Privacy Policy

Effective date: June 2026 · Burdva Limited · NDPA 2023 Compliant

Burdva Limited is committed to protecting your personal data. This Policy explains precisely what data we collect, why, how long we keep it, who we share it with, and how to exercise your rights under the Nigeria Data Protection Act 2023 (NDPA).

1. Who We Are — Data Controller

1.1

Burdva Limited ("Resida", "we", "our", "us") is the data controller responsible for personal data collected through the Resida platform (resida.app and all subdomains). Resida is incorporated under the laws of the Federal Republic of Nigeria, with its registered office in Victoria Island, Lagos, Nigeria.

1.2

This Privacy Policy explains what personal data Resida collects, why we collect it, how we use and share it, how long we retain it, your rights as a data subject under the Nigeria Data Protection Act 2023 (NDPA) and its implementing regulations, and how to exercise those rights.

1.3

For all privacy and data protection matters, including Subject Access Requests, right-to-erasure requests, and data-related complaints, contact our Data Protection Officer (DPO) at privacy@resida.app.

1.4

This Policy was last updated in June 2026. We will notify registered Users by email at least 30 days before any material change takes effect. Continued use of the Platform after the effective date constitutes acceptance of the revised Policy.

2. Definitions

2.1

"Personal Data" means any information relating to an identified or identifiable natural person (a "data subject"), as defined in Section 65 of the NDPA 2023.

2.2

"Special Category Data" means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, genetic data, or biometric data used to uniquely identify a natural person.

2.3

"Processing" means any operation performed on personal data, including collection, recording, storage, use, disclosure, or deletion.

2.4

"Sub-Processor" means a third-party service provider who processes personal data on Resida's behalf.

2.5

"DVA" means Dedicated Virtual Account — a bank account number issued through Paystack (Titan Trust Bank or Wema Bank) to facilitate Platform Wallet funding.

2.6

"AI Feature" means any functionality powered by a large language model (LLM) or multimodal AI model — specifically Google Gemini — used within the Platform.

2.7

"NDPA" means the Nigeria Data Protection Act 2023 and all related regulations and guidelines issued by the Nigeria Data Protection Commission (NDPC).

3. What Personal Data We Collect

3.1

IDENTITY DATA: Full legal name, date of birth, government-issued ID number (NIN, passport, or driver's licence); photographs including selfie/liveness capture; biometric indicators derived from liveness checks (not raw biometric templates).

3.2

CONTACT DATA: Email address, phone number (including WhatsApp-registered number), residential address, Lagos Local Government Area.

3.3

FINANCIAL DATA: Bank Verification Number (BVN); bank account number(s) provided for withdrawal; DVA account number; wallet balance and transaction history; Paystack customer code; subscription billing history; card type and last 4 digits only (raw card numbers are never stored); payment reference numbers.

3.4

KYC DOCUMENTATION: Scanned or photographed government-issued ID; utility bills or address verification documents; guarantor details provided during lease onboarding.

3.5

PROPERTY DATA: Property address, type, unit details, photos, videos, description, amenities, pricing, and occupancy history for listings created by Owners and Agents.

3.6

LEASE AND BOOKING DATA: Lease start/end dates, rent amount, payment frequency, next due date, lease status; shortlet check-in and check-out dates; inspection scheduling details.

3.7

COMMUNICATIONS DATA: In-platform chat messages (Tenant ↔ Agent ↔ Handyman threads); AI-assisted draft replies and message summaries; email and SMS delivery logs; WhatsApp message logs (inbound commands, template delivery receipts).

3.8

TECHNICAL DATA: IP address at account creation, login, and each financial transaction; browser and device type (User-Agent); session identifiers stored in Redis (5-minute TTL for OTP, 60-minute TTL for sessions, 7-day TTL for refresh tokens); API access logs.

3.9

USAGE DATA: Pages and features accessed; timestamps of actions; AI Feature calls (which feature, timestamp, charge incurred); WhatsApp commands received; referral link clicks and attribution data (ref codes, share_events).

