Data Management Policy

4.1 Data Minimisation

We collect only the data that is strictly necessary for the stated purpose. Where a service can function with less data, we do not collect more. Form fields are designed to request only essential information, and optional fields are clearly marked. We periodically review data collection points to ensure continued compliance with this principle.

4.2 Purpose Limitation

Data is collected for specific, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes. If a new use for existing data is identified, we assess whether it is compatible with the original purpose. If it is not compatible, we obtain fresh consent from the data subject before proceeding.

4.3 Accuracy

We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date. Users are provided with tools to review and correct their data through account settings. Inaccurate data is rectified or erased without unreasonable delay upon discovery or upon request from the data subject.

4.4 Storage Limitation

Personal data is retained only for as long as is necessary to fulfil the purpose for which it was collected, or as required by law. We have established specific retention periods for each data category (see Section 10). When the retention period expires, data is securely deleted or irreversibly anonymized.

4.5 Lawfulness, Fairness, and Transparency

All data collection is based on a lawful basis: consent, contractual necessity, legal obligation, or legitimate interest. We provide clear, accessible information about what data we collect and why, through our Privacy Policy and at the point of collection. No data is collected through deceptive means.

5.1 PostgreSQL Database

The primary relational database stores user accounts, property listings, transaction records, agent profiles, enquiry records, reviews, subscription data, and administrative records. PostGIS extensions are used for geospatial property data.

Security: Encrypted at rest (AES-256). Connections encrypted via TLS. Access restricted by role-based credentials. Automated daily backups with encrypted offsite storage. Point-in-time recovery enabled.

5.2 Cloudflare R2 Object Storage

Property images, agent profile photos, identity verification documents, development project media, and other uploaded files are stored in Cloudflare R2. Files are organised by type and associated entity ID.

Security: Encrypted at rest. Access controlled via signed URLs with expiry. Sensitive documents (identity verification) stored in a separate, access-restricted bucket with enhanced logging. Public property images served via Cloudflare CDN.

5.3 Redis

Redis is used for session token management, rate limiting, and caching of frequently accessed data such as search results and listing counts. No persistent personal data is stored in Redis.

Security: Password-protected instance. TLS-encrypted connections. No external network exposure. Session tokens are cryptographically random and expire according to the defined schedule (see Section 10).

5.4 AI Cache

AI-generated content (market insights, property descriptions, valuation estimates) is cached to reduce redundant API calls and improve response times. The cache stores only property-related and market-related data; no personal user data is cached.

Security: 7-day time-to-live (TTL) with automatic purge. Cache entries are keyed by content hash, not user identity. Encrypted at rest. Admin can force-purge the entire cache at any time.

6.1 Consumers (Property Seekers)

6.2 Realtors (Agents and Agencies)

6.3 Developers (Property Developers)

6.4 Administrators

7.1 Data Sent to AI Providers

The following categories of data may be sent to external AI providers for processing:

• Property details (type, location, size, price, features, description text)
• Market statistics (average prices, transaction volumes, neighbourhood data)
• Search query parameters (location, price range, property type filters)
• Neighbourhood and area information (public data)

7.2 AI Providers Used

AI processing is routed through OpenRouter, which provides access to the following models: Google Gemini and Qwen. Provider selection is based on availability, cost, and task suitability. All providers are bound by their respective data processing terms, and we select only providers that do not use customer data for model training.

7.3 Personal Data Exclusion

No personal user data is sent to AI providers. AI requests contain only property data, market statistics, and search parameters. User names, email addresses, phone numbers, financial data, and identity documents are never included in AI processing requests. Requests are stripped of any personally identifiable information before transmission.

7.4 AI Cache Retention

AI-generated responses are cached locally for a maximum of 7 days. Cache entries are automatically purged after the TTL expires. Cache keys are based on content hashes, not user identifiers. There is no long-term storage of AI-generated content beyond the cache period unless the content has been explicitly saved to a listing or report.

