Instaclean

Data Processing Agreement

Instaclean ("we", "us", "our") operates a cleaning services marketplace that connects customers with vetted cleaners through tryinstaclean.com and related services (the "Services"). This Data Processing Agreement ("DPA") explains how we process personal data when we act as a processor on behalf of another organisation or person that determines why and how that data is used (the "Controller"). It also describes how we work with trusted sub-processors and how we meet our obligations under the Data Protection Act, 2012 (Act 843) of Ghana and internationally recognised data protection principles. Where we process the same data as an independent controller (for example, for fraud prevention, product integrity, or our own legal compliance), we do so under our Privacy Policy and applicable law, not under this DPA.

1. Definitions

Act 843 means the Data Protection Act, 2012 (Act 843) of Ghana, as amended or replaced from time to time, together with regulations and guidance issued by the Data Protection Commission of Ghana.

Applicable Data Protection Law means Act 843 and any other data protection or privacy laws that apply to the processing described in this DPA (including, where relevant, laws aligned with GDPR-style principles in the regions where we operate).

Controller means the natural or legal person that decides the purposes and means of processing personal data.

Data Subject means an identified or identifiable person whose personal data is processed.

Personal Data means any information relating to a Data Subject that we process on behalf of a Controller under this DPA.

Processing means any operation performed on Personal Data, such as collection, storage, use, disclosure, adaptation, or deletion.

Processor means Instaclean when we process Personal Data on behalf of a Controller, in accordance with their documented instructions and this DPA.

Sub-processor means a third party we engage to process Personal Data on our behalf in connection with the Services.

Services means the Instaclean marketplace, website, apps, and related features described in our terms and policies.

2. Roles of the parties

Controller. The Controller decides why Personal Data is processed and the essential purposes of that processing, and is responsible for providing any required notices and obtaining any required consents or other lawful bases under Applicable Data Protection Law.

Processor. Instaclean acts as a Processor only where we have agreed in writing (including by reference in a contract, order form, or this published DPA where applicable) to process Personal Data on the Controller's behalf. We process such data only on documented instructions from the Controller (including as set out in this DPA and our agreement with you), unless Applicable Data Protection Law requires otherwise.

Independent roles. Where we determine our own purposes and means (for example, operating the marketplace, improving product safety, or meeting our regulatory obligations as Instaclean), we act as an independent controller for those activities. This DPA does not limit our responsibilities as a controller in those cases.

3. Scope and purpose of processing

This DPA applies to Processing we perform as a Processor to provide the Services, including: creating and managing accounts; matching customers with cleaners and facilitating bookings; communications related to bookings and the marketplace; payments facilitation and related records; identity and safety checks where instructed by the Controller and permitted by law; and other purposes explicitly agreed in writing between us and the Controller.

We will not process Personal Data for incompatible purposes unless required by law, in which case we will inform the Controller beforehand unless we are legally prohibited from doing so.

4. Categories of data

Depending on how you use the Services, categories of Personal Data processed on behalf of a Controller may include:

  • Identifiers and contact details: name, phone number, email address, and similar profile information.
  • Account and booking information: booking times, service type, addresses or locations needed to perform or arrange cleaning, messages or notes reasonably necessary for the booking, and related operational records.
  • Location data: approximate or precise location where needed for booking, routing, or service delivery, in line with product settings and permissions.
  • Verification and trust and safety data (cleaners): identification and verification materials and outcomes (for example, ID checks and background check results or status), where collected and used as part of the marketplace vetting process and as instructed by the Controller relationship applicable to your use case.
  • Payment-related metadata: transaction references, amounts, status, and similar non-card payment metadata processed through our payment partners. Full payment card data is handled by our payment provider in line with their certifications and terms.
  • Technical and service data: limited logs and diagnostics needed to secure and operate the Services (for example, timestamps, device or app version, and error reports), where such data constitutes Personal Data.

This list is illustrative. The Controller remains responsible for describing any additional categories in our written instructions where required.

5. Obligations of the processor

When acting as a Processor, Instaclean will: process Personal Data only on documented instructions from the Controller, including as set out in this DPA and our commercial agreement, unless Applicable Data Protection Law requires other processing (in which case we will inform the Controller unless the law forbids that notice); ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations; and, taking into account the nature of processing, assist the Controller by appropriate technical and organisational measures, where reasonable, with responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law, and with the Controller's obligations relating to security, breach notification, data protection assessments, and prior consultation with regulators, where those obligations apply and the information is available to us.

At the end of the relevant Services (unless we must retain certain data by law), we will delete or return Personal Data in line with Section 9. We will make available information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits agreed in advance (including inspections conducted by the Controller or a mutually agreed independent auditor), subject to confidentiality, security, and business continuity safeguards, and no more than once every twelve months unless required by a regulator or a serious incident warrants more frequent review.

6. Security measures

We implement appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures are risk-based and evolve with our Services, and may include, where appropriate: encryption in transit and encryption at rest for stored data where supported by our systems; access controls, authentication, and least-privilege principles for staff and systems; logging, monitoring, and vulnerability management practices; secure development and deployment practices; and vendor security reviews for material sub-processors.

