Privacy Policy
1. Introduction
CoreNett Limited ("CoreNett," "we," "our," or "us") is a systems infrastructure company that designs and operates AI-driven platforms across healthcare delivery, insurance, and financial services. We are incorporated in the Republic of Ghana, with our principal place of business at House #134 University Farm Road, Accra, Ghana.
This Privacy Policy describes how CoreNett collects, uses, stores, shares, and protects personal information when you: (a) visit or interact with our corporate website at www.corenett.com (the "Website"); (b) engage with us for business or procurement purposes; (c) access or use any of our platforms or products, including PharmaNett, SureNett, VisionNett, and our Financial Infrastructure solutions; or (d) contact us for any other reason.
We are committed to processing personal data responsibly, transparently, and in compliance with applicable law — including the Data Protection Act, 2012 (Act 843) of Ghana, the regulations of the Data Protection Commission of Ghana, and other applicable data protection and privacy frameworks to the extent they apply to our operations.
Please read this Policy carefully. By accessing or using the Website or our services, you acknowledge that you have read and understood this Policy.
2. Scope of This Policy
This Policy applies to:
- Website visitors — individuals who browse www.corenett.com, submit forms, or otherwise interact with the Website.
- Prospective clients and partners — individuals who contact CoreNett for business enquiries, demonstrations, or partnership discussions.
- Enterprise clients and their authorised representatives — organisations and individuals who enter into agreements to use our platforms.
- Platform end-users — individuals whose data is processed through CoreNett platforms on behalf of our enterprise clients (where CoreNett acts as a data processor).
- Employees, contractors, and service providers — to the limited extent addressed by this Policy; separate internal policies govern employee data.
Where CoreNett processes personal data on behalf of an enterprise client (e.g., patient records in PharmaNett, claims data in SureNett), the enterprise client is the data controller and CoreNett acts as a data processor. In those cases, the client's own privacy notice governs end-users' rights, and CoreNett's obligations are governed by the applicable data processing agreement.
3. Data Controller Information
For the purposes of personal data collected directly through the Website and corporate interactions, CoreNett Limited is the data controller:
Legal Name: CoreNett Limited
Registration: Incorporated in the Republic of Ghana
Address: House #134 University Farm Road, Accra, Ghana
4. Information We Collect
CoreNett collects personal information only where it is necessary and proportionate to the purposes described in this Policy.
4.1 Website Visitors
When you visit or interact with our Website, we may collect:
- Contact and enquiry data: name, email address, phone number, company name, and job title — provided when you complete a contact form, book a demonstration, or subscribe to communications.
- Communication data: the content of messages or enquiries you send us, including supporting attachments.
- Automatically collected technical data: IP address; browser type and version; operating system; referring URL; pages visited and time spent; device identifiers; language preferences.
- Cookie and tracking data: session identifiers and analytics data as described in Section 7 below.
4.2 Enterprise Clients and Business Representatives
In the course of a business relationship, we may collect:
- Identity and contact information of authorised representatives (name, title, business email, telephone).
- Contractual and commercial information (signed agreements, purchase orders, billing details).
- Communications records (emails, meeting notes, support tickets).
- Technical access credentials and audit logs for platform environments.
4.3 Healthcare and Insurance Platform Data
Where CoreNett operates PharmaNett or SureNett on behalf of a healthcare provider, pharmacy, or insurer, personal data processed may include:
- Patient or beneficiary identity data (name, date of birth, national ID, health insurance number).
- Clinical and prescription data (diagnoses, prescribed medications, dispensing records, clinical notes).
- Claims and authorisation data (pre-authorisation requests, claims submissions, adjudication outcomes).
- Health insurance eligibility and coverage information.
This data is processed on behalf of the enterprise client (the controller). CoreNett does not use this data for its own commercial purposes beyond operating the contracted service.
4.4 Financial Services Platform Data
Where CoreNett provides financial services infrastructure (payment platforms, loan management, or transaction switching), data processed may include:
- Transaction records (amounts, timestamps, counterparties, reference numbers).
- Loan application and credit-assessment data.
- Mobile money account identifiers and wallet reference data.
- Regulatory reporting data as required by the Bank of Ghana and applicable financial sector regulators.
4.5 Special Categories of Data
Certain data we process on behalf of clients — such as health information and biometric identifiers — constitutes sensitive personal data under the Ghana Data Protection Act. We apply heightened security and access controls to such data and process it only on the basis of explicit consent, contractual necessity, or legal obligation.
4.6 Data We Do Not Collect
CoreNett does not:
- Sell or rent personal information to third parties.
- Collect sensitive personal data through the Website (e.g., health conditions, financial account numbers) without a specific operational need and appropriate safeguards.
- Use facial recognition or biometric identification on Website visitors.
5. Legal Basis for Processing
CoreNett processes personal data on the following legal grounds under the Ghana Data Protection Act, 2012 (Act 843) and, where applicable, equivalent provisions of international frameworks:
| Legal Basis | When It Applies |
|---|---|
| Consent | When you voluntarily submit information, subscribe to marketing communications, or grant permission for non-essential cookies or analytics. |
| Contract | When processing is necessary to respond to an enquiry, enter into or perform a contract with you or your organisation, or provide a requested service. |
| Legal Obligation | When processing is required to comply with the Ghana Data Protection Act, Bank of Ghana regulations, or other applicable law. |
| Legitimate Interests | When CoreNett has a genuine business interest (e.g., website security, fraud prevention, analytics, product improvement) that does not override your fundamental rights and interests. |
| Vital Interests | In exceptional circumstances where processing is necessary to protect the life, health, or safety of an individual. |
6. How We Use Your Information
6.1 Website and Corporate Operations
- To respond to enquiries, demonstration requests, and support communications.
- To provide you with information about CoreNett products and services where you have requested this.
- To manage and administer contracts and commercial relationships.
- To send transactional and service communications (e.g., confirmations, invoices, updates).
- To conduct due diligence for business partnerships or vendor engagements.
6.2 Platform Operations (on behalf of enterprise clients)
- To provision, maintain, and operate contracted platforms (PharmaNett, SureNett, VisionNett, Financial Infrastructure).
- To process transactions, claims, prescriptions, or other workflows as directed by the enterprise client.
- To provide technical support, incident management, and system monitoring.
- To enforce contractual service levels and conduct quality assurance.
6.3 Security and Compliance
- To detect, investigate, and prevent fraudulent transactions, unauthorised access, and security incidents.
- To comply with regulatory reporting obligations to the Bank of Ghana, the Data Protection Commission, the National Health Insurance Authority (NHIA), and other applicable regulators.
- To maintain audit trails and records as required by law or contract.
6.4 Analytics and Improvement
- To analyse website usage patterns in aggregate to improve navigation and content.
- To measure platform performance, identify system issues, and enhance service reliability.
- To develop de-identified or aggregated insights for product improvement and strategic planning.
6.5 Marketing (Opt-In Only)
- To send newsletters, product updates, or event invitations where you have consented to receive such communications.
- You may withdraw marketing consent at any time by clicking 'unsubscribe' in any marketing email or by contacting us at Info@corenett.com.
7. Cookies and Similar Technologies
We use cookies and similar tracking technologies on our Website. A cookie is a small text file placed on your device to help us provide a better user experience. We distinguish between the following categories:
| Category | Purpose | Can You Opt Out? |
|---|---|---|
| Strictly Necessary | Core website functionality: session management, security, form submission. | No — required for the site to function. |
| Performance / Analytics | Anonymised measurement of page visits, traffic sources, and user journeys to improve the Website. | Yes — via cookie consent settings. |
| Functional | Remembering preferences (language, form field data) to enhance your experience. | Yes — via cookie consent settings. |
| Marketing / Targeting | Tracking interactions to enable relevant advertising and measure campaign effectiveness. Used only with explicit consent. | Yes — disabled by default; enabled only with consent. |
You can manage cookie preferences at any time through your browser settings or our cookie preference centre on the Website. Disabling cookies may affect certain Website functions.
