Privacy Policy

Effective Date: February 2026 | Last Updated: February 2026

1. Introduction

CARAT is a premium event ticketing platform operated by Grayco Technologies Limited, a company registered in Ghana with its principal office in Accra, Ghana. For purposes of data protection law, Grayco Technologies acts as a Controller for end-user data. For event organisers using the platform, we may also act as a data processor.

This Privacy Policy complies with the Data Protection Act, 2012 (Act 843), the EU General Data Protection Regulation (GDPR, EU Regulation 2016/679) where applicable, and West African regional data protection frameworks.

2. Data We Collect

Customer Data

  • Full name
  • Email address
  • Phone number
  • Billing information
  • Event attendance records
  • Account credentials (if registered)

Transaction Data

  • Payment references
  • Payment method
  • Order history

Note: Card details are not stored by CARAT. Payments are processed through PCI-DSS-compliant providers such as Paystack.

Technical Data

  • IP address
  • Browser type
  • Device information
  • Usage logs
  • Cookies

3. Legal Basis (GDPR Standard)

We process personal information under the following legal bases:

  • Contractual necessity — to fulfil ticket purchases and event access
  • Legal obligation — compliance with tax and anti-fraud laws
  • Legitimate interest — security, analytics, and fraud prevention
  • Consent — for marketing communications (where applicable)

4. Purposes of Processing

  • Ticket issuance and QR code validation
  • Entry verification at events
  • Customer support
  • Service improvement
  • Fraud detection and prevention

5. Data Sharing

We share data with payment processors and IT hosting providers only where necessary. We may also share information with legal authorities when required by law. We do not sell your personal data.

6. International Transfers

Where data is transferred outside Ghana, we ensure appropriate safeguards are in place, including contractual clauses or equivalent protections that meet recognised data protection standards.

7. Data Retention

We retain financial records as required by law. Personal data is retained until deletion is requested, unless law requires longer retention.

8. Your Rights

You have the right to:

  • Access your personal data
  • Request correction of inaccurate data
  • Request erasure of your data
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time

To exercise your rights, contact us at privacy@carat.events.

9. Security Measures

  • Encryption via HTTPS
  • Role-based access controls
  • Payment tokenisation via Paystack
  • Secure cloud infrastructure
  • Audit logging

10. Children

CARAT does not knowingly collect data from children under 16 without parental consent.

11. Governing Law

This policy is governed primarily by the laws of the Republic of Ghana. For EU residents, GDPR rights are additionally maintained.