3.10

LOCATION DATA: GPS coordinates collected from Cleaners at task check-in for proximity verification. Not collected from any other user role. Not used for profiling or marketing.

3.11

ESTATE ACCESS DATA: Visitor access codes; gate entry/exit timestamps; guard identifier who processed each scan. Retained for 12 months.

3.12

HANDYMAN / CLEANER PROFESSIONAL DATA: Trade skills, base service charge, service history, ratings, availability status, GPS check-in records.

3.13

B2B COMPANY DATA: Company registration information (name, RC number, address); staff roster (names, emails, roles, branch assignments); CRM client and lead records; commission and expense records; agreement content.

3.14

AI-GENERATED METADATA: Outputs generated about you or your properties, including risk scores, fraud probability signals, property valuations, maintenance cost estimates, maintenance category classifications, lead quality scores, rent reference letter drafts, photo quality scores, and OCR extracts from identity documents. These outputs are stored as decision-support records.

4. Special Category Data

4.1

Selfie images submitted for KYC liveness verification are processed by an AI pipeline to confirm the photo is of a live person. The raw image is stored. A liveness confidence score is produced but raw biometric templates are not extracted or retained. Government-issued identity documents may reveal nationality by implication; this data is processed solely for identity verification and not analysed separately.

4.2

Resida does not collect health, political, religious, or trade union data. If any such data appears voluntarily in a free-text field (e.g., a maintenance request), it is used only to fulfil the stated purpose and is never used for profiling, marketing, or secondary processing.

4.3

Legal basis for Special Category Data: explicit consent (obtained at KYC submission) and, where applicable, necessity to comply with Nigerian financial regulatory obligations.

5. How We Collect Your Data

5.1

DIRECTLY FROM YOU: Account registration; KYC submission; property listing; lease creation or acceptance; booking submission; maintenance requests; wallet funding; subscription payment; WhatsApp inbound messages; in-app chat; feedback forms; dispute submissions.

5.2

AUTOMATICALLY: HTTP-only session cookies and local storage (authentication tokens); server-side IP and User-Agent logging per API request; Celery task metadata; Redis session data.

5.3

FROM THIRD PARTIES: Paystack — DVA account details, payment status webhooks (charge.success), transfer status, bank account name; Meta/WhatsApp — inbound messages and delivery receipts; Google Gemini — OCR extracts from submitted documents.

5.4

FROM REFERRALS: If you register via a referral link, the referring user's code is associated with your account. A share_event record is created linking your account to the referrer for reward attribution.

6. Legal Basis for Processing

6.1

CONTRACT PERFORMANCE (NDPA s.25(1)(b)): Creating your account, provisioning your DVA, executing lease and booking transactions, deducting rent, processing withdrawals, and providing Platform features.

6.2

LEGAL OBLIGATION (NDPA s.25(1)(c)): KYC identity verification and retention under the Money Laundering (Prevention and Prohibition) Act 2022 and CBN KYC directives; financial transaction records for 5+ years; responding to court orders, NFIU directives, or NDPC investigations.

6.3

LEGITIMATE INTERESTS (NDPA s.25(1)(f)): Platform security and fraud detection; anomaly detection in wallet transactions; duplicate account detection; abuse prevention; improving the Platform through anonymised usage analytics; referral attribution; sending transactional messages about your account activity; immutable audit logging for operational integrity.

6.4

CONSENT (NDPA s.25(1)(a)): Processing biometric/liveness data (KYC selfie); WhatsApp outbound notifications; SMS notifications (Termii); marketing communications; optional cookies; AI photo scoring of property images.

6.5

VITAL INTERESTS (NDPA s.25(1)(d)): If you report a safety emergency via the SOS feature or a maintenance request, we may share your details with emergency services.

6.6

You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. To withdraw, email privacy@resida.app or use notification preferences in your account Settings.

7. How We Use Your Personal Data

7.1

ACCOUNT MANAGEMENT: Creating and maintaining your account; authenticating identity; managing RBAC; enforcing access controls; notifying you of security events.

