← Back to HavenPilot

Privacy Policy

Last updated: March 2026 · Version 1.0

This policy applies to HavenPilot and is governed by the Nigeria Data Protection Regulation (NDPR) 2019 and its Implementation Framework 2020, administered by the National Information Technology Development Agency (NITDA).

1. Who We Are (Data Controller)

HavenPilot is the data controller for personal data processed through this platform. HavenPilot operates an estate management operating system for luxury residential estates and HOAs, primarily in Nigeria and across Africa.

Data Protection Officer (DPO) contact: privacy@havenpilot.com

2. Personal Data We Collect

We collect the following categories of personal data depending on your role on the platform:

Residents

  • Full name, email address, phone number(s)
  • Property address and unit information
  • Emergency contacts and next-of-kin information
  • Medical profile data (blood type, allergies, conditions) — collected only with your explicit consent for emergency response purposes
  • Payment records (dues, fees, transaction history)
  • Amenity booking history and service requests

Visitors

  • Full name and phone number
  • Government-issued ID number (where ID verification is enabled by the estate)
  • Photograph (where photo capture is enabled by the estate)
  • Vehicle information
  • Visit purpose and entry/exit timestamps
  • Device fingerprint (for access pass security)

Staff, Guards, and Vendors

  • Full name, contact information, role, and badge/staff number
  • Vendors: BVN (Bank Verification Number), NIN (National Identification Number), TIN (Tax Identification Number) — required for payment processing and KYC compliance
  • GPS location data (guards only, during active shifts)

All Users

  • Account credentials (managed by Supabase Auth)
  • Device and browser information (for security and analytics)
  • IP address and session logs

3. Why We Process Your Data (Legal Basis)

Under NDPR 2019, we process personal data only where we have a lawful basis:

  • Contract performance: To deliver estate management services under the agreement between HavenPilot and your estate.
  • Legitimate interests: Security monitoring, fraud prevention, platform improvement.
  • Consent: Medical emergency data, analytics cookies, marketing communications. You may withdraw consent at any time.
  • Legal obligation: KYC data (BVN/NIN/TIN) for vendor payment processing per CBN guidelines.
  • Vital interests: Emergency medical profile access by security personnel during emergencies.

4. How We Use Your Data

  • Estate access control and visitor management
  • Security monitoring and emergency response
  • Processing of estate dues, fees, and payments
  • Maintenance request management and vendor dispatch
  • Community communication and announcements
  • Amenity booking and concierge services
  • Platform analytics and product improvement (only with consent)

5. Data Sharing and Third Parties

We do not sell your personal data. We share data with third parties only where necessary:

  • Supabase (supabase.com): Database and authentication infrastructure. Data hosted on AWS infrastructure with AES-256 encryption at rest.
  • Stripe / Paystack / Flutterwave: Payment processing. PCI-DSS compliant. Only payment-relevant data is shared.
  • Your estate management: Estate administrators and staff can access resident and visitor data within their estate.
  • Emergency services: In life-threatening emergencies, medical profile data may be shared with emergency responders.

All third-party processors are bound by data processing agreements consistent with NDPR requirements.

6. Data Retention

  • Resident profiles: Retained for the duration of residency + 2 years after departure.
  • Visitor logs: Retained for 12 months from date of visit.
  • Financial records: Retained for 7 years in compliance with Nigerian financial regulations (FIRS requirements).
  • Guard GPS logs: Retained for 90 days.
  • Application logs: Retained for 12 months.
  • Deleted accounts: Personal identifiers anonymised within 30 days of account deletion request.

7. Your Rights Under NDPR

Under NDPR 2019 and consistent with GDPR, you have the following rights. Requests are processed within 30 days:

  • Right to Access: Request a copy of personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention obligations.
  • Right to Data Portability: Receive your data in a structured, machine-readable format (JSON).
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Restrict Processing: Request suspension of processing in certain circumstances.
  • Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing.

Exercise your rights in Settings → Privacy & Data or email privacy@havenpilot.com.

8. Data Security

  • AES-256 encryption at rest (via Supabase/AWS)
  • TLS 1.2+ encryption in transit
  • Row-level security policies — each user sees only their authorised data
  • Role-based access control (10 distinct roles)
  • Session timeouts and multi-factor authentication support
  • Immutable privacy audit log for accountability

9. Data Breach Notification

In the event of a personal data breach, we will notify NITDA within 72 hours of becoming aware, and affected data subjects without undue delay, as required by NDPR Implementation Framework 2020 (Section 4.1.5).

10. Cookies

We use the following cookies:

  • Essential cookies: Authentication session, security tokens. Cannot be disabled.
  • Analytics cookies: Platform usage analytics for product improvement. Requires your consent.

Manage cookie preferences via the consent banner or Settings → Privacy & Data.

11. Children's Privacy

HavenPilot is not directed at children under 13. We do not knowingly collect data from minors without parental or guardian consent. Resident profiles may include household member information for emergency purposes only, with the consent of the resident account holder.

12. Cross-Border Data Transfers

Primary data storage is on AWS infrastructure via Supabase. Data may be stored in AWS regions outside Nigeria. Where such transfers occur, we ensure adequate safeguards are in place consistent with NDPR cross-border transfer requirements (NDPR 2019 Article 2.12).

13. Changes to This Policy

We will notify you of material changes via in-app notification and require re-consent where the legal basis for processing changes. The policy version number and last-updated date are maintained at the top of this page.

14. How to Complain

If you have concerns about our data practices, contact our DPO at privacy@havenpilot.com. You also have the right to lodge a complaint with NITDA (National Information Technology Development Agency) at nitda.gov.ng.

Terms of Service·Back to HavenPilot·privacy@havenpilot.com