Washed · personal data
Privacy policy
Update 2026-05-21 — Reference text. This English version is provided for App Store and Play Store review. The authoritative version is the French text at /confidentialite (privacy) and /conditions (terms). In case of any discrepancy, the French text governs.
Washed operates a recurring home laundry service in Lomé. To run this service we process some data about you — phone number, service address, mobile-money payment details, and a few technical signals from the app. This document explains which data, why, how long we keep it, and who we share it with. We chose to be specific: this text matches what our code actually does.
Publisher and data controller
Data controller: Washed, a commercial entity being formed in Lomé, Togo.
Postal address: to be completed by the founder — operational bureau in Lomé.
Data protection officer: to be completed — the founder holds this role until a dedicated position is created.
Contact: [email protected].
Preamble
Washed connects subscribers with independent service providers — washerwomen (laveuses)¹ — for one or more home visits per monthly cycle, paid by mobile money.
A vague policy protects the publisher, not the user. This text matches what our code actually does: data flows verified against PostgreSQL migrations, API code, the disputes schema, and the retention policies.
¹ "Laveuse" is the Washed product term for the service provider who performs the home laundry visit.
Data collected — identity
When you create your account we record the items listed below. The phone number is stored encrypted at rest and indexed by a fingerprint (phone_number_lookup_hash) that lets us find your account without exposing the number in plaintext in internal queries. Only the surfaces that strictly need it — OTP delivery, support, payment — decrypt it.
- First name and last name.
- Phone number in international format (for example +228 90 12 34 56). This is the primary account identifier.
- Email address (optional).
- Profile photo (optional), if you add one from screen X-26.
- Adult-age confirmation (≥ 18 years). The service is not available to minors.
Service address and location
We record your service address and the cues that let the service provider find you. The home GPS coordinates are stored both in plaintext for routing and assignment, and encrypted (gps_latitude_ciphertext, gps_longitude_ciphertext). On the first successful visit, the service provider confirms the exact GPS pin of your gate (verified_address) — which improves routing for subsequent visits.
During the visit window only, we collect GPS samples from the service provider (visit_location_samples) to power the in-route tracking you see on screen X-12. Each sample carries an expiration timestamp and is deleted automatically after 30 minutes. We never collect your own GPS location during the visit.
At check-in and check-out, the service provider’s GPS location is recorded on the visit record — encrypted. This is how we can verify that a visit actually took place at your home.
- Neighborhood (for example Bè, Adidogomé, Tokoin).
- Street and landmark — a free-text reference that helps the service provider find the gate.
- Approximate home GPS coordinates, captured when you enter the address.
- Verified address, set by the service provider at check-in on the first successful visit.
Mobile-money payment
Payment runs through mobile money. We never ask for your mobile-money PIN. You enter it directly on your phone via the USSD or STK request sent by your provider — Washed has no access to that PIN and never receives it.
- Mobile-money provider: Mixx by Yas or Flooz.
- Mobile-money number in international format.
- Transaction identifiers returned by our payment aggregator (PayDunya) and by the mobile-money provider.
Visits and subscription
For each visit we record what is needed to coordinate the service and to resolve any dispute. Today, the subscriber app does not let you attach your own photos to a dispute — the bureau team relies on the before/after photos taken by the service provider to investigate.
- Plan (T1, T2, FE — Famille Essentiel, FC — Famille Confort per the current price grid), preferred day, preferred time slot.
- Visit statuses: scheduled, in_progress, completed, disputed, cancelled, no_show.
- Before/after visit photos captured by the service provider. S3-compatible object storage, max 5 MB, formats image/jpeg, image/png, image/webp.
- Ratings and comments (1–5, optional comment).
- Disputes: incident type (damaged_item, missing_item, worker_no_show, other) and your written description.
Technical data and authentication
A few technical signals help us diagnose bugs and secure the account. Sentry error reports contain the technical context of the crash, never your phone number, address, or payment data.
On every sign-in we send a 6-digit OTP code by SMS via our provider KingSMS. We store a hashed fingerprint of that code for its short validity window — never the code in plaintext. Authenticated sessions are materialized by encrypted access and refresh tokens; a device identifier (device_id) is bound to each session so a compromised device can be revoked remotely.
- Device model and iOS version at app launch.
- Anonymous device identifier (anonymous_id) for internal navigation events.
- Screen-view events with screen name and duration. No user input is recorded in these events.
- Push notification tokens (APNS, FCM) if you accept notifications, encrypted at rest.
- Anonymized Sentry error reports only when an error occurs.
Why we collect this data
Every piece of data has a precise operational purpose: OTP sign-in, assigning the nearest available service provider, mobile-money charging via PayDunya, GPS verification of service delivery at check-in and check-out, fair resolution of disputes based on before/after photos, and measuring service quality.
Optional profile preferences (age band, household size, discovery source, signup motivation) are strictly optional, never gate access to the service, and can be cleared at any time.
Washed never sells your data. No data is used for targeted advertising, inside or outside the app.
Who we share your data with
We share only the data strictly necessary with the technical providers that operate the service. No data is shared with advertisers, data brokers, or third-party marketing platforms. We disclose only the strictly necessary elements to Togolese authorities on written legal request, and document each transmission in the audit_events register.
- KingSMS (Togo) — sending the sign-in OTP SMS. Receives your phone number and SMS text at send time.