7.2

FINANCIAL OPERATIONS: Provisioning DVA; crediting Wallet deposits via Paystack webhook; executing rent deductions via Celery Beat at 00:00 WAT; processing late fee accrual; handyman and cleaner payouts; shortlet and event bookings; withdrawals; subscription billing; AI usage fee (₦3 per LLM call); recording all transactions in the ledger and audit log.

7.3

PROPERTY AND LEASE MANAGEMENT: Enabling property listing; managing lease lifecycle (PENDING → ACTIVE → EXPIRED); scheduling next_due_date advancement; managing shortlet calendar and double-booking prevention; generating inspection codes; managing vacate notice workflows.

7.4

COMMUNICATIONS: Sending transactional emails via Resend; sending SMS OTPs via Termii; sending WhatsApp template messages via Meta Cloud API (rent reminders, savings nudges, vacancy broadcasts, inspection confirmations, maintenance alerts, rent certificates, landlord onboarding steps); facilitating in-platform three-way chat.

7.5

KYC AND COMPLIANCE: Reviewing submitted identity documents; using AI OCR to assist field extraction; making KYC decisions (always human-reviewed); retaining KYC records for audit and regulatory compliance; reporting suspicious activity to the NFIU where legally required.

7.6

FRAUD AND SECURITY: Detecting duplicate accounts via shared phone numbers or email hashing; AI-assisted fraud scan (Gemini) to identify inconsistent KYC data or anomalous wallet patterns; generating fraud probability scores stored as AI-generated metadata; creating immutable fraud_flag audit entries; notifying administrators for human review.

7.7

MARKETING AND REFERRALS: Sending promotional messages to opted-in users; tracking referral attribution (ref codes, share_events); crediting referral rewards; generating growth metrics (anonymised aggregates only).

7.8

PLATFORM IMPROVEMENT: Aggregated, anonymised usage statistics to understand feature adoption. Resida does not use individual user data to fine-tune the Gemini model — all Gemini API calls are inference-only.

8. AI and Automated Decision-Making

8.1

The Platform uses Google Gemini to provide AI Features including: listing copy generation, property valuation (AVM), maintenance triage, agreement drafting, agreement review, chat draft replies, ad copy generation, rent reference letter drafting, document OCR for KYC, photo tagging, photo quality scoring, and virtual tour narrative generation.

8.2

DATA SENT TO GOOGLE GEMINI varies by feature: (a) Listing copy: property name, location, type, price, amenities — no user identity. (b) Maintenance triage: request description only — no tenant name. (c) Agreement drafting: unit details, lease dates, rent amount, tenant name included. (d) Document OCR: image URL pointing to the document in cloud storage — fetched directly by Gemini. (e) Photo scoring: image URL only — no personal data. (f) Fraud scan: structured account summary (age, transaction volume, flag count) — name and email included. (g) Chat draft reply: recent message thread including sender names. Resida never sends BVN, raw card numbers, wallet balances, or DVA account numbers to Gemini.

8.3

DATA PROCESSING BY GOOGLE: Google LLC processes Gemini API data as a Sub-Processor under Google's API Terms and Cloud Data Processing Addendum. Google's servers are located primarily in the USA and EU. Resida has enabled "Do not use content to improve Google models" in our Gemini API configuration. Google does not use Platform user data to train AI models.

8.4

AUTOMATED PROFILING: The Platform generates the following profiles: (a) Tenant risk score: 0–100 from payment history, late fee count, support ticket count. Used to alert property managers. Not used to automatically reject tenants. (b) Lead quality score: from listing engagement data for agent prioritisation. (c) Fraud probability signal: from Gemini fraud scan and deterministic rules. Flags trigger human review — no automatic suspension. (d) Anomaly detection: Z-score analysis on wallet transaction values and frequencies. Anomalies generate administrator alerts, not automated account actions.

8.5

RIGHT NOT TO BE SUBJECT TO SOLELY AUTOMATED DECISIONS (NDPA s.34): No significant decision (account suspension, lease rejection, fraud report to NFIU) is made solely by automated means without human review. To request human review of a decision that has significantly affected you, contact privacy@resida.app.

