Privacy Policy

We use the data we collect for the following purposes:

• Account Management: To create and maintain your account, authenticate your identity, and manage your profile.
• Identity Verification: To verify your identity using BVN and government ID, ensuring platform trust and safety.
• Payment Processing: To process payments, manage escrow, calculate platform fees, and facilitate payouts to hosts.
• Platform Operations: To display listings, facilitate bookings, generate room license agreements, and enable communication between users.
• Dispute Resolution: To investigate and resolve disputes between hosts and tenants.
• Fraud Prevention: To detect and prevent fraudulent activity, including repeated failed payments, duplicate listings, and suspicious behaviour.
• Communication: To send transactional emails (booking confirmations, payment receipts, verification updates) and service-related notifications.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes.
• Platform Improvement: To analyse usage patterns and improve the Platform's functionality, performance, and user experience.

We do not sell your personal data. We share data only in the following circumstances:

• Paystack: We share necessary transaction data with Paystack for payment processing, escrow management, and host payouts.
• Identity Verification Partners: We may share verification data with third-party identity verification services (e.g., Mono, Smile ID) to validate BVN and ID documents. These partners are contractually bound to protect your data.
• Between Users: When a booking is made, limited profile information (name, verification status) is shared between the Host and Tenant. Full BVN, ID documents, and financial details are never shared between users.
• Legal Requirements: We may disclose data if required by law, court order, or government regulation, or to protect the rights, property, or safety of SpareRoom Nigeria, our users, or the public.
• Service Providers: We use hosting (Supabase, Vercel), email (Resend), analytics, and error tracking (Sentry) services. These providers process data on our behalf and are bound by data processing agreements.

We retain your personal data as follows:

• Account Data: Retained for as long as your account is active and for 2 years after account closure for legal and audit purposes.
• Verification Data: BVN data is retained in encrypted form for the lifetime of the account. ID documents are retained for 2 years after verification and then securely deleted.
• Payment Records: Retained for 7 years to comply with Nigerian tax and financial regulations.
• Booking and Agreement Records: Retained for 5 years after the booking ends.
• Dispute Records: Retained for 5 years after resolution.
• Audit Logs: Retained for 3 years.
• Usage Data: Aggregated and anonymised after 12 months.

Under the NDPR and the Nigeria Data Protection Act 2023, you have the following rights:

• Right of Access: You can request a copy of the personal data we hold about you.
• Right to Rectification: You can request correction of inaccurate or incomplete personal data.
• Right to Deletion: You can request deletion of your personal data, subject to legal retention requirements. Account deletion requests will be processed within 30 days.
• Right to Restrict Processing: You can request that we limit how we process your data in certain circumstances.
• Right to Data Portability: You can request your data in a structured, commonly used, machine-readable format.
• Right to Withdraw Consent: You can withdraw your consent for data processing at any time, though this may affect your ability to use the Platform.
• Right to Object: You can object to processing of your data for certain purposes, such as direct marketing.

To exercise any of these rights, contact us at privacy@spareroomnigeria.com. We will respond within 30 days.

We implement robust security measures to protect your data:

• Encryption: BVN data is stored with encryption at rest. All data in transit is protected with TLS/HTTPS.
• Access Control: Only authorized personnel can access sensitive data. All access is logged in our audit system.
• Row Level Security: Database access is controlled through Supabase Row Level Security (RLS) policies, ensuring users can only access data they are authorised to see.
• Secure Storage: ID documents are stored in Supabase Storage with access controls. Images are not publicly accessible.
• Webhook Verification: All payment webhooks from Paystack are cryptographically verified before processing.
• Rate Limiting: We apply rate limiting on authentication, booking, and payment endpoints to prevent abuse.
• Regular Auditing: Security practices and access logs are regularly reviewed.

We use essential cookies for authentication and session management. We may also use analytics tools (Vercel Analytics) to understand how users interact with the Platform. These tools collect aggregated, anonymised data.

We do not use third-party advertising cookies or trackers.

SpareRoom Nigeria is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will delete it promptly.

Your data may be processed by service providers located outside Nigeria (e.g., cloud hosting providers). Where this occurs, we ensure that adequate data protection measures are in place in accordance with the NDPR requirements for cross-border data transfers.

We may update this Privacy Policy from time to time. Material changes will be communicated to registered users via email. The “Last updated” date at the top of this page indicates when the policy was last revised.

For any privacy-related enquiries, data access requests, or to exercise your rights under the NDPR, please contact:

• Data Protection Officer: privacy@spareroomnigeria.com
• General Enquiries: hello@spareroomnigeria.com
• Address: Lagos, Nigeria

You may also lodge a complaint with the National Information Technology Development Agency (NITDA) if you believe your data protection rights have been violated.