8. Data Sharing and Third-Party Disclosure
CoreNett does not sell, rent, or trade your personal information. We may share data only in the following circumstances:
8.1 Authorised Sub-Processors and Service Providers
We engage trusted third-party vendors who process data on our behalf under written data processing agreements that require them to maintain equivalent data protection standards. Categories include:
- Cloud infrastructure and hosting providers (servers, storage, backup).
- Email delivery and notification service providers.
- Analytics and monitoring platforms (configured for data minimisation and anonymisation where applicable).
- Customer relationship management (CRM) and helpdesk platforms.
- Security and fraud detection services.
8.2 Enterprise Clients
Where CoreNett acts as a data processor on behalf of an enterprise client, data may be shared back with that client or other processors they have authorised, strictly as directed by the client and within the scope of the data processing agreement.
8.3 Regulatory and Government Authorities
We may disclose personal data where required to do so by law, court order, or regulatory directive — including to the Bank of Ghana, the Data Protection Commission, the Financial Intelligence Centre (FIC), the National Health Insurance Authority (NHIA), or any other competent authority with jurisdiction.
8.4 Corporate Transactions
In the event of a merger, acquisition, restructuring, or sale of all or part of CoreNett's business, personal data may be transferred as part of that transaction. We will provide notice and ensure appropriate safeguards are maintained.
8.5 With Your Consent
We may share data with third parties where you have given explicit, informed consent for a specific purpose not otherwise covered by this Policy.
9. Artificial Intelligence and Automated Decision-Making
CoreNett's platforms embed artificial intelligence, machine learning, and automated decision-support capabilities. We are committed to responsible AI governance, as set out in this section.
9.1 How AI Is Used
- Claims adjudication support in SureNett: AI models analyse clinical and billing data to flag anomalies, support adjudication, and assist fraud detection. Final determinations in high-impact cases remain subject to human review.
- Credit and risk scoring in financial platforms: Automated models assess transaction patterns for risk management purposes on behalf of enterprise clients.
- Operational intelligence: AI-driven analytics detect system anomalies, optimise workflows, and generate operational insights.
9.2 Your Rights Regarding Automated Decisions
Where a decision produces a significant legal or equivalent effect and is based solely on automated processing, individuals have the right to:
- Request human review of the automated decision.
- Obtain a plain-language explanation of the logic involved.
- Contest the decision and provide additional context.
To exercise these rights, contact Info@corenett.com. In many cases, the relevant enterprise client (not CoreNett) is the controller responsible for responding to such requests.
9.3 AI Governance Principles
- Accuracy and fairness: AI models are periodically audited for bias, accuracy, and proportionality.
- Data minimisation: models are trained and operated using the minimum data necessary for the stated purpose.
- Explainability: CoreNett aims to deploy AI in a manner that supports meaningful human oversight.
- Security: AI infrastructure is subject to the same access controls and security standards as our broader platform estate.
10. International Data Transfers
CoreNett is headquartered in Ghana and primarily processes data within Ghana. Where it is necessary to transfer personal data to service providers or infrastructure located outside Ghana, we ensure appropriate safeguards are in place, which may include:
- Standard contractual clauses or equivalent contractual protections.
- End-to-end encryption of data in transit and at rest.
- Data minimisation — transferring only what is strictly necessary for the processing purpose.
- Restricted access controls limiting who can view transferred data.
We do not transfer data to jurisdictions that we assess as presenting an unacceptable risk to the rights and freedoms of data subjects without additional safeguards.
11. Data Security
CoreNett implements a layered security architecture to protect personal data against unauthorised access, loss, disclosure, or destruction:
- Encryption in transit (TLS 1.2 or higher) and encryption at rest for sensitive data stores.
- Role-based access controls (RBAC) and the principle of least privilege for all production systems.
- Multi-factor authentication (MFA) for system access by staff and contractors.
- Continuous monitoring, intrusion detection, and security information and event management (SIEM).
