1. Who We Are
CoopWave is a cloud-based cooperative finance management platform operated by CoopWave, headquartered in Buea, South West Region, Cameroon. We provide software tools for cooperatives, SACCOs, Njangi groups, microfinance institutions, and agricultural cooperatives across Africa to manage their members, savings, loans, and accounting operations.
In the context of data protection, CoopWave acts as a data processor with respect to the personal data of cooperative members — we process this data on behalf of the cooperative (the data controller). CoopWave acts as a data controller with respect to the personal data of cooperative administrators and staff users who hold accounts directly with CoopWave.
For questions about this Privacy Policy, contact us at info.coopwave@gmail.com.
2. Information We Collect
We collect the following categories of information through the platform:
A. Cooperative Administrator and Staff Data
- Full name and email address (used for account creation, login, and communications)
- Job title or role within the cooperative
- Phone number (optional, for account recovery)
- Billing information (processed by our third-party payment processors — not stored by CoopWave directly)
- Usage data: pages visited, features used, login timestamps, and IP addresses (for security and analytics)
B. Cooperative Member Data (entered by the cooperative)
- Identity data: Full name, date of birth, gender, nationality, and profile photo
- Contact data: Phone number, physical address, city, and email address
- Identity verification / KYC data: National ID number, passport number, or other government-issued identification documents and their scanned copies, where collected by the cooperative for its own KYC obligations
- Financial data: Savings account balances, contribution history, deposit and withdrawal records, loan applications, loan disbursements, repayment schedules, outstanding balances, and interest calculations
- Group membership: The cooperative group(s) a member belongs to
- Member portal credentials: Phone number and hashed PIN used to authenticate to the member self-service portal
C. Technical and Operational Data
- Server logs, error logs, and access logs maintained for security, debugging, and infrastructure monitoring
- Browser type, operating system, and device type (collected passively for compatibility and analytics)
- Authentication tokens and session data stored securely in browser local storage on the user's device
3. How We Use Your Information
We use the data we collect for the following purposes:
- Providing the Service: Delivering all platform features — member management, savings and loan tracking, accounting tools, member portal access, and reporting.
- Account management: Creating and maintaining your cooperative account, authenticating users, managing staff roles and permissions, and handling password and PIN resets.
- Communications: Sending transactional emails such as password reset links, staff invitation emails, and important account notifications. We do not send unsolicited marketing emails without your consent.
- Billing and payments: Processing subscription payments and maintaining billing records. Payment card and mobile money data is handled entirely by our third-party processors and is not stored on CoopWave servers.
- Security and fraud prevention: Monitoring for suspicious activity, unauthorized access attempts, and other threats to the integrity of the platform and your cooperative's data.
- Platform improvement: Analyzing aggregated, anonymized usage data to understand how the platform is used and to improve features, performance, and user experience. Individual cooperative data is never used for this purpose without anonymization.
- Legal compliance: Fulfilling obligations under applicable laws, responding to lawful government or regulatory requests, and enforcing our Terms of Service.
4. Legal Basis for Processing
We are committed to aligning our data processing practices with internationally recognized data protection principles, including those of the EU General Data Protection Regulation (GDPR) as a reference framework. Our legal bases for processing personal data are:
- Contractual necessity: Processing required to perform the contract we have with you — operating your cooperative account, delivering the Service, and managing subscriptions.
- Legitimate interests: Processing for our legitimate business interests, such as maintaining platform security, preventing fraud, improving the Service, and communicating service-related updates, provided these interests do not override your fundamental rights.
- Legal obligation: Processing required to comply with applicable laws, regulatory requirements, court orders, or government demands.
- Consent: For any processing that is not covered by the above bases — for example, optional marketing communications — we will obtain your explicit consent, which you may withdraw at any time.
With respect to cooperative member data that is entered by the cooperative administrator, the cooperative is the data controller and is responsible for identifying and documenting the appropriate legal basis for collecting and processing its members' personal data under applicable Cameroonian law and any other laws that apply to its operations.
