Privacy Policy

This Privacy Policy explains how Kas Maven Consult (“Kasem”, “we”, “us”, “our”) collects, uses, stores, and protects information when you use the Kasem platform, accessible at kasem.app and its institutional subdomains (e.g., yourorg.kasem.app).

Kasem is an anonymous internal reporting platform that enables institutions — including schools, companies, and organisations — to receive and manage confidential reports from their members or employees.

This Policy applies to:

• Institutions that subscribe to and operate a Kasem portal (“Subscriber Institutions”);
• Administrators appointed by a Subscriber Institution to manage reports; and
• Individuals who submit reports through a Subscriber Institution's Kasem portal (“Reporters”).

By accessing or using Kasem, you acknowledge that you have read and understood this Privacy Policy. If you are acting on behalf of a Subscriber Institution, you confirm that you have the authority to bind that institution to this Policy.

Kasem is operated from Ghana and is subject to the Ghana Data Protection Act, 2012 (Act 843) (“DPA 843”). All personal data collected and processed by Kasem is handled in accordance with DPA 843, including the requirement that data be:

• Collected for a specific, explicit, and legitimate purpose;
• Processed lawfully, fairly, and in a transparent manner;
• Adequate, relevant, and limited to what is necessary for the stated purpose;
• Accurate and kept up to date where necessary;
• Retained only as long as necessary for the stated purpose; and
• Processed in a manner that ensures appropriate security.

Kasem is registered as a data controller under the jurisdiction of the Data Protection Commission of Ghana to the extent required by law.

3.1 Subscriber Institution Accounts

When an institution registers on Kasem, we collect:

• The name, email address, and password (hashed) of the person registering the account;
• The name of the institution and, optionally, its logo or branding information;
• The chosen subdomain for the institution's portal; and
• Billing and subscription information (processed via our payment provider — we do not store full card details).

3.2 Reporter Submissions

Kasem is designed so that Reporters do not need to provide any directly identifying personal information to submit a report. Reporters do not create user accounts and are not required to provide their name, email address, telephone number, or any other direct identifier.

Pseudonymous Case Identity: When a Reporter submits a case, Kasem generates a unique, random case reference number. The Reporter is also presented with a Recovery Phrase. A one-way cryptographic hash of the Recovery Phrase is stored in our database — this hash cannot reasonably be reversed to identify the Reporter. The Recovery Phrase itself is never stored in plaintext.

System Metadata: Our infrastructure (Supabase, hosted in the EU West – Ireland region) may automatically log certain technical metadata associated with a submission request, including IP addresses and timestamps, as part of standard server and security logging. Kasem does not proactively collect, display, or link this metadata to any submitted case content.

Case Content: The content of a report is stored and associated only with the anonymised case reference. Kasem does not analyse, mine, or share case content beyond making it available to the designated administrators of the relevant Subscriber Institution.

3.3 Usage Data

Kasem may collect standard analytics data relating to how the platform is used, such as pages visited, session durations, and browser or device type. This data is aggregated and used solely to improve the platform. It is not linked to individual user identities.

We use the information we collect for the following purposes:

• To create and manage Subscriber Institution accounts and associated portals;
• To enable the secure submission, storage, and management of anonymous reports;
• To generate and maintain pseudonymous case identities that allow Reporters to track or update their own submissions;
• To communicate with institutional administrators regarding their accounts, subscription status, or platform updates;
• To process subscription payments;
• To maintain the security and integrity of the platform and detect or prevent fraudulent or unauthorised activity;
• To comply with applicable legal obligations; and
• To improve the platform through aggregated, anonymised usage analysis.

We do not use personal data for marketing to individual Reporters, and we do not sell personal data to third parties.

Storage Location: All Kasem data is stored on Supabase infrastructure in the EU West (Ireland) region. By using Kasem, Subscriber Institutions acknowledge that data will be processed and stored in Ireland.

Security Measures: Kasem implements industry-standard technical and organisational measures to protect personal data, including encrypted data transmission (TLS), hashed storage of authentication credentials, database access controls, and row-level security policies enforced at the database level.

