Skip to content
You are offline. Some features may be unavailable.

Data Protection Policy

Last updated: 1 May 2026

1. Our Commitment

Esper Global LLC (“EsperWorks”) is committed to protecting the personal data of our users, their clients, and anyone whose data is processed through our platform. We apply GDPR-aligned data protection principles across all our operations, regardless of where our users are located.

This policy supplements our Privacy Policy and explains in detail how we protect data technically and organisationally.

2. Data Protection Principles

We process personal data in accordance with the following principles:

  • Lawfulness, fairness, and transparency. we only process data with a lawful basis and are transparent about how we use it.
  • Purpose limitation, data is collected for specified, explicit purposes and not processed in ways incompatible with those purposes.
  • Data minimisation, we collect only the data necessary for the stated purpose.
  • Accuracy, we take reasonable steps to ensure data is accurate and up to date.
  • Storage limitation, data is retained only as long as necessary.
  • Integrity and confidentiality, data is protected against unauthorised access, loss, or destruction.

3. Technical Security Measures

We implement the following technical controls:

  • Encryption in transit: All data between your browser and our servers is encrypted using TLS 1.2+.
  • Password security: Passwords are hashed using bcrypt with a cost factor of 12. We never store plain-text passwords.
  • Two-factor authentication: TOTP-based 2FA with backup codes is available on all accounts.
  • Session management: Sessions are tracked per device. You can view and revoke active sessions at any time.
  • API security: API keys use SHA-256 fast lookup with bcrypt fallback. All keys are scoped and rate-limited.
  • Webhook integrity: Outbound webhooks are signed with HMAC-SHA256. Payment webhooks from Paystack are verified with HMAC-SHA512.
  • File storage: Uploaded files and generated PDFs are stored on Cloudflare R2 with private access controls.
  • Soft deletes: Sensitive records (invoices, payments, contracts) are soft-deleted, preserving audit trails.
  • Rate limiting: Authentication endpoints are limited to 5 requests/minute. API endpoints are limited to 60 requests/minute per user.
  • Input sanitisation: All AI-generated HTML output is sanitised with DOMPurify before rendering.

4. Organisational Measures

  • Access to production data is restricted to authorised personnel only.
  • We use error monitoring (Sentry) to detect and respond to security incidents.
  • Security events are logged to a separate security log with IP, user agent, and action details.
  • We conduct regular reviews of access controls and security configurations.

5. Data Processor Relationships

EsperWorks acts as a data processor on behalf of our business users when processing their clients' data. Our business users are the data controllers for their client data.

We use the following sub-processors:

Sub-processorPurposeLocation
PaystackPayment processingNigeria / Global
FlutterwavePayment processingNigeria / Global
Cloudflare R2File storageGlobal (CDN)
ResendTransactional emailUSA
PusherReal-time notificationsUSA / EU
SentryError monitoringUSA
RailwayApplication hostingUSA
PostHogProduct analyticsUSA / EU

6. Data Retention

  • Account data is retained while your account is active.
  • On account deletion, personal data is removed within 30 days.
  • Financial records (invoices, payments) may be retained for up to 7 years to comply with tax and accounting regulations.
  • Security logs are retained for 90 days.
  • Deleted records are soft-deleted first and permanently purged by our data retention job after the applicable retention period.

7. Your Rights

Under applicable data protection law, you have the right to:

  • Access, request a copy of the personal data we hold about you.
  • Rectification, correct inaccurate or incomplete data.
  • Erasure, request deletion of your data (subject to legal retention requirements).
  • Portability, export your data in a machine-readable format from your account settings.
  • Restriction, request that we restrict processing of your data in certain circumstances.
  • Objection, object to processing based on legitimate interests.

To exercise any of these rights, email privacy@tryesperworks.com. We will respond within 30 days.

8. Data Breach Response

In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users within 72 hours of becoming aware of the breach. Notification will include the nature of the breach, data affected, likely consequences, and steps we are taking to address it.

9. Applicable Law

EsperWorks operates under the laws of the Republic of Ghana, including the Data Protection Act, 2012 (Act 843). We also apply GDPR-equivalent standards as a baseline for all users regardless of location.

If you are located in the European Economic Area, you have the right to lodge a complaint with your local data protection authority.

10. Contact

Data protection enquiries: privacy@tryesperworks.com
Esper Global LLC, Nii Nortey Palm Crescent, North Legon, Accra, Ghana.