- PayDunya (Senegal, Côte d’Ivoire) — mobile-money payment aggregator. Receives your mobile-money number, amount, and transaction reference.
- Mixx by Yas or Flooz (Togo) — your mobile-money provider, which executes the debit. You confirm the debit on your phone.
- Fly.io (United States, infrastructure deployed in the Paris region — cdg) — hosts our API and PostgreSQL database.
- S3-compatible object storage (Paris region) — before/after photos and profile avatars.
- APNS (Apple, United States) and FCM (Google, United States) — push-notification delivery.
- Sentry — anonymized error reports.
- Cloudflare — content delivery and abuse protection. Sees your IP address and request path, never encrypted content.
Retention
Our code applies the retention table defined in the data_retention_policies migration (0037). On account deletion we keep only the accounting and audit records required by Togolese law and the OHADA convention for the necessary duration — typically payment records and the associated audit_events.
- Account, profile, phone number — account lifetime plus 24 months; anonymization after deletion except where accounting requires retention.
- Address, GPS, landmarks — account lifetime plus 12 months; the exact pin is deleted on account deletion.
- Visit photos (before/after) — visible to you for 12 months after the visit; internal operational policy 90 days, or dispute closure plus 180 days if the photo served as evidence.
- In-route GPS samples — deleted automatically 30 minutes after capture.
- Notifications (delivery logs) — 90 days; aggregated delivery-rate metrics only beyond that.
- Claims, disputes, safety events — 36 months; redaction of free-text personal items after closure where possible.
- Audit events (audit_events) — 5 years, retention imposed by OHADA accounting and contractual practice. Table immutable by SQL construction — no UPDATE or DELETE possible.
- Sessions and authentication tokens — until expiry or revocation.
Your rights
As a user you have the following rights. We respond to any request within a maximum of 30 calendar days. If you disagree with our response, you may file a complaint with the Togolese personal-data protection authority (IPDCP).
How to exercise these rights: from the app, on the Privacy & data screen (X-27) for export and deletion. By email to [email protected] for any other request, mentioning the phone number tied to your account.
- Right of access — view the data we hold about you from X-27 or by email.
- Right to rectification — update your name, address, mobile-money number, profile photo, and preferences directly in the app.
- Right to erasure — request account deletion from X-28. The bureau reviews the request; your data is anonymized or deleted within 30 days, except accounting and audit records the law requires us to retain.
- Right to portability — request an export from the "Download my data" button on X-27. The request is recorded as subscriber_privacy_request of type export; delivered within roughly 30 days.
- Right to object — opt out of certain processing (push notifications). Opting out of processing strictly necessary for the service prevents us from providing the service.
- Right to restriction — pause the processing of certain data during dispute investigation.
Security
No system is invulnerable. In case of a significant security incident affecting you, we notify you without undue delay — typically within 72 hours — by in-app notification and by email if we have a verified address on file.
- In-transit encryption — TLS 1.2 or higher on all app-API communication, via Cloudflare and Fly.io.
- At-rest encryption — sensitive data (phone number, GPS, push tokens, device identifiers) is encrypted at the application layer with AES-256-GCM. Key rotation is tooled and executed per the internal runbook.
- Lookup fingerprints — HMAC indexing of the phone number with a database-specific salt. The fingerprint is not reversible.
- Country isolation (Row-Level Security) — a Togo operator can only read Togo records. The rule is enforced even for the table owner.
- Immutable audit — every sensitive action writes an immutable record to audit_events; the table allows neither UPDATE nor DELETE by SQL construction.
- Restricted operator access — two-factor authentication (TOTP); credentials managed through Fly.io secrets. No secret is exposed in code or in client apps.
Minors
The Washed service is restricted to adults (≥ 18 years). At signup you confirm legal age. We do not knowingly create accounts for minors. If we discover that an account was created by a minor, we delete it and purge the associated data as quickly as possible.
Cookies, advertising trackers, and third-party SDKs
The Washed iOS app contains no advertising trackers. The only third-party SDKs embedded are Sentry (anonymized error reports only), Capacitor and its official plugins (notifications, camera, geolocation, storage — no network telemetry), APNS (Apple) and FCM (Google) only for push notifications triggered by our server.
The marketing site washedafrica.com may use aggregated traffic-analytics tools (Cloudflare Web Analytics), with no advertising cookie and no sharing with third-party marketing platforms.
International transfers
Our main infrastructure is hosted in Paris (Fly.io region cdg). Your data transits and resides in a country with a data-protection framework equivalent to the European General Data Protection Regulation (GDPR).
A few providers are based outside the European Union — APNS and FCM in the United States for push notifications, PayDunya in Senegal and Côte d’Ivoire for mobile-money payment. The data transmitted to these providers is strictly limited to what is necessary for their function.
Changes to this policy
We may modify this policy to reflect a service evolution or a new legal obligation. For a substantive change we notify you by in-app notification on the next launch and by email if we have a verified address on file.
You have 30 days to review the changes and to delete your account if they do not suit you. A minor change (spelling fix, drafting clarification) does not trigger this notification.
Version history is kept in the application source repository.
Governing law and jurisdiction
This policy is governed by Togolese law. For personal-data processing, it draws on European GDPR standards and the emerging case law of sub-regional authorities (CDP of Senegal, CDP of Benin) pending the effective deployment of the IPDCP in Togo.
Any dispute relating to this policy falls under the jurisdiction of the courts of Lomé.