Privacy Policy

Last updated: May 8, 2026

1. Who we are

This policy explains how Stayza Pro Limited (“Stayza,” “we,” “us”), a company registered in the Federal Republic of Nigeria, handles personal data when you use the Stayza Pro platform — including shortlet agent dashboards on subdomains such as yourbusiness.stayza.pro and the booking experiences hosted on them.

We process personal data in line with the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation 2019 (NDPR) and the implementation guidelines issued by the Nigeria Data Protection Commission (NDPC).

2. What we collect

  • Account information: name, email, phone, role (guest or shortlet agent), business name, CAC certificate (shortlet agents only), bank details for payouts (shortlet agents only).
  • Identity verification: phone OTP, document verification status, bank-account name match results.
  • Booking data: property selected, dates, guests, special requests, payment status, dispute history, reality-card acknowledgements.
  • Payment data: Paystack reference IDs and amounts. Card details never reach our servers — they are collected and stored by Paystack as a CBN-licensed Payment Solution Service Provider.
  • Communications: WhatsApp messages and in-app chats with our AI assistant Sàbí and with hosts, including any voice notes you submit.
  • Technical data: IP address, browser, device, referring URL, session timing, error logs.

3. Why we process it (legal bases)

  • Performance of contract — running your bookings, payouts, escrow releases, and dispute resolution.
  • Legal obligation — KYC/KYB checks, record retention for tax (FIRS) and AML purposes.
  • Legitimate interest — fraud detection, platform security, service quality, fraud-flagged anomaly review.
  • Consent — marketing communications and the use of your conversation history to improve the Sàbí AI assistant. You can withdraw consent at any time via your account settings.

4. Who we share it with

We do not sell personal data. We disclose it only to the following categories of recipients, each bound by a data processing agreement:

  • Paystack — payment authorisation, transfers and refunds.
  • Twilio — WhatsApp and SMS delivery for booking notifications and OTPs.
  • Cloudinary — storage of property images.
  • OpenAI — processing user messages on a zero-retention basis to power Sàbí replies. Your messages are not used to train OpenAI’s public models.
  • Hosting and infrastructure — Vercel (frontend) and Railway (backend, database, Redis).
  • Your host — if you are a guest, necessary booking details (name, dates, contact email, special requests) are shared with the shortlet agent whose property you book.
  • Authorities — where we are legally required to disclose data to regulators, tax authorities or law enforcement.

5. International transfers

Some of our processors host data outside Nigeria (primarily the EU and the United States). For each transfer we rely on either the recipient country’s adequacy status under the NDPA or Standard Contractual Clauses with the processor.

6. How long we keep it

  • Booking, payment and tax records: 7 years after the booking, in line with FIRS requirements.
  • Account profile data: until you delete the account, then a 90-day grace window before erasure.
  • Chat history with Sàbí: 24 hours in our short-term cache, up to 12 months in long-term storage if you keep an active account.
  • CAC and identity documents: 7 years from the end of the shortlet agent relationship (AML retention).

7. Your rights under the NDPA

You have the right to access your data, correct inaccuracies, ask us to delete it, restrict or object to processing, port it to another service, and lodge a complaint with the Nigeria Data Protection Commission. Most of these rights can be exercised from your account settings; for anything you cannot self-serve, email privacy@stayza.pro and we will respond within 30 days.

8. How we secure your data

Data in transit is protected with TLS 1.2+. WiFi passwords and similar sensitive fields are encrypted at rest. Access to production systems is limited to authorised personnel under role-based controls. Refresh tokens are stored as HttpOnly cookies and never exposed to JavaScript. We do not store payment card numbers.

9. Children

Stayza Pro is not directed to children under 18. We do not knowingly collect personal data from minors. If you believe a minor has registered, contact us and we will delete the account.

10. Changes to this policy

We may update this policy as the platform and applicable law evolve. Material changes will be announced by email at least 30 days before they take effect, or earlier if required by law.

11. Contact and Data Protection Officer

Stayza Pro Limited · Lagos, Nigeria.
Privacy and DPO enquiries: privacy@stayza.pro
General support: hello@stayza.pro