5. Data Sharing and Third-Party Processors
CoopWave does not sell, rent, or trade your data or your cooperative members' data to any third party for marketing or commercial purposes. We share data only with the third-party service providers necessary to operate the platform, and only to the extent required for those services. Our current sub-processors are:
| Processor | Purpose | Data Shared |
|---|---|---|
| Monetbil | Mobile money payment processing (MTN MoMo, Orange Money) | Subscriber name, phone number, and transaction amount for payment authorization |
| Flutterwave | Card payment processing (Visa, Mastercard) | Subscriber name, email, and transaction amount; card details handled entirely by Flutterwave |
| Gmail SMTP (Google) | Transactional email delivery (password resets, invitations, notifications) | Recipient email address and the content of the transactional email being sent |
| Railway | Backend application hosting and PostgreSQL database hosting | All backend application data and database contents (stored in isolated schemas per cooperative) |
| Vercel | Frontend application hosting and global CDN delivery | Static frontend assets; IP addresses and request metadata processed by Vercel's edge network |
Each of these processors has agreed to handle data in accordance with applicable data protection standards and maintains its own published privacy and security policies. We encourage you to review their policies for details on how each processor handles data.
Beyond the processors listed above, we may also disclose data where required by law — for example, in response to a court order, subpoena, government investigation, or to protect the safety, rights, or property of CoopWave, our users, or the public. We will notify affected users of such disclosures where legally permitted.
6. Cooperative Data Isolation
Data isolation is a foundational architectural principle of the CoopWave platform. Each cooperative registered on CoopWave is assigned its own unique, completely isolated PostgreSQL database schema within our infrastructure. This is sometimes called a "schema-per-tenant" multi-tenancy model.
What this means in practice:
- All member records, financial transactions, savings data, loan data, accounting entries, and settings for a cooperative are stored exclusively within that cooperative's schema.
- No other cooperative can access, view, or query your cooperative's data — ever. The database-level isolation makes cross-tenant data leakage structurally impossible.
- CoopWave's own technical staff can access tenant schemas only for authorized support, debugging, or maintenance purposes, and only with appropriate authorization controls in place.
- Each cooperative accesses the platform through its own unique subdomain (e.g., yourcoopname.coopwave.cm), which is resolved to the correct schema at the infrastructure level.
This isolation architecture ensures that the confidentiality of each cooperative's financial and member data is protected at both the application and database levels, not just through access control policies.
7. Data Retention
We retain personal and cooperative data for as long as your account is active or as needed to provide the Service. Specifically:
- Active accounts: All data is retained for the duration of your active subscription so you can access it at any time.
- After account closure or subscription cancellation: Your cooperative's data is retained in a read-only state for 30 days after account closure or termination, giving you time to export your data. After this 30-day period, data is permanently and securely deleted from our systems.
- Billing records: We retain billing and payment records for up to 7 years to comply with financial record-keeping obligations, even after an account is closed.
- Server logs: Access and error logs are retained for up to 90 days for security monitoring purposes, after which they are automatically purged.
- Legal holds: If data is subject to a pending legal dispute, regulatory investigation, or lawful preservation request, we will retain that data beyond the above periods until the matter is resolved.
We encourage all cooperative administrators to export a full copy of their data before closing their account. CoopWave provides data export tools within the platform's settings area.
8. Your Rights
Depending on your location and applicable law, you may have the following rights regarding your personal data:
- Right to access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request correction of inaccurate or incomplete personal data.
- Right to erasure: You may request deletion of your personal data where there is no legitimate reason for us to continue processing it (subject to legal retention requirements).
- Right to restriction: You may request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability: You may request that we provide your personal data in a structured, commonly used, machine-readable format so that you can transfer it to another service.
- Right to object: You may object to the processing of your personal data where we rely on legitimate interests as the legal basis.
- Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, contact us at info.coopwave@gmail.com. We will respond within 30 days of receiving your request.
Note for cooperative members: If you are a member of a cooperative that uses CoopWave, and you wish to access, correct, or delete your personal data, you should contact your cooperative administrator directly. The cooperative — not CoopWave — is the data controller for member data and is responsible for responding to member data rights requests.