9. WhatsApp Integration and Meta Data Processing

9.1

When you interact with Resida via WhatsApp, your phone number, message content, and delivery metadata are processed by Meta Platforms Ireland Ltd under Meta's Privacy Policy and Business Messaging Terms.

9.2

Inbound WhatsApp messages are received via Meta Cloud API webhook, stored to process your command, and retained for 90 days. Outbound template delivery logs are retained for 90 days.

9.3

Multi-step WhatsApp conversational sessions store state in Redis with a 30-minute TTL. Abandoned sessions are automatically purged at TTL expiry.

9.4

To opt out of WhatsApp notifications, send UNSUBSCRIBE to our WhatsApp Business number or email privacy@resida.app. Critical security notices may still be sent.

10. Referral, Attribution, and Growth Data

10.1

Sharing a referral link (resida.app/register?ref=YOUR_CODE) generates share_events records containing: referring user ID, ref code, channel parameter (whatsapp, instagram, copy, etc.), and timestamp. No personal data about the person who clicks is collected before they register.

10.2

On registration via a referral link, your account is associated with the referrer's code. This association is stored permanently as part of the audit record and is used to credit referral rewards and generate anonymised growth metrics.

10.3

Referral rewards are credited to the referring user's Wallet as a CREDIT transaction. Resida does not withhold tax on referral income. Users are responsible for declaring referral income under applicable Nigerian tax law.

11. Location Data

11.1

GPS coordinates are collected only when a registered Cleaner submits a task check-in. The browser's Geolocation API (with explicit permission) provides latitude and longitude, compared against the unit's registered coordinates using the Haversine formula. Check-in is accepted within 300 metres.

11.2

GPS coordinates are stored in the cleaning task record, visible to the property manager, and retained for 12 months then deleted.

11.3

Resida does not collect continuous or background location data. Geolocation is requested only at check-in, with a standard browser permission prompt. Location data is never used for marketing or profiling.

12. How We Share Your Data

12.1

BETWEEN USERS: (a) Tenant name, phone, email, and KYC status are visible to the Agent and Owner of their occupied unit. (b) Requester's name, unit address, and request description are visible to the assigned Handyman. (c) Guest name and booking dates are visible to the property Host.

12.2

SUB-PROCESSORS (all under data processing agreements): (a) Paystack (PCI-DSS Level 1): payment processing, DVA provisioning, recurring billing — name, email, phone, BVN, bank account number. Servers: Nigeria. (b) Google LLC (Gemini API): AI Feature processing — feature-specific data per Section 8.2. Servers: USA and EU. (c) Amazon Web Services (AWS S3): file storage — images and documents. Servers: EU and/or USA. (d) Cloudinary (alternative storage): same scope as AWS S3. (e) Resend: transactional email — recipient email address and email body. Servers: USA. (f) Termii: SMS delivery — recipient phone number and message body. Servers: Nigeria and EU. (g) Meta Platforms Ireland Ltd: WhatsApp delivery — phone number and message content. Servers: EU and USA. (h) Redis: session caching and Celery broker — hashed session tokens and OTP codes. Servers: configured cloud region.

12.3

LEGAL AND REGULATORY: Resida may disclose data to government authorities, law enforcement, courts, or regulators (NDPC, NFIU, CBN, LASRERA) as required by Nigerian law. We will notify affected Users where legally permissible.

12.4

CORPORATE TRANSACTIONS: In a merger or acquisition, personal data may be transferred to the acquiring entity under the same privacy protections. We will notify Users before any such transfer.

12.5

Resida does not sell your personal data. We do not share your data with advertisers or data brokers.

13. International Data Transfers

13.1

Your personal data may be transferred to and processed in countries outside Nigeria — including the USA and EU — by our Sub-Processors (Google Gemini, AWS S3, Resend, Meta). Nigeria has not made adequacy decisions in respect of these jurisdictions.

