01 Overview
OurArea Holdings Ltd ("OurArea", "we", "us") builds property-management software used by African property owners, managers, residents and visitors. This Privacy Policy explains what personal data we collect, why, how long we keep it, who we share it with, and the rights you have over it.
This policy applies to ourareahq.com, every OurArea product (Community, Manager, Short, Listings), and every account managed through our platform. Where we act as a data processor for a customer (a property running on OurArea), the customer is the data controller; this policy describes how we, as processor, handle their data.
Plain-English summary: we collect what we need to run the product, we don't sell your data, we keep it as long as your account is active, and we make it easy to export or delete on request.
02 What we collect
The data we collect depends on the role you have in OurArea (resident, manager, owner, visitor) and how you use the product.
Account & profile
- Name, email, phone number, role (resident / manager / owner / staff)
- Property and unit assignment, lease dates where applicable
- Profile photo (optional)
- Password — stored as a one-way bcrypt hash, never in plaintext
Operational data
- Tickets you log, attachments, status updates, photos and voice notes
- Service charge invoices, payment records, receipts
- Visitor pre-registrations, gate entries and exits, QR pass scans
- Notices sent and read receipts
Technical data
- IP address, browser type, device type, OS version
- Pages visited, features used, timestamps (for audit trail)
- Error logs (anonymized where the error doesn't relate to a specific user)
Payment data
- Payment method type (card, transfer, USSD) and the last four digits of cards
- Transaction reference IDs — issued by Paystack, Flutterwave, M-Pesa or your bank
- We never see or store full card numbers. Payment processors handle those directly.
03 Why we collect it
Each category of data we collect has a specific operational purpose. We do not collect data "in case" — every field has a use.
- Account data — to give you secure access to the product
- Operational data — to run the platform (tickets, payments, visitor management, comms)
- Technical data — to keep the platform fast, secure, and debuggable
- Payment data — to process invoices and receipts, and to reconcile with banking partners
- Audit logs — to maintain the transparency that property law and your tenants require
We rely on the following legal bases under Nigeria's NDPA 2023 and equivalent African data protection laws:
- Contract — to deliver the service you signed up for
- Legitimate interest — for fraud prevention, security and operational integrity
- Legal obligation — where law (financial, tax, KYC) requires record-keeping
- Consent — for optional features (marketing emails, optional analytics)
04 Who we share it with
We do not sell your data. We do not share it with advertisers. We do not provide it to third parties for their own marketing. We share data only in the following narrow, operational cases:
Within your property
Your data is shared with other users in your property only as required by role: residents see their own data, managers see operational data for their site, owners see financial data for their portfolio. Permission boundaries are explicit and visible.
Service providers
We use a small set of vetted sub-processors to operate the platform. Each is bound by a data processing agreement and limited to the data they need:
- AWS (Frankfurt and Lagos regions) — hosting and storage
- Paystack, Flutterwave — payment processing
- Twilio, Termii — SMS delivery
- Resend — transactional email
- Sentry — error monitoring (anonymized stack traces)
Legal compliance
We will disclose data when compelled by a valid legal order from a court of competent jurisdiction in Nigeria, Kenya, Ghana or another African market where we operate. We will notify the affected customer where the order permits it.
05 Where & how long
Data is stored in AWS Frankfurt by default for low-latency African access. Enterprise customers can opt into AWS Lagos for data residency requirements (NDPA-aligned).
We retain data for the following periods:
- Active accounts — for the lifetime of your account, plus 90 days after deactivation
- Audit logs — 7 years, as required by Nigerian financial record-keeping rules
- Payment records — 7 years, for tax and reconciliation
- Marketing data — until you opt out, then deleted within 30 days
After the retention period, data is permanently deleted from production systems and overwritten in backups within 30 days.
06 How we protect it
We treat property data like the financial data it is.
- Encryption in transit — TLS 1.3 for all client-server communication
- Encryption at rest — AES-256 for stored data
- Two-factor authentication — required for owner and manager roles, available for all
- Role-based access control — least-privilege by default
- Independent penetration testing — annually, by an accredited firm
- Internal access controls — most engineers cannot see customer data; any access by support is logged
- Continuous backups — point-in-time restore for the first 30 days
- Incident response — 72-hour breach notification commitment, well within legal minimums
07 Your rights
Under Nigeria's NDPA, Kenya's Data Protection Act, Ghana's Data Protection Act and analogous African data protection laws, you have the following rights over your personal data:
- Access — get a copy of the data we hold about you
- Correction — fix anything inaccurate
- Deletion — request erasure (subject to retention obligations above)
- Portability — export your data in machine-readable format
- Objection — object to processing on legitimate-interest grounds
- Withdrawal of consent — for anything we process on a consent basis
- Complaint — lodge a complaint with the NDPC or your local data protection authority
To exercise any of these rights, email privacy@ourareahq.com. We respond within 30 days — usually much faster.
Self-serve: most of these rights are exercisable directly in the product. Account → Privacy → Export my data, or Account → Delete account. No emails required.
08 Cookies & analytics
We use a minimal set of cookies. We do not use third-party tracking, advertising pixels, or session-replay tools.
Strictly necessary
- session — keeps you logged in
- csrf — protects against cross-site request forgery
Optional
analytics — anonymized usage data via PostHog (self-hosted in Frankfurt). Opt-out in your account settings.
That's it. No Facebook Pixel, no Google Analytics, no advertising trackers. You can clear cookies any time without losing your data.
09 Children
OurArea is a B2B property management product. It is not directed at children. We do not knowingly collect data from anyone under 16. If you are a property manager managing a site where minors are residents, you should not enter children's personal data into OurArea — use unit-level identifiers instead.
10 Changes to this policy
When we make material changes to this policy, we'll notify account holders by email at least 30 days before the change takes effect. The version number at the top of this page reflects the current revision. Older versions are archived and available on request.
11 How to reach us
OurArea Holdings Ltd, Lagos, Nigeria.
We commit to a real human response within 24 hours on every channel.