Email: info@saiifgh.org

You may also lodge a complaint with the Data Protection Commission of Ghana or, if you are in the EEA or UK, with your local data protection supervisory authority.