1. Who we are
CEDIMAKER is a digital legacy management platform headquartered in Accra, Ghana. We help adults aged 30–65 catalogue assets, assemble draft wills, store sensitive documents, designate beneficiaries and executors, and run a heartbeat protocol that keeps legacy plans current.
Our registered contact details:
- Address: Accra, Ghana
- Email: legacy@cedimaker.com
- Data protection contact: privacy@cedimaker.com
- Phone / WhatsApp: +233 (0) 24 322 2058
2. Information we collect
We only collect the minimum data needed to deliver the Service. The categories below reflect the actual fields stored in our backend.
2.1 Account information
- Email address and phone number (one of each per account)
- First name, last name, date of birth, and Ghana national identification number (used for identity verification and to seed will-related identity fields)
- Hashed password (we never store passwords in plain text)
- Communication channel preferences (SMS, WhatsApp, Email)
- If you enable multi-factor authentication, an encrypted TOTP secret tied to your authenticator app
- Role assignment within the platform
2.2 Will information
- Testator details: full name, identification type and number, address, and date of birth
- Family information: marital status, whether you have minor children, whether your spouse is included, spouse name and share percentage
- Witness information: full names, identification numbers, and the timestamps at which witnesses sign
- Beneficiary information: full name, relationship to you, contact details (phone and email), identification type and number, the asset(s) assigned to them, and the percentage share they receive
- Executor information: full name, identification, and contact details
- Will status, type, and a sound-mind acknowledgement timestamp
2.3 Asset information
- Asset type, name, description, estimated value, and currency
- Type-specific fields, such as institution name and account number for bank accounts, property address and land registry number for real estate, vehicle make / model / registration, wallet address and exchange for cryptocurrency, business name and registration number, debtor details for debts owed, and similar identifiers
- Joint-ownership flags and co-owner names where applicable
- Information about related persons (relatives, dependants, associates) you choose to record, including names, relationships, contact details, and identification
2.4 Documents you upload
- Files such as title deeds, land certificates, bank or investment statements, pension and insurance policies, business certificates, ID documents, draft and signed wills, legal forms, and other supporting documents
- File metadata: original file name, MIME type, size (up to 25 MB per file), and the document type and entity it is linked to
- Virus-scan results from our internal scanning service. Files that fail scanning are quarantined and never made available for download.
2.5 Heartbeat protocol data
- Your chosen check-in frequency, response channels (SMS, phone, email, push, physical letter), primary phone, primary email, and optional physical address for escalation
- Records of each check-in attempt and your response, used to determine when escalation contacts (next-of-kin, executor, law firm) should be notified
2.6 Support and ticketing
- Subjects, messages, attachments, and statuses for tickets you raise with our support team. Internal staff notes on tickets are never shown to you.
2.7 Technical and audit data
- Device information from sign-in (browser, operating system), tracked so you can review and revoke active sessions
- IP addresses captured against authentication and sensitive actions for security and audit purposes
- An immutable audit trail of significant actions (account changes, will signing, document uploads, role changes), used for compliance, fraud detection, and dispute resolution
2.8 Information about other people
When you record beneficiaries, executors, witnesses, related persons, or escalation contacts, you are submitting personal data about third parties. By doing so, you confirm that you have a lawful basis (typically the legitimate interest of estate planning or your relationship to the person) and that you have informed those individuals where reasonably practicable. We process that data only to deliver the Service to you and to contact those individuals when your plan or heartbeat protocol requires it.
3. How we use your information
We use personal data to:
- Create and operate your account and verify your identity
- Provide the will-drafting, asset-cataloguing, document-storage, heartbeat, and legal-partner discovery features you actively use
- Send transactional messages over SMS, WhatsApp, and email, including one-time passwords, password resets, heartbeat check-ins, escalation notices, and ticket updates
- Detect and prevent fraud, abuse, and unauthorised access (rate limiting, login monitoring, audit logging)
- Comply with legal obligations, court orders, and lawful regulator requests in Ghana
- Improve the platform’s reliability, performance, and security — using aggregated and de-identified information wherever possible
4. Legal bases for processing
Under the Data Protection Act, 2012, we rely on the following grounds:
- Performance of a contract: We must process your data to deliver the Service you signed up for — for example, storing your will or sending heartbeat messages.
- Your consent: For optional features such as enabling multi-factor authentication, sharing your draft will with a chosen legal partner, or marketing communications. You may withdraw consent at any time.
- Legal obligation: For audit retention, anti-fraud monitoring, and responses to lawful demands from competent Ghanaian authorities.
