Privacy Policy

Version 1.0 · Effective April 2026 · Agora A1 Labs LTD, operating as ThorAI

This Privacy Policy explains how Agora A1 Labs LTD, operating as ThorAI (“we”, “our”, “us”), collects, uses, and protects information about vendors and their customers on the ThorAI platform at trythorai.com. By using ThorAI you agree to this policy.

1. Overview

ThorAI is a multi-tenant e-commerce platform. We act as a data processor on behalf of vendors (who are the data controllers for their customers' data) and as a data controller for vendor account data. We are committed to handling all personal data in accordance with the Ghana Data Protection Act (Act 843), the Nigeria Data Protection Regulation (NDPR), and the EU General Data Protection Regulation (GDPR) where applicable.

2. Data We Collect

Vendor account data

  • Full name, business name, and contact details provided at registration
  • KYC / KYB documents (government ID, business registration certificate, utility bills)
  • Bank account or Mobile Money wallet details for payout setup
  • Billing and subscription payment records
  • Login credentials (passwords are hashed and never stored in plain text)

Store and product data

  • Product listings, descriptions, pricing, and images you upload
  • Store configuration, categories, and branding assets
  • Orders, transactions, and fulfilment records

Customer data (collected on your behalf)

  • Name, email address, and phone number provided at checkout or sign-in
  • Delivery address and order history within your store
  • Session tokens and authentication events

Usage and technical data

  • IP addresses, browser type, and device identifiers
  • Pages visited, features used, and time spent on the platform
  • Error logs and performance metrics used to improve the service

3. How We Use Your Data

  • Providing the service: operating your store, processing orders, sending OTP verification codes, and enabling payment settlements.
  • Identity verification: reviewing KYC / KYB submissions to meet regulatory requirements and enable payment processing.
  • Communication: sending transactional emails and WhatsApp messages related to your account, orders, security alerts, and platform updates.
  • Platform improvement: analysing aggregated, anonymised usage data to improve features and performance.
  • Legal compliance: retaining records as required by applicable law, and responding to lawful requests from regulatory or law enforcement authorities.
  • Fraud prevention: monitoring for suspicious activity to protect vendors, their customers, and the platform.

We do not use your data or your customers' data for advertising, cross-platform tracking, or sale to third parties.

4. Data Sharing

We share data only where necessary to deliver the service:

  • Paystack: payment processing and payout settlement. Governed by Paystack's own privacy policy and PCI-DSS Level 1 compliance programme.
  • Twilio: SMS and WhatsApp OTP delivery. Phone numbers are transmitted solely to send verification codes.
  • Resend: transactional email delivery (order confirmations, account notifications).
  • Google Cloud Platform: infrastructure hosting, object storage for uploaded assets.
  • Regulators and law enforcement: where required by a valid legal obligation or court order.

All sub-processors are bound by data processing agreements that require them to protect personal data to at least the standard required by this policy.

5. Data Retention

  • Active accounts: data is retained for the duration of the vendor relationship plus 7 years to meet financial record-keeping obligations under Ghanaian law.
  • Closed accounts: upon confirmed account closure, personal data is anonymised or deleted within 90 days, except where we are required to retain it by law.
  • Customer data: retained while the vendor's store is active. Vendors may export or delete customer records at any time from the dashboard.
  • KYC documents: retained for a minimum of 5 years from the date of submission, in compliance with anti-money-laundering regulations.

6. Security

  • Data at rest is encrypted using AES-256.
  • Data in transit is protected by TLS 1.2 or higher.
  • Sensitive fields (KYC documents, payout credentials) use envelope encryption with a dedicated key-encryption key (KEK).
  • Passwords are hashed using industry-standard algorithms and are never stored or logged in plain text.
  • Access to production systems is restricted to authorised personnel and protected by multi-factor authentication.
  • We conduct periodic security reviews and respond to responsible disclosure reports at support@trythorai.com.

In the event of a personal data breach, we will notify affected vendors within 72 hours of becoming aware, and where required, notify the relevant data protection authority.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion of your data, subject to legal retention obligations.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to certain types of processing.
  • Restriction: request that we limit how we process your data in certain circumstances.

To exercise any of these rights, email support@trythorai.com. We will respond within 30 calendar days. We may need to verify your identity before processing the request.

8. Cookies

We use a minimal set of cookies necessary to operate the platform:

  • Session cookies: maintain your logged-in state. Expire when you close your browser or your session token lapses.
  • Security cookies: CSRF protection tokens tied to your session.

We do not use advertising cookies, cross-site tracking pixels, or third-party analytics cookies. You can disable cookies in your browser settings, but this will prevent you from logging into the platform.

9. Children

ThorAI is a business platform intended for use by adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact support@trythorai.com and we will delete it promptly.

10. International Transfers

Our infrastructure is hosted on Google Cloud Platform with primary regions in the EU and US. By using ThorAI, you acknowledge that your data may be processed outside your country of residence. Where we transfer personal data outside Ghana or Nigeria, we ensure appropriate safeguards are in place, including standard contractual clauses approved by the relevant data protection authority, to protect your data to the standard required by applicable law.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the vendor dashboard and email at least 14 calendar days before they take effect. The “Effective” date at the top of this page reflects the most recent revision. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

12. Contact

For privacy-related enquiries, data subject requests, or to report a concern:
support@trythorai.com

Agora A1 Labs LTD, operating as ThorAI
trythorai.com

Document Ref: THOR-PRIVACY-2026 · Version 1.0 · Effective April 2026