- Regular vulnerability assessments, penetration testing, and security patch management.
- Staff training on data protection and information security.
- Documented incident response and business continuity procedures.
No method of data transmission or storage is completely secure. While we take rigorous measures, we cannot guarantee absolute security. If you believe your personal data has been compromised, please notify us promptly at Info@corenett.com.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, CoreNett will:
- Notify the Data Protection Commission of Ghana within 72 hours of becoming aware of the breach, where feasible and required by law.
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights — including a description of the nature of the breach, the likely consequences, and measures taken or proposed.
- Where CoreNett is acting as a data processor, notify the relevant enterprise client (controller) promptly to allow them to fulfil their notification obligations.
- Maintain an internal breach register documenting all security incidents, regardless of whether external notification is required.
13. Data Retention
We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law or contract. Key retention considerations include:
- Website enquiry and contact data: retained for up to 24 months from last interaction, or until you request deletion.
- Contractual and commercial records: retained for the duration of the contract and for up to 7 years thereafter, consistent with Ghanaian commercial law.
- Platform transaction records: retained as required by relevant financial sector regulations (Bank of Ghana directives) and applicable client contracts.
- Healthcare and clinical data: retained in accordance with Ghana Health Service guidelines, NHIA regulations, and applicable clinical standards — typically no less than 10 years for adult records.
- Security and audit logs: retained for a minimum of 12 months and up to 5 years depending on regulatory requirements and incident investigation needs.
When data is no longer required, we securely delete or anonymise it in accordance with our data destruction standards.
14. Your Privacy Rights
Under the Ghana Data Protection Act, 2012 (Act 843) and applicable regulations, you have the following rights in relation to your personal data:
| Right | What It Means |
|---|---|
| Right of Access | You may request confirmation of whether we hold your personal data and obtain a copy of it. |
| Right to Rectification | You may request correction of inaccurate or incomplete personal data. |
| Right to Erasure | You may request deletion of your personal data where it is no longer needed for the original purpose, or where you withdraw consent. |
| Right to Restriction | You may ask us to restrict processing of your data in certain circumstances (e.g., while accuracy is contested). |
| Right to Object | You may object to processing based on legitimate interests, including for direct marketing. |
| Right to Portability | You may request your data in a structured, machine-readable format for transfer to another controller. |
| Right to Withdraw Consent | Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. |
| Right to Complain | You have the right to lodge a complaint with the Data Protection Commission of Ghana (www.dataprotection.org.gh). |
To exercise any of these rights, please submit a written request to Info@corenett.com. We will respond within 30 days (extendable to 60 days for complex requests, with notice). We may need to verify your identity before processing your request.
Note: Where CoreNett processes data as a data processor on behalf of an enterprise client, please direct your rights request to that organisation (the data controller) in the first instance. CoreNett will cooperate with and assist the controller in responding.
15. Children's Privacy
The CoreNett Website and our corporate products are not directed to, or intended for use by, children under the age of 18 without the involvement of a parent, guardian, or authorised adult representative.
Where our platforms process health or other data relating to minors (e.g., paediatric pharmacy records or insurance beneficiaries), this is done solely on behalf of and under the instructions of the enterprise client (the controller), which is responsible for ensuring appropriate parental or guardian consent has been obtained.
If we become aware that we have inadvertently collected personal data from a child without proper authorisation, we will promptly delete that data and notify the relevant enterprise client.
16. Third-Party Links and Integrations
The Website may contain links to third-party websites, and our platforms may integrate with external services (such as mobile money providers, laboratory information systems, or banking APIs). This Policy does not apply to those third-party sites or services.
We encourage you to review the privacy policies of any third-party services you access. CoreNett is not responsible for the data practices of third parties.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or operational circumstances. When we make material changes, we will:
- Update the 'Effective Date' and 'Version' at the top of this document.
- Post the revised Policy on www.corenett.com/privacy-policy.
- Endeavour to notify you directly by email, where we hold your contact information and the change is material.
Continued use of the Website or our services after the effective date of any update constitutes your acceptance of the revised Policy.