- Legitimate interests: For securing the platform, preventing abuse, communicating with executors and beneficiaries on your instructions, and maintaining business records — balanced against your rights and freedoms.
- Vital interests: In rare cases where heartbeat escalation is needed to alert next-of-kin or an executor about a missed check-in.
6. Sub-processors we rely on
The following third parties help us deliver the Service. Each is bound by contractual obligations to protect your data and use it only for the purposes we instruct.
- Vercel Inc. — hosting of the legacy.cedimaker.com web application and supporting edge infrastructure.
- Cloudflare, Inc. — storage of all uploaded documents in the Cloudflare R2 object store, and platform-level DDoS protection.
- Twilio Inc. — delivery of SMS and WhatsApp messages (one-time passwords, heartbeat check-ins, alerts).
- Email delivery provider — transactional email (account verification, password reset, ticket updates, heartbeat notifications).
- Cloud database provider — managed PostgreSQL hosting for our auth, will, asset, document, and admin services.
A current list of sub-processors and their roles is available on request from privacy@cedimaker.com.
7. International data transfers
Some sub-processors operate outside Ghana, including in the United States, the European Union, and the United Kingdom. Where data leaves Ghana, we rely on appropriate safeguards under the Data Protection Act, 2012 — for example, contractual data protection clauses with each sub-processor and review of the recipient country’s legal regime. Document files held in Cloudflare R2 are encrypted in transit and at rest.
8. How long we keep your data
- Active accounts: we retain your data for as long as your account is active.
- Closed accounts: when you close your account, we soft-delete your records and remove personally identifying content within 90 days, except where retention is needed to complete a will already in force, settle outstanding billing, or satisfy a legal obligation.
- Signed and executed wills: kept for the lifetime of the will plus a reasonable post-execution period to support probate and dispute resolution.
- Audit logs: retained for at least 7 years to support fraud investigations and statutory record-keeping. Personally identifying fields in old audit records are anonymised after that period.
- Documents under legal hold: kept until the related will, asset, or court order is released, regardless of other deletion requests.
9. How we protect your data
- All traffic between your browser and our servers uses TLS encryption.
- Backend services are isolated, authenticated with short-lived JWT tokens, and rotate signing keys on a defined cadence.
- Passwords are hashed with industry-standard algorithms; we never see your plain-text password. Multi-factor authentication is available and recommended.
- Uploaded documents are scanned for malware before being made available for download. Suspicious files are quarantined and blocked.
- Access to production systems by CEDIMAKER staff is restricted, logged, and limited to a need-to-know basis.
- Sensitive endpoints are rate-limited to deter brute force and scraping.
No system is perfectly secure. If we ever discover a personal data breach affecting your information, we will notify you and the Data Protection Commission as required by Section 31 of the Data Protection Act, 2012.
10. Your rights
Under the Data Protection Act, 2012, you have the right to:
- Access the personal data we hold about you
- Have inaccurate or incomplete data corrected (much of which you can edit yourself in Settings)
- Have your data erased, subject to the retention rules in Section 8 and any active legal hold
- Restrict or object to certain processing, including direct marketing
- Withdraw consent for any processing that is based on your consent, without affecting prior lawful processing
- Receive a copy of your data in a portable format, where technically feasible
- Lodge a complaint with the Data Protection Commission
To exercise any of these rights, write to privacy@cedimaker.com. We will respond within the statutory timeframes and may need to verify your identity before acting on requests involving sensitive data.
11. Children
The Service is intended for adults aged 18 and over and is designed for Ghanaians aged 30–65. We do not knowingly collect data from children under 18. If you believe a minor has registered, write to privacy@cedimaker.com and we will delete the account.
12. Heartbeat protocol — specific notice
The heartbeat protocol periodically asks you to confirm you are alive and well. If you miss check-ins, the system escalates by contacting the people you have nominated (next-of-kin, executor, law firm). By enabling the heartbeat protocol you authorise us to contact those individuals through the channels and at the cadence you configure. You can deactivate the protocol at any time in your settings, which immediately stops further check-ins and escalation.
13. Changes to this policy
We may revise this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top and, if changes are material, notify you by email or in-app banner before they take effect. Continued use of the Service after the effective date of an updated policy means you accept the changes.
14. Complaints and supervisory authority
If you believe we have mishandled your data and we have not resolved your concern, you may contact:
Data Protection Commission, Ghana
Independence Avenue, Accra
Email: info@dataprotection.org.gh
Website: dataprotection.org.gh