13.2

For all international transfers, Resida ensures appropriate safeguards under NDPA Schedule 2, including: Standard Contractual Clauses (SCCs) with each Sub-Processor; verification that Sub-Processors maintain appropriate security certifications (ISO 27001, SOC 2, PCI-DSS, GDPR compliance); and data minimisation — only the minimum necessary data is transmitted per purpose.

13.3

You may obtain further information about international transfer safeguards by contacting privacy@resida.app.

14. Data Retention Schedule

14.1

ACCOUNT DATA: Retained for account lifetime plus 5 years from closure (Nigerian financial regulations).

14.2

KYC DOCUMENTS: Account lifetime plus 5 years from closure (AML/KYC requirements). Rejected applicants who never activated: 90 days.

14.3

FINANCIAL TRANSACTION RECORDS: Retained indefinitely on the primary ledger for audit; archived to cold storage after 7 years.

14.4

AUDIT LOGS: Retained indefinitely. Immutable — cannot be deleted by any user including Super Admins.

14.5

IN-PLATFORM CHAT MESSAGES: 3 years from last message in the thread, then deleted.

14.6

WHATSAPP LOGS (Inbound & Outbound): 90 days from message timestamp.

14.7

REDIS SESSION DATA: OTP: 5-minute TTL. Sessions: 60-minute TTL. Refresh tokens: 7-day TTL. WhatsApp sessions: 30-minute TTL. All auto-purged at TTL expiry.

14.8

AI-GENERATED METADATA: Retained for lifetime of the associated entity (user account, property, lease). Deleted with the entity.

14.9

GPS CHECK-IN DATA (Cleaners): 12 months from cleaning task date.

14.10

ESTATE GATE LOGS: 12 months from gate event date.

14.11

PROPERTY PHOTOS AND FILES: 12 months after a property is permanently deleted. KYC documents per clause 14.2.

15. Your Rights Under the NDPA 2023

15.1

RIGHT OF ACCESS (NDPA s.34(1)(a)): Request a copy of all personal data we hold, including purposes, categories, recipients, retention period, and source.

15.2

RIGHT TO RECTIFICATION (NDPA s.34(1)(b)): Request correction of inaccurate or incomplete data. Many fields can be updated directly in account Settings.

15.3

RIGHT TO ERASURE (NDPA s.34(1)(c)): Request deletion of data no longer necessary, where consent is withdrawn, or where processing was unlawful — subject to legal retention obligations (audit logs, financial records, KYC) which override this right.

15.4

RIGHT TO RESTRICT PROCESSING (NDPA s.34(1)(d)): Request restriction while accuracy is contested, processing is unlawful but erasure is contested, or an objection is pending.

15.5

RIGHT TO DATA PORTABILITY (NDPA s.34(1)(e)): Request your personal data in a structured, machine-readable format (JSON or CSV) for data processed on the basis of consent or contract.

15.6

RIGHT TO OBJECT (NDPA s.34(1)(f)): Object to processing based on legitimate interests. Resida will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

15.7

RIGHT NOT TO BE SUBJECT TO SOLELY AUTOMATED DECISIONS (NDPA s.34): Resida does not make significant decisions solely by automated means. You may request human review of any decision that has significantly affected you.

15.8

HOW TO EXERCISE YOUR RIGHTS: Email privacy@resida.app with subject line "Data Subject Request — [Right Name]". Resida acknowledges within 5 business days and responds substantively within 30 days. We may request proof of identity.

15.9

COMPLAINTS: If unsatisfied with Resida's response, lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.

16. Security Measures

16.1

Technical and organisational measures include: (a) TLS 1.2+ encryption for all data in transit. (b) bcrypt password hashing with salt — plain-text passwords never stored. (c) Short-lived JWT tokens with Redis-backed real-time blocklist for instant revocation on logout. (d) Single-use 6-digit OTP codes valid for 5 minutes, hashed before storage. (e) Row-level SELECT FOR UPDATE locks on all wallet operations to prevent race conditions. (f) Paystack webhooks verified via HMAC-SHA512 against x-paystack-signature before any state change. (g) Immutable audit log on all critical actions (wallet changes, lease changes, KYC decisions, role changes). (h) RBAC enforced on every API endpoint via FastAPI dependency injection. (i) No raw card numbers, BVN, or passwords stored — always processed or hashed.