No method of transmission or storage is completely secure; we commit to maintaining measures appropriate to the risks involved.

7. Sub-processors

To run the Services reliably, we use vetted service providers who may process Personal Data on our instructions. We remain responsible for their performance of processing obligations under this DPA. Examples include:

  • Supabase: database, authentication, file storage, and related backend infrastructure for the Services.
  • Paystack: payment processing and related payment operations.
  • Twilio: SMS, WhatsApp, and related messaging for transactional and operational notifications.

We may add or replace sub-processors from time to time. Where Act 843 or other Applicable Data Protection Law requires authorisation for a new or replacement sub-processor, we will obtain that authorisation or give the Controller the opportunity to object in line with our agreement and the law. We will publish or provide reasonable notice of material changes to sub-processors where our agreement with the Controller requires it. Each sub-processor is contractually required to protect Personal Data and process it only for the purposes we specify.

8. Data subject rights

Data Subjects may have rights under Applicable Data Protection Law, such as rights to access, rectify, erase, restrict, or object to certain processing, and rights related to portability or automated decision-making, where those rights apply. Where Instaclean is the Processor, we will forward requests we receive directly to the Controller unless we are instructed otherwise and unless we are permitted or required to respond directly under law. We will assist the Controller in responding to such requests within a reasonable period, considering the complexity of the request and whether the Controller has supplied necessary information. Where Instaclean is an independent controller for a given processing activity, Data Subjects may exercise their rights through the contact details in Section 14 and our Privacy Policy.

9. Data retention and deletion

We retain Personal Data processed on behalf of a Controller only as long as needed to provide the Services, meet legal obligations, resolve disputes, and enforce our agreements, unless a different retention period is agreed in writing or required by law. When processing on behalf of a Controller ends, we will delete or return Personal Data in accordance with the Controller's reasonable instructions and our technical capabilities, unless we must retain copies under Applicable Data Protection Law. Backups may persist for a limited period under our backup cycles before automatic deletion.

10. Data breach notification

If we become aware of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data processed on behalf of a Controller, we will notify the Controller without undue delay after becoming aware, and in any event within seventy-two (72) hours where feasible and where that timeframe aligns with our regulatory expectations, unless a shorter period is required by Applicable Data Protection Law; provide information reasonably available to us to assist the Controller in meeting its own notification obligations to regulators or Data Subjects; and take reasonable steps to mitigate harm and prevent recurrence. Notifications will describe, to the extent known: the nature of the breach, likely consequences, measures taken or proposed, and contact points for further information. Controllers remain responsible for their own regulatory filings and Data Subject communications where the law places that duty on the Controller.

11. International data transfers

Instaclean may process and store Personal Data in Ghana and in other countries where we or our sub-processors maintain facilities, including countries that may not be deemed to provide an adequate level of protection. Where Applicable Data Protection Law requires safeguards for such transfers, we will implement appropriate mechanisms recognised under that law (for example, contractual clauses, standard contractual terms, or other lawful transfer tools), together with supplementary measures where appropriate, and we will cooperate with the Controller on documentation where reasonably required.

12. Compliance with Ghana Data Protection Act, 2012 (Act 843)

Instaclean is designed to align with Act 843 and the expectations of the Data Protection Commission of Ghana, including principles of lawfulness, fairness, purpose limitation, data minimisation, accuracy, integrity and confidentiality, and accountability, as applicable to our role as Processor or Controller. Where this DPA applies to processing subject to Act 843, we will process Personal Data in line with lawful bases and fair information practices expected under Act 843; implement reasonable security safeguards appropriate to the sensitivity of the data and the risks involved; support lawful rights requests and regulatory cooperation in line with Sections 8 and 10; and cooperate with the Controller in meeting registration, notification, or other obligations that apply to the Controller under Act 843.

Nothing in this DPA is intended to contradict Act 843 where it applies. If a provision of this DPA cannot be applied as written under mandatory local law, that provision will be interpreted or adjusted to the minimum extent necessary to comply, and the remainder will remain in effect.

13. Term and termination

This DPA begins on the effective date of the agreement between Instaclean and the Controller that incorporates it (or, for published terms, when the Controller begins using the Services in a capacity that makes this DPA applicable) and continues until processing on behalf of that Controller ends and all Personal Data has been returned or deleted in accordance with Section 9, unless a longer period is required by law. Termination of the underlying commercial agreement will end the Controller's right to instruct new processing, but will not erase obligations regarding confidentiality, incident response, audit records, and return or deletion of data, which survive as needed to give them practical effect.

14. Contact information

Questions about this DPA, our processing activities, or data protection at Instaclean: support@tryinstaclean.com. Company: Instaclean. Website: https://tryinstaclean.com. We will respond to good-faith requests within a reasonable time, and sooner where required by Applicable Data Protection Law.

15. Updates to this DPA

We may update this DPA from time to time to reflect changes in our Services, sub-processors, or legal requirements. We will post the updated version on this page and adjust the "Last updated" date shown in the Help Center. Where we are required to provide additional notice or obtain consent, we will do so in line with Applicable Data Protection Law and our agreement with the Controller.
