1 About This Policy
General Trust Company Ltd ("we", "us", or "our") operates the GenTrust mobile application (the "App") — a pension and investment management platform that enables members to view and manage their accounts and access investment products. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use the App.
By downloading, installing, or using GenTrust, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the App.
Regulatory notice: General Trust Company Ltd is licensed and regulated by the National Pensions Regulatory Authority (NPRA) of Ghana. The processing of your personal data is required by law for KYC (Know Your Customer), member onboarding, and pension reporting obligations under the National Pensions Act, 2008 (Act 766) and applicable NPRA guidelines.
2 Data We Collect
We collect the following categories of personal and sensitive data:
2.1 Information You Provide Directly
| Data Type | Examples | Required? |
|---|---|---|
| Identity | Full name, date of birth, gender, profile photo | Yes |
| Contact | Email address, phone number, home address | Yes |
| Government ID | SSNIT number, Ghana Card / National ID | Yes – KYC |
| Financial | Account number, pension contributions, investment portfolio records | Yes |
| Account credentials | Username, encrypted password, PIN (hashed — never stored in plain text) | Yes |
2.2 Data Collected Automatically
| Data Type | Examples | Can Opt Out? |
|---|---|---|
| Device information | Device model, OS version, device ID, screen size | No |
| Usage data | Features accessed, screens viewed, session duration | Partial |
| Network data | IP address, network type (Wi-Fi / mobile data) | No |
| Crash & diagnostics | App crash logs, performance metrics | Partial |
| Biometric / Security | Fingerprint / Face ID — processed on-device only, never sent to servers | Optional |
2.3 Data We Do Not Collect
- We do not access your contacts, microphone, camera roll, or SMS messages unless explicitly required for a specific feature and consented to.
- We do not collect precise GPS location unless you enable location-based features.
- We do not sell your personal data to third parties for marketing purposes.
3 How We Use Your Data
We use your data only for the purposes described below:
- Account creation & management — to create and maintain your GenTrust account, including account tier management (Tier 1, Tier 2, etc.).
- KYC / Identity verification — to comply with financial regulations, verify your identity, and prevent fraud.
- Customer support — to respond to your enquiries and resolve account issues.
- Security & fraud prevention — to detect suspicious activity, protect your account, and maintain platform integrity.
- Regulatory compliance — to satisfy reporting obligations to the National Pensions Regulatory Authority (NPRA) under the National Pensions Act, 2008 (Act 766) and applicable Ghanaian laws.
- Service improvements — aggregate, anonymised analytics to understand how the App is used and improve features.
- Notifications — to send you account alerts, security notifications, and (with your consent) product updates.
We will never use your personal data for targeted advertising or share it with advertisers.
4 Data Sharing & Disclosure
We do not sell, rent, or trade your personal data. We may share data only in the following circumstances:
4.1 Service Providers
We engage trusted third-party processors who assist in operating the App. All processors are contractually bound to handle data only as we instruct and to maintain adequate security:
- Cloud infrastructure — secure hosting of app data
- KYC / Identity verification providers — for regulatory compliance and member onboarding checks
- Analytics (anonymised) — crash reporting and app diagnostics (e.g., Firebase Crashlytics)
- SMS / Push notification services — for OTPs and account alerts
4.2 Legal & Regulatory Obligations
We may disclose your data to regulators, courts, law enforcement, or government bodies when required by applicable law, including:
- National Pensions Regulatory Authority (NPRA) — regulatory reporting and member data submissions
- Social Security and National Insurance Trust (SSNIT) — pension contribution reporting
- Court orders, subpoenas, or lawful government requests
4.3 Corporate Transactions
In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. You will be notified before data is transferred and becomes subject to a different privacy policy.
4.4 With Your Consent
For any sharing not described above, we will request your explicit consent before sharing your data.
5 Data Retention
We retain personal data only as long as necessary for the purposes in this policy or as required by law:
| Data Category | Retention Period |
|---|---|
| Account & identity data | Duration of account + 7 years (NPRA requirement) |
| Pension & investment records | 10 years (National Pensions Act, 2008 requirement) |
| KYC documents | 5 years after account closure |
| Support communications | 3 years |
| Crash / diagnostic logs | 90 days |
| Usage analytics (anonymised) | 24 months |
Upon account deletion, we will anonymise or securely delete your data within 30 days, except where retention is required by law.
6 Data Security
We implement industry-standard technical and organisational measures to protect your data:
- Encryption in transit — all data transmitted between your device and our servers uses TLS 1.2+ encryption.
- Encryption at rest — sensitive data stored on our servers is encrypted using AES-256.
- On-device biometrics — fingerprint and Face ID data is processed entirely on your device and never transmitted to our servers.
- Multi-factor authentication (MFA) — all account logins require OTP verification.
- Access controls — employee access to personal data is strictly limited on a need-to-know basis with full audit trails.
- Regular audits — our systems undergo regular security assessments and penetration testing.
If you believe your account has been compromised, contact us immediately at info@gentrustgh.com.
7 Your Rights
You have the following rights regarding your personal data:
7.1 Rights Available to All Users
- Right to access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete data.
- Right to deletion — request deletion of your account and personal data (subject to legal retention requirements).
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to withdraw consent — withdraw consent for non-essential data processing at any time.
- Right to lodge a complaint — file a complaint with the relevant data protection authority.
7.2 How to Exercise Your Rights
Exercise your rights within the App under Settings → Privacy & Data, or by contacting us at info@gentrustgh.com. We will respond within 30 days.
7.3 Account Deletion
To delete your account, go to Settings → Account → Delete Account in the App, or email info@gentrustgh.com with the subject line "Account Deletion Request". We will process your request within 30 days and confirm deletion via email.
8 Children's Privacy
GenTrust is a pension and investment management application intended for users who are 18 years of age or older. We do not knowingly collect personal data from individuals under 18.
If we become aware that we have inadvertently collected data from a child under 18, we will promptly delete such information. If you believe a minor has provided us with personal data, contact us at info@gentrustgh.com.
9 Third-Party Services & SDKs
The App integrates the following third-party services. Each has its own privacy policy which we encourage you to review independently:
| Service | Purpose | Data Shared |
|---|---|---|
| Firebase (Google) | Analytics, crash reporting, push notifications | Device ID, anonymised usage data |
| KYC Provider | Identity & member verification | Name, ID number, document image |
| SMS Gateway | OTP & account security alerts | Phone number, message content |
We are not responsible for the privacy practices of third-party services.
10 International Data Transfers
Your data is primarily stored and processed in Ghana. Where data is transferred to service providers outside Ghana (e.g., cloud infrastructure), we ensure such transfers use appropriate safeguards, including standard contractual clauses or equivalent data protection agreements.
For users in the European Economic Area (EEA), transfers outside the EEA are conducted under the European Commission's Standard Contractual Clauses (SCCs) where applicable.
11 Changes to This Policy
We may update this Privacy Policy periodically. When we do, we will:
- Update the "Last updated" date at the top of this page
- Display an in-app notification informing you of the change
- For material changes, request your re-acknowledgement before continued use
Your continued use of the App after changes are posted constitutes acceptance of the updated policy.
12 Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please reach out: