Privacy Policy

1. Introduction

Onile, operated by Ereko Labs ("we," "our," or "us"), is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our property management platform (the "Platform").

This policy is designed to comply with the Nigeria Data Protection Regulation (NDPR), the Nigeria Data Protection Act 2023 (NDPA), and the European Union General Data Protection Regulation (GDPR) where applicable to Users in the European Economic Area (EEA).

By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Platform.

2. Data Controller

Ereko Labs, trading as Onile, is the data controller responsible for your personal data. For any data protection enquiries, you may contact our Data Protection Officer at:

3. Data We Collect

We collect the following categories of personal data:

4. Legal Basis for Processing (GDPR Article 6)

We process your personal data on the following legal bases:

• Contractual Necessity (Art. 6(1)(b)): Processing necessary to perform our contract with you, including providing access to the Platform, managing your account, processing payments, and facilitating property transactions.
• Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate business interests, such as fraud prevention, platform security, analytics, and improving our services, provided these interests are not overridden by your rights.
• Consent (Art. 6(1)(a)): Where we process identity verification data, biometric photographs, or send marketing communications, we do so based on your explicit consent, which you may withdraw at any time.
• Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with Nigerian law, including the NDPR, NDPA, tax regulations, and any applicable anti-money laundering requirements.

5. How We Use Your Data

We use your personal data for the following purposes:

• To create and manage your account on the Platform.
• To verify your identity for trust and safety purposes.
• To facilitate property searches, applications, and tenancy management.
• To process payments, subscriptions, and financial transactions.
• To enable communication between Landlords, Tenants, Property Management Companies, and Domestic Workers.
• To send you transactional emails (e.g. account verification, payment receipts, application updates).
• To send marketing communications (only with your consent).
• To detect and prevent fraud, abuse, and security incidents.
• To analyse usage patterns and improve the Platform.
• To comply with legal obligations and respond to lawful requests from authorities.

6. Data Sharing and Third Parties

We do not sell your personal data. We may share your data with the following categories of third parties:

• Identity Verification Providers: Government-vetted and approved identity verification providers who process your NIN and identity documents to verify your identity. These providers are bound by strict data protection agreements.
• Payment Processors: A trusted payment service provider that facilitates easy, fast, and secure online and in-person payments for African businesses. This provider processes your payment transactions but does not have access to your Platform account data.
• Email Service Providers: To deliver transactional and marketing emails on our behalf.
• Other Users: Certain information (such as your name, verified status, and Listing details) may be visible to other Users of the Platform as necessary for the services to function.
• Legal and Regulatory Authorities: When required by law, court order, or to protect our rights, property, or safety.

7. International Data Transfers

Your personal data is stored on private databases with military-grade encryption. Some of our service providers may process data in jurisdictions outside Nigeria or the European Economic Area. Where such transfers occur, we ensure that appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions where the destination country provides an adequate level of data protection.
• Data processing agreements with all third-party providers that meet NDPR and GDPR requirements.

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Specific retention periods include:

• Account data: Retained for as long as your account is active, and for up to 2 years after account deletion for legal compliance.
• Identity verification data: Retained for the duration of your account and up to 5 years after account closure, as required by Nigerian anti-money laundering regulations.
• Financial transaction records: Retained for a minimum of 6 years as required by Nigerian tax and financial regulations.
• Usage and technical data: Retained for up to 24 months for analytics and security purposes.
• Communications data: Retained for the duration of the relevant tenancy or service relationship, and up to 12 months thereafter.

9. Your Rights (GDPR Articles 15–22 & NDPR)

Under the GDPR and NDPR, you have the following rights regarding your personal data:

• Right of Access (Art. 15): You have the right to request a copy of the personal data we hold about you.
• Right to Rectification (Art. 16): You have the right to request correction of inaccurate or incomplete personal data.
• Right to Erasure (Art. 17): You have the right to request deletion of your personal data, subject to legal retention requirements. This is also known as the "right to be forgotten."
• Right to Restriction (Art. 18): You have the right to request that we restrict the processing of your personal data in certain circumstances.
• Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
• Right to Object (Art. 21): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
• Right Not to Be Subject to Automated Decision-Making (Art. 22): You have the right not to be subject to decisions based solely on automated processing, including profiling, that produces legal effects concerning you.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at privacy@onile.co. We will respond to your request within 30 days, or within the timeframe required by applicable law.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience on the Platform. These include:

• Essential Cookies: Required for the Platform to function, including authentication cookies that keep you logged in and role-based access cookies.
• Preference Cookies: Store your settings and preferences, such as language, theme (light/dark mode), and regional settings.
• Analytics Cookies: Help us understand how Users interact with the Platform so we can improve our services.

You can manage cookie preferences through your browser settings. Please note that disabling essential cookies may affect the functionality of the Platform.

11. Children's Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child under 18, we will take steps to delete such data promptly. If you believe a child has provided us with personal data, please contact us at privacy@onile.co.

12. Data Security

We take the security of your personal data seriously. Your data is stored on private databases with military-grade encryption. We implement appropriate technical and organisational measures to protect your data, including:

• Encryption of data in transit (TLS/SSL) and at rest.
• Secure password hashing using industry-standard algorithms.
• Role-based access controls to limit data access to authorised personnel only.
• Regular security assessments and monitoring.
• Secure authentication mechanisms including HTTP-only cookies and JSON Web Tokens.

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining the highest standards of data protection.

13. Nigeria Data Protection Regulation (NDPR) Compliance

In accordance with the NDPR and the Nigeria Data Protection Act 2023 (NDPA), we confirm that:

• We process personal data lawfully, fairly, and in a transparent manner in relation to data subjects.
• Personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
• We ensure that personal data is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
• We take reasonable steps to ensure that personal data that is inaccurate is erased or rectified without delay.
• Personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed.
• We process personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.

Nigerian data subjects have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if they believe their data protection rights have been violated.

14. Right to Lodge a Complaint (GDPR)

If you are located in the European Economic Area and believe that your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority under GDPR Article 77. You may also contact us directly, and we will endeavour to resolve your concern promptly.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform functionality. When we make material changes, we will notify you by posting the updated policy on the Platform and updating the "Last updated" date at the top of this page. We may also send you an email notification for significant changes.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at: