Privacy Policy
Effective date: 11 June 2026. Last reviewed: 11 June 2026.
1. Who We Are
ESP Hotel (“we”, “us”, “our”) is a boutique hotel located at 51 Ndabaningi Sithole Road, Labone, Accra, Ghana. We operate the website at esphotels.com (the “Site”) and provide accommodation, dining, spa, wellness, and event services.
For the purposes of the Ghana Data Protection Act, 2012 (Act 843), ESP Hotel is the data controller. For guests based in the European Union or United Kingdom, ESP Hotel also acts as controller under the EU General Data Protection Regulation (GDPR) and UK GDPR respectively, to the extent those instruments apply.
2. Personal Data We Collect
We collect the following categories of personal data through the Site:
| Category | Specific data | Collected via |
|---|---|---|
| Identity | Full name | Room bookings, spa bookings, event enquiries, contact/enquiry forms |
| Contact | Email address, phone number | Room bookings, spa bookings, event enquiries, contact/enquiry forms, corporate room-block enquiries |
| Reservation | Check-in/out dates, number of guests, room or suite choice | Booking forms |
| Commercial | Company name, number of rooms requested (corporate enquiries) | Corporate room-block enquiry form |
| Communications | Free-text messages, enquiry topic, subject line | Contact, enquiry, and event forms |
| Technical | IP address, browser type, error-context data | Automatically by our hosting provider (Vercel) and error-monitoring service (Sentry, when activated) |
We do not collect payment card data through the Site. If a payment deposit is required, this will be handled separately and communicated to you directly.
We do not knowingly collect special categories of personal data (such as health information) through the Site's standard forms. If you voluntarily share dietary requirements or accessibility needs, this information is used solely to fulfil your request.
3. How and Why We Use Your Data
| Purpose | Lawful basis (Ghana Act 843) | Lawful basis (GDPR, where applicable) |
|---|---|---|
| Process room, spa, and event reservations; send confirmation emails | Necessary for the performance of a contract (s.20(1)(b) Act 843) | Performance of a contract (Art. 6(1)(b) GDPR) |
| Respond to general enquiries | Consent or legitimate interest (s.20(1)(a)/(c) Act 843) | Legitimate interests (Art. 6(1)(f) GDPR) — responding to prospective guests |
| Prevent fraud and abuse; enforce rate-limiting and bot protection | Legitimate interest | Legitimate interests (Art. 6(1)(f) GDPR) — protecting the security of our services |
| Monitor and fix technical errors in the Site | Legitimate interest | Legitimate interests (Art. 6(1)(f) GDPR) |
| Comply with legal obligations | Legal obligation (s.20(1)(d) Act 843) | Legal obligation (Art. 6(1)(c) GDPR) |
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
4. Sub-Processors and Data Sharing
We share your personal data only with the following trusted service providers (“sub-processors”) who process data on our behalf. Each is bound by appropriate data-processing agreements.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting for bookings, enquiries, and spa reservations | USA (AWS us-east-1 by default) |
| Resend | Transactional email delivery (booking confirmations, enquiry notifications) | USA |
| Vercel Inc. | Website hosting, edge functions, and BotID bot-protection service | USA (global CDN) |
| Upstash Redis | Rate-limiting (temporary storage of IP-derived tokens to prevent abuse) | USA / EU (region-configurable) |
| Sentry (Functional Technologies Inc.) | Error monitoring and diagnostics. Inactive until a DSN key is configured. | USA |
| PostHog, Inc. | Privacy-friendly product analytics — understanding how the Site is used. Loaded only after you accept analytics cookies via the consent banner. | USA (US Cloud) |
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes. We may disclose personal data to law-enforcement or regulatory authorities where required by law.
5. International Transfers
The sub-processors listed above are located in the United States. Where you are an EU or UK data subject, transfers to these providers are made subject to the EU–US Data Privacy Framework (where the provider participates) or Standard Contractual Clauses (SCCs) approved by the European Commission. You may request information about the specific safeguards in place by contacting us using the details in section 11.
Under Act 843 (Ghana), transfers of personal data outside Ghana must be made with adequate safeguards. We rely on contractual commitments with each sub-processor to satisfy this requirement.
6. How Long We Keep Data
We retain personal data only for as long as necessary for the purposes set out in this policy, including compliance with legal, accounting, or reporting obligations.
- Booking and reservation records — retained for a minimum of 6 years from the date of stay or enquiry, in line with standard commercial record-keeping obligations.
- General enquiries and contact messages — retained for up to 2 years unless we have an ongoing commercial relationship.
- Error-monitoring data (Sentry) — retained for 90 days in accordance with Sentry's default retention.
- Rate-limiting tokens (Upstash Redis) — automatically expire within hours; no long-term retention.
When data is no longer needed it is deleted or anonymised.
7. Cookies and Similar Technologies
This Site uses strictly necessary and functional cookies, which are always active, and analytics cookies, which are set only after you give consent via our cookie banner.
| Cookie / storage key | Purpose | Type |
|---|---|---|
| sidebar:state | Remembers your sidebar open/closed preference | Functional (first-party) |
| esp-cookie-consent | Remembers your cookie consent choice so we don't ask again | Strictly necessary (first-party) |
| sb-* (Supabase) | Maintains your session state if you are an authenticated user | Strictly necessary (first-party) |
| ph_* (PostHog) | Privacy-friendly analytics — measures page views and feature usage to help us improve the Site. Set only with your consent. | Analytics (first-party) |
Strictly necessary and functional cookies are exempt from prior consent under the EU ePrivacy Directive and do not require a banner. Analytics cookies (PostHog) are not set until you accept them. You can change or withdraw your choice at any time using the “Cookie preferences” link in the footer; if you decline, no analytics cookies are stored.
8. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include: encrypted data transmission (TLS), rate-limiting and bot-protection on all API endpoints, server-side input validation and HTML sanitisation, and use of reputable, contractually committed cloud infrastructure.
No method of transmission over the internet is completely secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission of Ghana and, where required, affected individuals in accordance with Act 843.
9. Children
This Site is not directed at children under the age of 18 and we do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.
10. Your Rights
Depending on your location and applicable law, you may have the following rights regarding your personal data:
- Right of access to your personal data held by us
- Right to correction of inaccurate or incomplete data
- Right to object to processing in certain circumstances
- Right to lodge a complaint with the Data Protection Commission of Ghana (dataprotection.org.gh)
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (“right to be forgotten”) (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Rights related to automated decision-making (Art. 22)
- Right to lodge a complaint with your national supervisory authority
To exercise any of these rights, please contact us as set out in section 11. We will respond within 30 days. We may need to verify your identity before processing your request.
11. Privacy Contact
For all privacy and data-protection enquiries — including subject-access requests, erasure requests, or complaints — please contact:
ESP Hotel — Data Protection Contact
51 Ndabaningi Sithole Road, Labone, Accra, Ghana
Email: legal@esphotel.com
Phone: +233 (54) 897 4174
If you are not satisfied with our response, you may escalate your complaint to the Data Protection Commission of Ghana.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes we will update the “Last reviewed” date at the top of this page and, where appropriate, notify you by email or a prominent notice on the Site. Your continued use of the Site after any update constitutes acceptance of the revised policy.