16.2

Resida uses containerised infrastructure (Docker) with environment-variable-based secret management. Secrets are never hardcoded. Source code is in a private GitHub repository with branch protection and CI/CD via GitHub Actions.

16.3

While Resida takes reasonable precautions, no internet-based system is completely secure. You are responsible for keeping your credentials confidential and using a secure device and network.

17. Data Breach Notification

17.1

In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, Resida will: (a) Notify the NDPC within 72 hours of becoming aware, in accordance with NDPA s.40; and (b) Notify affected data subjects without undue delay where the breach is likely to result in high risk.

17.2

Breach notifications will include: nature of the breach; categories and approximate number of individuals and records affected; likely consequences; and measures taken or proposed.

17.3

To report a suspected security incident, contact security@resida.app. Our incident response team acknowledges within 4 hours and begins investigation within 12 hours.

18. Cookies and Tracking Technologies

18.1

STRICTLY NECESSARY COOKIES: HTTP-only session cookies and local storage are used to maintain your authenticated session (access and refresh tokens). These are required for the Platform to function and cannot be disabled without logging you out.

18.2

The Platform does not use third-party advertising cookies, tracking pixels, or cross-site behavioural tracking scripts.

18.3

The Public Discovery Portal (Next.js) may use lightweight anonymised analytics cookies to measure content performance. No personal data is attached to these records.

18.4

If Resida adds new cookie types, we will update this Policy and display a cookie consent banner before placing non-essential cookies.

19. Children's Privacy

19.1

The Platform is intended for users aged 18 and over. We do not knowingly collect or process personal data from individuals under 18.

19.2

If you believe a person under 18 has created an account, contact privacy@resida.app immediately. We will investigate and, if confirmed, delete the data and close the account within 14 days.

20. Marketing Communications

20.1

Resida may send promotional communications (new features, offers, market reports) by email, SMS (Termii), or WhatsApp to users who have opted in.

20.2

Opt out at any time by: clicking "Unsubscribe" in any marketing email; sending UNSUBSCRIBE to our WhatsApp Business number; updating notification preferences in account Settings; or emailing privacy@resida.app with subject "Opt-Out — Marketing".

20.3

Opting out of marketing does not affect transactional messages (rent receipts, security alerts, KYC status, booking confirmations), which are essential to the contract and cannot be opted out of while your account is active.

21. Data Protection Officer

21.1

Resida has appointed a Data Protection Officer (DPO) as required under the NDPA 2023. The DPO oversees Resida's data protection programme, advises on data protection impact assessments, responds to Subject Access Requests, liaises with the NDPC, and manages data breach response.

21.2

DPO contact: privacy@resida.app. Requests acknowledged within 5 business days, substantive response within 30 days.

21.3

Resida is registered with the Nigeria Data Protection Commission as a Data Controller under the NDPA 2023.

22. Changes to This Privacy Policy

22.1

Resida may update this Privacy Policy to reflect changes in data processing practices, legal requirements, or Platform features.

22.2

Material changes will be communicated by email to your registered address at least 30 days before they take effect, with an in-platform notice.

22.3

Non-material changes (clarifications, typographical corrections, updated Sub-Processor addresses) may be made without notice and will be reflected in the "last updated" date.

22.4

Previous versions of this Policy are available on request from privacy@resida.app.

23. Complaints and Contact

23.1

For privacy concerns, contact our DPO at privacy@resida.app. We will investigate and respond within 30 days.

23.2

If unsatisfied with our response, lodge a complaint with the Nigeria Data Protection Commission (NDPC): Website: ndpc.gov.ng | Address: Plot 1288 Tigris Crescent, Off Aguiyi Ironsi Street, Maitama, Abuja, FCT, Nigeria.

23.3

Contact details: DPO: privacy@resida.app | Support: support@resida.app | Security: security@resida.app | Disputes: disputes@resida.app | Legal: legal@resida.app