AfriStay Legal
Privacy Policy
How AfriStay collects, uses, and protects your personal data
Effective Date
1 June 2026
Version
1.0
Governing Law
Nigeria
1Who We Are and How to Contact Us
Smartsync Technologies Limited ("Smartsync", "Data Controller", "we", "us", "our") is incorporated in Nigeria and operates the AfriStay short-term accommodation marketplace at afristay.com.
As the Data Controller, Smartsync determines the purposes and means by which your personal data is processed. For all privacy-related enquiries, requests, and complaints, please contact our designated Data Protection Officer:
2Personal Data We Collect
2.1 Data You Provide Directly
- •Registration data: full name, email address, phone number, password (stored in encrypted form only).
- •Profile data: profile photograph, date of birth, address, nationality.
- •Identity verification documents (Hosts): copies of government-issued ID, selfie photographs, utility bills, CAC documents — stored securely with restricted admin access only.
- •Property listing data (Hosts): property address, GPS coordinates, photographs, amenity descriptions, pricing, bank account details for payout processing.
- •Booking data: check-in and check-out dates, guest count, payment information, special requests.
- •Payment data: transaction history, payout records. Card details are not stored by AfriStay and are processed exclusively by PCI-DSS certified processors.
- •Communications: messages sent through the Platform, support enquiries, complaints, and feedback.
- •Reviews and ratings: publicly visible reviews and star ratings submitted after stays.
2.2 Data Collected Automatically
- •Device data: IP address, device type, operating system, browser type and version.
- •Usage data: pages visited, search queries, bookings viewed, time spent on pages.
- •Location data: general location derived from IP address; precise GPS location where you grant permission through our mobile application.
- •Cookies and tracking technologies: see Section 7 below.
2.3 Data Received from Third Parties
- •Social login providers (Google) where you register or log in using a third-party account;
- •Payment processors (Paystack, Flutterwave) who share transaction confirmation and fraud-screening data;
- •Other users of the Platform (e.g., reviews about you from your booking counterparty).
3Legal Basis for Processing
AfriStay processes your personal data on the following legal grounds as recognised under the NDPA 2023 and NDPR 2019:
| Legal Basis | Processing Activity | Applies To |
|---|---|---|
| Contract Performance | Processing bookings, payments, cancellations, and refunds | Hosts & Guests |
| Legitimate Interests | Fraud prevention, security monitoring, improving the Platform, transactional notifications | All Users |
| Legal Obligation | Compliance with NDPA, FIRS tax obligations, CBN payment regulations, court orders | All Users |
| Consent | Marketing communications, newsletters, promotional offers, analytics cookies | Where consent given |
| Vital Interests | Emergency situations involving safety of users or third parties | Where necessary |
4How We Use Your Personal Data
4.1 Operating the Platform
- •Creating and managing your account;
- •Enabling search, browsing, and discovery of Listings;
- •Processing bookings, payments, refunds, and cancellations;
- •Facilitating communication between Guests and Hosts;
- •Sending booking confirmations, pre-arrival reminders, and post-stay receipts.
4.2 Trust and Safety
- •Verifying Host and Guest identities to prevent fraud;
- •Reviewing and moderating reviews, listings, and user content;
- •Investigating complaints, disputes, and reports of prohibited conduct;
- •Detecting, preventing, and responding to fraud, security incidents, and system abuse.
4.3 Legal Compliance
- •Complying with applicable Nigerian laws including NDPA 2023, NDPR 2019, and CBN payment regulations;
- •Responding to lawful requests from law enforcement, courts, and regulators;
- •Retaining transaction and financial records as required by Nigerian tax law.
4.4 Platform Improvement and Analytics
- •Analysing usage patterns to improve Platform functionality and user experience;
- •Conducting research and analysis (using anonymised or aggregated data where possible);
- •A/B testing, performance monitoring, and infrastructure optimisation.
4.5 Marketing and Communications (with consent)
- •Sending promotional emails and offers where you have opted in;
- •Recommending Listings based on your search and booking history;
- •Sending loyalty programme updates and referral programme notifications.
You may withdraw your consent to marketing communications at any time by clicking "Unsubscribe" in any marketing email or by contacting privacy@afristay.com.
5How We Share Your Personal Data
5.1 With Other Users
To facilitate bookings, we share limited personal data between Hosts and Guests:
- •Guests see: Host's first name, profile photo, Verified status, and Listing details;
- •Hosts see: Guest's first name, profile photo, guest count, and booking details (including phone number for check-in coordination after booking confirmation);
- •Reviews submitted are publicly visible and attributed to the reviewer's first name and profile photo.