7.5 User Rights Regarding AI Data

Users may request deletion of AI-generated insights associated with their account or properties at any time by contacting us at info@smartestateio.com or through in-app settings. Upon receiving such a request, we will delete any cached AI outputs and remove AI-generated content from the user's listings within 48 hours.

8.1 Role-Based Access Control (RBAC)

The platform enforces strict role-based access control across four primary roles:

• Consumer: Access to own account data, saved properties, search history, enquiries, and reviews. No access to other users' personal data or administrative functions.
• Realtor: Access to own profile, listings, leads (enquiries received), subscription data, and inspection records. Can view consumer contact details only for enquiries directed to them. No access to other realtors' leads or business data.
• Developer: Access to own company profile, development projects, investment listings, and applications received. Similar access boundaries as realtors, scoped to development-related data.
• Admin: Full platform access including user management, listing moderation, audit logs, system configuration, and analytics. Admin access is logged and auditable.

8.2 Admin IP Whitelist

Access to the administrative panel is restricted to pre-approved IP addresses. Requests from non-whitelisted IPs to admin endpoints are rejected with a 403 Forbidden response. The IP whitelist is maintained by the system administrator and reviewed monthly. Changes to the whitelist are logged in the admin audit trail.

8.3 Authentication

All authenticated endpoints use JSON Web Tokens (JWT) for stateless authentication. Token management follows these specifications:

• Access tokens: Short-lived (7-day expiry), used for API request authentication.
• Refresh tokens: Longer-lived (30-day expiry), used solely to obtain new access tokens. Stored securely and rotated on use.
• Token invalidation: Tokens are invalidated on logout, password change, and account deactivation.
• OAuth: Google OAuth is supported as an alternative authentication method. OAuth tokens are validated server-side and do not replace the platform's JWT mechanism.

8.4 Two-Factor Authentication (2FA)

Two-factor authentication is mandatory for all administrator accounts. 2FA is available and recommended for all other user types. We support time-based one-time passwords (TOTP) via standard authenticator applications. Backup recovery codes are provided at 2FA enrolment and should be stored securely by the user.

9.1 Right of Access

You have the right to request a copy of all personal data we hold about you. We will provide this data in a commonly used, machine-readable format (JSON or CSV) within 30 days of receiving a verified request. You may request your data through the account Settings page ("Download Your Data") or by emailing us.

9.2 Right to Rectification

You have the right to request correction of inaccurate personal data or completion of incomplete personal data. Most data can be corrected directly through your account settings. For data that cannot be self-corrected, submit a rectification request and we will process it within 14 days.

9.3 Right to Erasure ("Right to Be Forgotten")

You have the right to request deletion of your personal data. Upon account deactivation, your profile and listings are hidden immediately. After 30 days, personal data is permanently deleted unless retention is required by law (e.g., financial records retained for 7 years per Nigerian tax law). Requests for erasure may be denied where data retention is legally mandated.

9.4 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller. We support export of account data, listing data, enquiry records, and saved searches in JSON format.

9.5 Right to Restrict Processing

You have the right to request restriction of processing of your personal data in certain circumstances, including where you contest the accuracy of the data, where processing is unlawful, or where we no longer need the data but you require it for legal claims. Restricted data will be stored but not actively processed.

9.6 Right to Object

You have the right to object to processing of your personal data based on legitimate interest or for direct marketing purposes. Where you object to processing for direct marketing, we will cease processing immediately. For other objections, we will assess whether our legitimate grounds override your interests.

9.7 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. You may withdraw consent through your account settings or by contacting us directly.

11.1 Soft Deletion

When a user deactivates their account, all associated data is soft-deleted: the account is flagged as inactive, and all profiles, listings, and personal data are hidden from public view. The user may reactivate within 30 days. After 30 days, hard deletion is initiated.

11.2 Hard Deletion

Hard deletion permanently removes data from the primary database and all active storage systems. This includes: account records, profile data, uploaded files (images, documents) from Cloudflare R2, session tokens from Redis, and cached data. Database records are deleted using cascading deletions to ensure referential integrity.