10. Security
CoopWave takes the security of your data seriously and implements a range of technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit: All data transmitted between your browser and CoopWave's servers is encrypted using TLS (HTTPS).
- Encryption at rest: Data stored in our PostgreSQL databases on Railway is encrypted at rest using industry-standard encryption.
- Password hashing: All staff account passwords are hashed using Django's built-in PBKDF2 hashing algorithm with a salt. Member PINs are also stored in hashed form and are never stored in plain text.
- JWT authentication with token rotation: Access tokens expire after 24 hours. Refresh tokens rotate on every use and expire after 7 days, limiting the window of exposure if a token is compromised.
- Role-based access control: Staff members can only access functionality appropriate to their assigned role (Admin, Treasurer, Loan Officer, Accountant). No user can access another cooperative's data.
- Schema-level data isolation: Each cooperative's data is stored in a completely separate PostgreSQL schema, providing database-level isolation beyond application-level access controls.
- Infrastructure security: Our hosting providers (Railway and Vercel) maintain their own security certifications, network isolation, and infrastructure controls.
While we implement rigorous security measures, no system is perfectly secure. We cannot guarantee absolute security against all threats. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users as soon as reasonably practicable and take all appropriate remedial action.
If you discover a security vulnerability, please report it responsibly to info.coopwave@gmail.com rather than disclosing it publicly. We are committed to working with security researchers to address any issues promptly.
11. Children and Minors
CoopWave does not impose a platform-wide minimum age for cooperative members. This is intentional: many cooperatives in Cameroon and across Africa include junior savings programs, youth wings, or family account structures where minors participate under the supervision of a guardian or cooperative administrator.
The determination of minimum age eligibility for membership is governed entirely by each individual cooperative's bylaws, membership rules, and applicable local law. The cooperative administrator is responsible for ensuring that member enrollment complies with their cooperative's membership criteria and with any applicable legal requirements concerning the registration and financial dealings of minors.
The CoopWave staff portal (the management interface used by cooperative administrators and staff) is intended for use by adults aged 18 and over.
If you believe that personal data concerning a child has been collected through the platform in a manner inconsistent with the cooperative's rules or applicable law, please contact the cooperative's administrator or reach out to us at info.coopwave@gmail.com.
12. Cross-Border Data Transfers
CoopWave's infrastructure relies on third-party hosting providers whose servers may be located outside of Cameroon:
- Railway — Our backend application and PostgreSQL databases are hosted on Railway's infrastructure. Railway operates servers in multiple regions, which may include servers in the European Union or the United States. By using CoopWave, you acknowledge that your cooperative's data may be processed in these regions.
- Vercel — Our frontend application is deployed on Vercel's global edge network (CDN), which serves users from the nearest geographic node. Vercel operates nodes worldwide. Static frontend assets and edge-processed requests may pass through servers in any region where Vercel operates.
Cameroon does not yet have a comprehensive data protection law with explicit cross-border transfer restrictions comparable to the EU's GDPR. However, CoopWave is committed to ensuring that appropriate safeguards are in place wherever data is processed. Our sub-processors (Railway and Vercel) both maintain industry-standard security practices, operate under their own data protection policies, and comply with applicable regulations in their operating jurisdictions.
We continuously monitor the evolving regulatory landscape in Cameroon and across Africa and will update our data transfer practices as needed to remain compliant with applicable legal requirements.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, the platform's features, applicable laws, or our third-party processors. We will indicate the date of the most recent update at the top of this page.
For significant changes — such as new categories of data collected, new third-party processors, or material changes to how data is used — we will notify cooperative administrators by email to the address associated with their account at least 14 days before the changes take effect.
Your continued use of the Service after any revised Privacy Policy takes effect constitutes your acceptance of the revised policy. If you do not agree with the revised policy, you must stop using the Service.
Previous versions of this Privacy Policy are available upon request by emailing info.coopwave@gmail.com.
14. Contact Us
If you have any questions, requests, or concerns about this Privacy Policy or how we handle your personal data, please contact us. We aim to respond to all data-related inquiries within 10 business days.
Also see our Terms of Service for the full agreement governing your use of the CoopWave platform.