FirmAssist is committed to the protection of personal data in full compliance with the Data Protection Act, 2012 (Act 843) of the Republic of Ghana ("the Act"), as enforced by the Data Protection Commission ("DPC"). This policy sets out how we meet our obligations under the Act and protect the rights of all data subjects whose information is processed through our platform.
This Data Protection Policy is governed by the following legislation:
In accordance with the Act, FirmAssist adheres to the following eight data protection principles in all processing activities:
| Principle | Section | Our Commitment |
|---|---|---|
| Accountability | s.18 | We are registered as a data controller and maintain records of all processing activities |
| Lawfulness of Processing | s.20 | We process personal data only with consent or on other lawful grounds specified in the Act |
| Specification of Purpose | s.22 | We collect data for specific, explicitly defined purposes communicated to users |
| Compatibility | s.25 | We do not process data for purposes incompatible with the original collection purpose |
| Quality of Information | s.26 | We take steps to ensure personal data is accurate, complete, and up to date |
| Openness | s.27 | We publish clear information about our data processing practices |
| Data Security Safeguards | s.28 | We implement appropriate technical and organisational measures to secure data |
| Data Subject Participation | s.33-44 | We facilitate and honour data subjects' rights of access, correction, and objection |

Additionally, we observe the principle of minimality (Section 19), ensuring that personal data is only processed if the purpose is necessary, relevant, and not excessive.
FirmAssist processes client data that our users (lawyers and law firms) input into the platform. In this capacity, our users act as the primary data controllers for their clients' data under the Act, and FirmAssist acts as a data processor. Client data may include:
We recognise that legal case files may contain special personal data as defined in Section 37 of the Act (including data relating to criminal proceedings, health, or other sensitive matters). We apply enhanced security measures to all case data and require users to obtain the additional consent required under Section 37(2)(b) of the Act before entering such data.
| Activity | Data Processed | Lawful Basis (Act 843) | Retention Period |
|---|---|---|---|
| Account creation | Name, email, phone, firm details | Consent (s.20) / Contract | Duration of account |
| Case management | Case details, client data, documents | Contract / Legitimate interest | Duration of account + 90 days |
| Billing & invoicing | Financial records, payment data | Contract / Legal obligation | 7 years (tax compliance) |
| WhatsApp notifications | Client phone numbers, message content | Consent (user-configured) | 30 days (message logs) |
| Google Calendar sync | Calendar events, dates, descriptions | Explicit consent | Duration of connection |
| AI Paralegal | Prompts, case context, generated content | Contract / Consent | Session-based (not permanently stored) |
| Client portal | Case status, invoices, portal access links | Consent / Contract | Duration of portal link validity |
| Analytics | Anonymised usage data | Legitimate interest | 12 months |

In compliance with Section 28 of the Act, which requires data controllers to secure the integrity and confidentiality of personal data, we implement the following measures:
In accordance with Section 30 of the Act, we ensure that all third-party processors comply with adequate data protection standards:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Google (Firebase) | Hosting, database, authentication, storage | All platform data | USA / Global (Google Cloud) |
| Anthropic (Claude AI) | AI paralegal features | User prompts and case context (session-based) | USA |
| Twilio | WhatsApp message delivery | Client phone numbers, message content | USA / Global |
| Paystack | Payment processing | Billing details, transaction data | Nigeria / Ghana |
| Google Calendar API | Calendar synchronisation | Event titles, dates, descriptions | USA / Global |

For cross-border transfers (Section 36 of the Act), we ensure that receiving countries provide adequate data protection through contractual safeguards and industry-standard security certifications (SOC 2, ISO 27001) maintained by our processors.
The Act grants the following rights to data subjects. FirmAssist provides mechanisms to facilitate each right:
| Right | Section | How to Exercise |
|---|---|---|
| Access your data | s.35 | Contact us to request a copy of all personal data we hold about you |
| Correct inaccurate data | s.33 | Update your profile directly in the app, or contact us |
| Object to processing | s.39 | Contact us to object to specific processing activities |
| Prevent direct marketing | s.40 | Disable notifications in Admin Panel, or contact us |
| Restrict automated decisions | s.41 | Contact us to request human review of AI-assisted outputs |
| Rectify or erase data | s.44 | Contact us to have inaccurate data corrected or deleted |
| Seek compensation | s.43 | Lodge a claim if you suffer damage from non-compliance |

All requests should be directed to info@firmassist.net. We will respond within 30 days of receiving a valid request.
Lawyers and law firms using FirmAssist act as data controllers for their clients' personal data. As such, you are responsible under the Act for:
FirmAssist provides tools to facilitate your compliance, including client portal data visibility, data export functionality, and role-based access controls.
In the event of a personal data breach, FirmAssist will:
We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to data subjects' rights, including the introduction of new features, changes to AI processing capabilities, and new third-party integrations.
In accordance with Section 46 of the Act, FirmAssist maintains its registration as a data controller with the Data Protection Commission of Ghana. Our registration is subject to renewal every two years as required by the Act.
FirmAssist ensures that all personnel involved in the processing of personal data are aware of their obligations under the Act and receive appropriate training on data protection principles, security procedures, and breach response protocols.
This Data Protection Policy is reviewed annually and updated as necessary to reflect changes in our processing activities, the regulatory environment, or technological developments. Material changes will be communicated via email or a notice on the platform.
For data protection enquiries, requests, or complaints:
If you are unsatisfied with our response, you have the right to lodge a complaint with the Data Protection Commission of Ghana: