At Conveya, we take your privacy seriously. This policy explains exactly what data we collect, why we collect it, how we protect it, and what rights you have over it. We are committed to full compliance with the Nigeria Data Protection Act 2023 (NDPA).
Contents
Conveya Technologies Ltd ("Conveya", "we", "us", "our") operates the Conveya platform, a B2B SaaS product for real estate companies. This Privacy Policy explains how we collect, use, store, and protect personal data in connection with our platform and website.
Data Controller: Conveya Technologies Ltd, Lagos, Nigeria Email: hello@conveya.ng
We are committed to protecting your privacy and processing your data in accordance with the Nigeria Data Protection Act 2023 (NDPA) and its implementing regulations.
We collect data in two contexts: (a) data you provide when using our platform, and (b) data about how you interact with our website.
Account and profile data: When you create an organisation account or a user account, we collect name, email address, phone number, organisation name, and role.
Customer and transaction data: When you use Conveya to manage your real estate business, data about your customers (their names, emails, phone numbers, payment records) and transactions (sales, payments, commissions) is stored on our platform. You are the data controller for your customers' data; we process it on your behalf as a data processor.
Payment and billing data: When you subscribe to Conveya, we process subscription billing data through Paystack. We store subscription status, plan details, and billing history. We do not store full card numbers or bank account credentials.
Usage and technical data: We automatically collect IP addresses, browser type, device information, pages visited, and time spent on the platform to operate and improve the Service.
Communications: If you contact us via email or any other channel, we retain records of those communications.
We use your personal data for the following purposes:
(a) Providing the Service: To create and manage your account, process your subscription, and deliver all features of the Conveya platform.
(b) Communications: To send you service-related communications, including account notifications, product updates, and support responses. You may opt out of marketing communications at any time.
(c) Security and fraud prevention: To detect, investigate, and prevent fraudulent transactions, abuse, and violations of our Terms.
(d) Analytics and improvement: To understand how the Service is used and to improve its features, performance, and reliability. We use aggregated and anonymised data for this purpose.
(e) Legal obligations: To comply with applicable Nigerian laws, tax obligations, and regulatory requirements, including responding to lawful requests from government authorities.
(f) Billing: To process subscription payments, manage renewals, and handle billing disputes.
Under the NDPA, we process your personal data on the following legal bases:
Contract performance: Processing necessary to provide the Service you have subscribed to.
Legitimate interests: Processing for fraud prevention, security, analytics, and service improvement, where such interests are not overridden by your rights.
Legal obligation: Processing required to comply with applicable Nigerian law.
Consent: Where we rely on consent (such as for marketing communications), you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
When you use Conveya to manage your customers, realtors, and transactions, you are the data controller for that personal data, and we are the data processor acting on your instructions.
You are responsible for ensuring that your collection and use of your customers' personal data complies with all applicable laws, including the NDPA and, where applicable, SCUML requirements under the Money Laundering Prohibition Act.
We process your customers' data solely to provide you with the Service. We will not use your customers' data for our own purposes, sell it, or disclose it to third parties except as required to provide the Service or as required by law.
If any of your customers submits a data subject request (such as a right of access or erasure request), you are responsible for handling that request. We will cooperate with you to fulfil such requests within the timeframes required by the NDPA.
We do not sell your personal data. We share data only in the following limited circumstances:
Service providers: We use trusted third-party providers to operate the Service, including cloud hosting (DigitalOcean), email delivery (Resend), SMS delivery (Termii), payment processing (Paystack), error monitoring (Sentry), and DNS management (Cloudflare). These providers process data on our behalf under appropriate data processing agreements.
Payment gateways: If you configure your own Paystack or Flutterwave gateway for collecting payments from your customers, we pass transaction data to those gateways under your merchant account. We do not receive your customers' card data directly.
Legal requirements: We may disclose data where required to comply with a legal obligation, court order, or government request under Nigerian law.
Business transfers: In the event of a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred to the acquiring entity. We will notify you in advance.
Our website uses cookies and similar tracking technologies to operate and improve the Service.
Essential cookies: Required for the Service to function, including session management and authentication tokens. These cannot be disabled.
Analytics cookies: We use anonymous analytics to understand website traffic and usage patterns. No personally identifiable information is shared with analytics providers.
You can control cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Service.
Your data is stored on servers operated by DigitalOcean in data centres with industry-standard physical and network security controls.
We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, destruction, or alteration. These measures include encryption at rest and in transit (TLS 1.2+), role-based access controls, regular security reviews, and secure development practices.
We use Argon2id for password hashing, industry-standard JWT for authentication, and HTTP-only cookies for session management.
While we implement strong security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security, and we encourage you to use strong, unique passwords and to notify us immediately of any suspected security breach.
We retain your personal data for as long as your account is active or as needed to provide the Service.
Upon cancellation of your subscription, we retain your data for 90 days, during which you may request an export. After 90 days, we delete or anonymise your data, except where we are required by law to retain it longer (for example, financial records required for tax purposes).
Financial and transaction records may be retained for up to seven (7) years to comply with Nigerian tax law and accounting requirements.
Data in backups may persist for up to 30 additional days after deletion from active systems.
As a data subject under the Nigeria Data Protection Act 2023, you have the following rights:
Right of access: You may request a copy of the personal data we hold about you.
Right to rectification: You may request correction of inaccurate or incomplete data.
Right to erasure: You may request deletion of your personal data, subject to our legal obligations to retain certain records.
Right to restrict processing: You may request that we limit how we process your data in certain circumstances.
Right to data portability: You may request your data in a machine-readable format.
Right to object: You may object to processing based on our legitimate interests.
Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time.
To exercise any of these rights, contact us at hello@conveya.ng. We will respond within 30 days. We may ask you to verify your identity before processing your request. You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC).
The Service is intended for use by businesses and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
Some of our third-party service providers may process data outside Nigeria. Where data is transferred internationally, we ensure appropriate safeguards are in place in accordance with the NDPA, including contractual protections requiring providers to maintain equivalent data protection standards.
We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on the platform at least 14 days before the changes take effect.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
We keep a history of previous versions of this policy, which is available on request.
For any privacy-related questions, requests, or complaints, contact our Data Protection Officer:
Email: hello@conveya.ng Conveya, Lagos, Nigeria
If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.
Privacy questions or requests?
hello@conveya.ngWe respond to all privacy requests within 30 days, as required by the NDPA.