Recovery Phrase Hashing: Recovery Phrases are stored exclusively as one-way cryptographic hashes. Kasem personnel cannot retrieve or read any Reporter's Recovery Phrase.

No method of transmission over the internet or electronic storage is completely secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

• Subscriber Institution account data is retained for the duration of the active subscription and for up to 12 months after termination, after which it is deleted or anonymised.
• Case submissions and associated pseudonymous identifiers are retained for as long as the Subscriber Institution's account remains active. Upon account termination, Subscriber Institutions may request export of their case data; case data will be deleted within 90 days of that request.
• System and server logs containing technical metadata are retained for a maximum of 90 days for security purposes.
• Aggregated, anonymised usage analytics are retained indefinitely as they cannot be used to identify individuals.

We do not sell, trade, or rent personal data to third parties. We may share information in the following limited circumstances:

Service Providers: We use Supabase (database and backend infrastructure), Vercel (hosting), and ImprovMX (transactional email relay). These providers act as data processors on our behalf and are contractually required to handle data only in accordance with our instructions and applicable law.

Subscriber Institutions: Case content submitted through an institution's portal is accessible to that institution's designated administrators. Subscriber Institutions are independently responsible for the lawful processing of any personal data contained in case submissions.

Legal Requirements: We may disclose information where required by law, court order, or a competent regulatory authority in Ghana or another jurisdiction with a valid legal basis.

Business Transfers: In the event of a merger, acquisition, or sale of all or part of the Kasem business, personal data may be transferred to the relevant successor entity. We will notify affected users via the registered email address before such a transfer takes effect.

Under DPA 843, individuals whose personal data is processed by Kasem have the following rights:

• The right to be informed about how their data is used (this Policy fulfils that obligation);
• The right to access personal data held about them;
• The right to request correction of inaccurate or incomplete personal data;
• The right to request erasure of personal data, subject to legal or contractual retention obligations;
• The right to object to the processing of their personal data in certain circumstances; and
• The right to lodge a complaint with the Data Protection Commission of Ghana.

To exercise any of these rights, please contact us at hello@kasem.app. We will respond to all valid requests within 30 days. Please note that because Reporter submissions are pseudonymous, Kasem may not be able to verify a Reporter's identity sufficiently to action a data subject request unless the Reporter can provide their Recovery Phrase.

Kasem is architected to protect the identity of Reporters to the greatest extent practicable. However, users should be aware of the following:

• The content of a report may itself contain information that identifies the Reporter, whether intentionally or inadvertently. Reporters are responsible for the content they choose to include in their submissions.
• System-level metadata (such as IP addresses) may be retained in server logs as described in Section 3.2. While Kasem does not proactively link this to case content, this metadata may be accessible to Kasem personnel or infrastructure providers in the context of security or legal investigations.
• The pseudonymous case identity system means that a Reporter who returns using their Recovery Phrase will be recognised as the same submitting party. The Recovery Phrase should be kept secure and should not be shared.

Nothing in this Policy guarantees absolute anonymity. Reporters should exercise their own judgement regarding the information they include in submissions.

Kasem uses technically necessary session cookies to maintain authenticated sessions for Subscriber Institution administrators. These cookies are strictly necessary for the operation of the platform and do not track users across third-party websites.

We do not currently use advertising cookies, cross-site tracking technologies, or third-party analytics cookies that identify individual users. If this changes, this Policy will be updated and users will be notified.

Kasem's platform is intended for use by institutions and their adult administrators. The Kasem portal of a Subscriber Institution may be used by individuals under the age of 18 to submit reports (for example, students at a subscribing school). In such cases, the Subscriber Institution is responsible for ensuring that its use of Kasem complies with any applicable laws relating to the processing of data belonging to minors.

Kasem does not knowingly collect personal data directly from children under the age of 13 outside of the institutional submission context.

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the “Last Updated” date at the top of this Policy;
• Notify Subscriber Institution administrators via email to the registered address; and
• Where required by law, seek fresh consent.

Continued use of the platform after the effective date of any updated Policy constitutes acceptance of the revised terms.

For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact:

You also have the right to lodge a complaint with the Data Protection Commission of Ghana if you believe your data has been processed in a manner that does not comply with DPA 843.