5.2 With Service Providers
We engage third-party service providers who process personal data on our behalf under strict data processing agreements. Each provider is contractually bound to process data only for specified purposes and in accordance with applicable law:
| Provider | Service | Data Processed |
|---|---|---|
| Supabase (PostgreSQL) | Database hosting | All personal and transactional data |
| Cloudinary | Image storage | Property photos, verification documents |
| Paystack / Flutterwave | Payment processing | Transaction data (no raw card data retained by AfriStay) |
| Resend / SendGrid | Email delivery | Name, email address, booking references |
| Twilio | SMS/WhatsApp messaging | Phone number, booking information |
| Vercel | Application hosting | Web traffic data, IP addresses |
| Google Analytics | Usage analytics | Anonymised browsing and usage data |
5.3 Legal and Regulatory Disclosures
We may disclose personal data to law enforcement, courts, regulators, or other government bodies where required by applicable Nigerian law, or where necessary to protect AfriStay's legal rights, investigate fraud, or protect the safety of users or third parties.
5.4 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of AfriStay's business, personal data may be transferred to the acquiring entity. Affected users will be notified in advance of any such transfer.
6Data Retention
AfriStay retains personal data only for as long as necessary to fulfil the purposes for which it was collected, subject to any applicable legal retention requirements:
| Data Category | Retention Period |
|---|---|
| Active account data | Duration of account, plus 90 days after deletion request |
| Booking and transaction records | 7 years (FIRS tax compliance — CITA / PITA) |
| Identity verification documents | 5 years from last completed booking |
| Financial and payout records | 7 years (CAMA / FIRS requirement) |
| Marketing consent records | Until consent withdrawn, plus 12 months |
| Customer support correspondence | 3 years from resolution |
| Security and audit logs | 2 years |
| Anonymised analytics data | Indefinite (no personal identifiers retained) |
When your personal data is no longer required, it is securely deleted or anonymised in accordance with industry-standard data destruction procedures.
8Your Data Subject Rights
Under the Nigeria Data Protection Act 2023 and NDPR 2019, you have the following rights. Submit a written request to privacy@afristay.com. We will respond within 72 hours of receiving a verified request.
| Right | What It Means |
|---|---|
| Right of Access | Request a copy of all personal data AfriStay holds about you (Data Subject Access Request). |
| Right to Rectification | Request correction of inaccurate or incomplete personal data. |
| Right to Erasure | Request deletion of your data where it is no longer necessary for the purpose collected, subject to AfriStay's legal retention obligations. |
| Right to Restriction | Request that we restrict processing of your data in certain circumstances (e.g., while a dispute is under investigation). |
| Right to Data Portability | Request your personal data in a structured, machine-readable format for transfer to another service. |
| Right to Object | Object to processing based on legitimate interests, including profiling and direct marketing. |
| Right to Withdraw Consent | Where processing is based on your consent, withdraw it at any time without affecting lawfulness of prior processing. |
| Right to Lodge a Complaint | Lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng if you believe your rights have been violated. |
9Data Security
AfriStay implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, disclosure, or destruction:
- •All data in transit is encrypted using TLS 1.2 or higher;
- •All data at rest is encrypted using AES-256 encryption on our database infrastructure;
- •Payment credentials are never stored by AfriStay — processed exclusively by PCI-DSS certified processors;
- •Identity verification documents are stored in a restricted environment with access controls limiting access to AfriStay admin personnel only;
- •All staff with access to personal data are trained in data protection obligations and bound by confidentiality agreements;
- •Multi-factor authentication (MFA) is mandatory for all AfriStay administrator accounts.
In the event of a data breach affecting your rights and freedoms, AfriStay will notify the Nigeria Data Protection Commission and affected data subjects within 72 hours of becoming aware of the breach, in accordance with section 40 of the NDPA 2023.
10International Data Transfers
AfriStay's primary operations and data storage are located in Nigeria. However, some service providers (including Cloudinary, Vercel, and Google Analytics) are located outside Nigeria and the ECOWAS region.
Where we transfer personal data outside Nigeria, we ensure adequate safeguards are in place as required by the NDPA 2023, including:
- •Standard contractual clauses or data processing agreements with each recipient;
- •Verification that the receiving jurisdiction provides an adequate level of data protection; or
- •Other legally recognised transfer mechanisms as approved by the NDPC.
11Children's Privacy
The AfriStay Platform is not directed to or intended for use by individuals under the age of 18. AfriStay does not knowingly collect personal data from minors. If you believe that a minor has provided personal data to AfriStay without parental consent, please contact privacy@afristay.com immediately and we will take steps to delete that information promptly.
12Changes to This Privacy Policy
AfriStay may update this Privacy Policy to reflect changes in our data practices, legal obligations, or business operations. Material changes will be communicated to registered users by email and/or prominent notice on the Platform at least fourteen (14) days before taking effect. The date of the most recent revision is displayed at the top of this document.
Your continued use of the Platform after the effective date of any revised Privacy Policy constitutes your acknowledgement of the changes. Where applicable law requires explicit consent for material changes, we will seek such consent before the changes take effect.
13Contact and Complaints
For any questions, requests, or concerns regarding this Privacy Policy or our data practices:
Also see our Terms of Service — which governs your use of the AfriStay Platform and is incorporated into this Privacy Policy by reference.
© 2026 Smartsync Technologies Limited. All rights reserved. This Privacy Policy is effective as of 1 June 2026.
© 2026 Smartsync Technologies Limited · Lagos, Nigeria
For legal enquiries: legal@afristay.com