Privacy policy

KOJA HEIGHTS ("we", "us") is a private property-management business based in Accra, Ghana. We operate the kojaheights.com website and direct-booking platform for the residences we own and manage. For Ghana data-protection law, our data-controller email is privacy@kojaheights.com.

• Account info — your name, email, phone number, and (if you sign in with Google) your profile photo.
• Booking info — dates, guest count, nationality, purpose of visit, special requests, and a copy of a government-issued ID at time of booking.
• Payment info — handled entirely by Paystack and Stripe. We never see your card or mobile-money credentials; we store only a gateway reference and the amounts/currency paid.
• Communications — messages you send through the platform, including WhatsApp link-throughs.
• Technical info — IP address, user-agent, and basic device info captured at booking time for security and audit.

• To take, confirm, and service your booking.
• To verify your identity at check-in (a legal and safety requirement for short-term rentals in Ghana).
• To send transactional messages — booking confirmations, check-in details, refunds.
• To respond to your questions and provide concierge service during your stay.
• To keep audit logs and tax records, and to comply with Ghana Revenue Authority requirements.

Booking and financial records: 7 years, per Ghana tax and accounting law. ID document uploads: retained for 18 months after your last stay for safety and dispute resolution, then deleted. Account profile: kept until you ask us to delete it (see Section 7).

• Paystack (payments — Ghana) and Stripe (payments — international): card and mobile-money processing.
• Supabase (database + encrypted storage): infrastructure provider with EU/US data residency.
• Cloudinary (image hosting), Resend (email), Arkesel (SMS/WhatsApp): transactional delivery providers.
• Government authorities: when legally compelled, or when reporting is required (e.g. tax, criminal investigation).

We do not sell, rent, or trade your personal information. Ever.

• HTTPS everywhere; HSTS preloaded.
• 2-step verification on every admin account.
• ID documents stored in a private bucket with row-level security; only the booking guest and admins can read.
• Card data never touches our servers — tokenised by Paystack and Stripe.
• Daily database backups with point-in-time recovery.
• Audit log of every consequential admin action.

Under the Ghana Data Protection Act (Act 843) and the EU GDPR (if you reside in the EU), you can:

• Request a copy of the personal data we hold about you.
• Correct anything that's wrong.
• Ask us to delete your account and personal data, subject to the 7-year financial retention above.
• Withdraw consent for marketing email at any time (we send only transactional email by default).
• Lodge a complaint with the Ghana Data Protection Commission or your local supervisory authority.

Email privacy@kojaheights.com and we'll respond within 30 days.

We use a small number of strictly necessary cookies (session, security, currency preference). We use Plausible Analytics, which is cookie-less. See our cookie policy for the full list.

If we make a material change, we'll email you. Smaller changes (clarifications, typos) are posted here with a new "last updated" date.