11.3 Backup Purge

Deleted data may persist in backup systems for up to 90 days after hard deletion. Backups are encrypted and access-controlled. Data in backups is not actively processed and will be purged as backup rotation cycles complete. We do not restore deleted data from backups except in the event of a system failure requiring full recovery.

11.4 Anonymization

Where data must be retained for statistical, analytical, or legal purposes beyond the retention period, it is irreversibly anonymized. Anonymization removes all personally identifiable information such that the data subject cannot be identified directly or indirectly. Anonymized data is not considered personal data and may be retained indefinitely for market analysis and platform improvement.

11.5 Verification Document Disposal

Identity documents and professional certificates submitted for verification are stored in an access-restricted Cloudflare R2 bucket. Once verification is complete, original documents are deleted and only the verification status (verified/not verified) and verification date are retained. If a user requests deletion before verification is complete, all uploaded documents are immediately and permanently removed.

Phase 1: Detection and Assessment (within 24 hours)

• Identify and confirm the breach through monitoring systems, user reports, or third-party notifications.
• Contain the breach by isolating affected systems, revoking compromised credentials, and blocking unauthorised access vectors.
• Assess the scope: determine what data was affected, how many data subjects are impacted, and the likely severity of harm.
• Preserve evidence for forensic investigation and potential legal proceedings.
• Assemble the incident response team including the Data Protection Officer, technical lead, and management.

Phase 2: Regulatory Notification (within 72 hours per NDPR)

• Notify the National Information Technology Development Agency (NITDA) within 72 hours of becoming aware of the breach, as required by the NDPR.
• The notification shall include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
• If full details are not available within 72 hours, provide an initial notification with available information and supplement with additional details as they become available.

Phase 3: User Notification

• Where the breach is likely to result in a high risk to the rights and freedoms of individuals, affected users will be notified without undue delay.
• Notifications will be sent via email and, where appropriate, via in-app notification.
• Notifications will describe the nature of the breach in clear language, the data involved, what we are doing to address it, and recommended protective actions the user should take (e.g., changing passwords).

Phase 4: Remediation

• Implement permanent fixes to the vulnerability that caused the breach.
• Conduct a full security review of related systems.
• Force password resets for affected accounts where appropriate.
• Revoke and reissue any compromised API keys, tokens, or credentials.
• Update security controls, monitoring rules, and access policies as needed.

Phase 5: Post-Incident Review

• Conduct a thorough post-incident review within 14 days of incident closure.
• Document root cause, timeline, impact, response effectiveness, and lessons learned.
• Update this Data Management Policy, the incident response plan, and any other affected policies based on findings.
• Implement additional preventive measures to reduce the likelihood of similar incidents.
• Report findings to management and the Data Protection Officer.

Nigeria Data Protection Regulation (NDPR) 2019

Issued by NITDA, the NDPR establishes the framework for data protection in Nigeria. It mandates lawful processing, data subject consent, breach notification within 72 hours, and the appointment of a Data Protection Officer for organisations processing the data of more than 2,000 data subjects. Smart Estate MLS complies with all NDPR requirements.

Nigeria Data Protection Act (NDPA) 2023

The NDPA supersedes and strengthens the NDPR, establishing the Nigeria Data Protection Commission (NDPC) as the primary regulatory body. It introduces enhanced requirements for data processing, cross-border transfers, and data subject rights. Smart Estate MLS aligns its practices with the NDPA's provisions, including registration with the NDPC and compliance with the Act's data processing principles.

General Data Protection Regulation (GDPR)

Where Smart Estate MLS processes personal data of individuals located in the European Economic Area (EEA), or where services are offered to individuals in the EEA, the GDPR applies. We implement GDPR-compliant practices across all data processing activities to ensure consistent protection regardless of the data subject's location.

Cybercrimes (Prohibition, Prevention, etc.) Act 2015

This Act criminalises various forms of cybercrime in Nigeria, including unauthorised access to computer systems, identity theft, and fraud. Smart Estate MLS implements technical and organisational measures to prevent cybercrimes affecting the platform, and cooperates with law enforcement authorities in the investigation of cyber incidents as required by the Act.