Section 1
Controller & Identity
DOT (Digital Okonma Technologies Ltd.) (“NestFlow”, “we”, “our”, or “us”) operates the NestFlow CRM platform, a property management and short-term rental CRM accessible at www.nest-flow-crm.xyz. NestFlow is owned by DOT, Company Registration Number: 9345217.
| Field | Value |
|---|---|
| Company Name | DOT (Digital Okonma Technologies Ltd.) |
| Registered Address | Ibeju/Lekki, Lagos, Nigeria |
| Data Protection Officer | Jim Okonma |
| DPO Contact | jim.okonma@gmail.com |
| Privacy Inquiries | privacy@nest-flow-crm.xyz |
| General Inquiries | hello@nest-flow-crm.xyz |
Section 2
Scope
This policy applies to:
- Platform users: Admins, Receptionists, Agents, and Tenants with accounts on the Service.
- Guests: individuals whose booking or contact data is entered into the platform by a user on their behalf.
- Website visitors: anyone who visits our marketing website or documentation.
- Enterprise clients: companies or individuals who subscribe to the Service to manage their properties.
Section 3
Data We Collect
3.1 Account Registration Data
| Data Field | Purpose | Legal Basis |
|---|---|---|
| First name, Last name | Account identification, communications | Contract performance |
| Email address | Authentication, service notifications | Contract performance |
| Password (bcrypt-hashed) | Authentication; never stored in plain text | Contract performance |
| Role (Admin / Receptionist / Agent / Tenant) | Access control and service delivery | Contract performance |
| Phone number (optional) | Two-factor authentication, communications | Legitimate interests |
| Home / office address (optional) | Profile completion | Legitimate interests |
| Profile photograph (optional, via Cloudinary) | Visual identification within the platform | Consent |
3.2 Tenant-Specific & Agent-Specific Data
Tenants provide additional data required for property check-in compliance:
| Data Field | Purpose | Legal Basis |
|---|---|---|
| Government ID type (Passport, Driver's Licence, National ID) | Identity verification, regulatory compliance | Legal obligation / Contract |
| Identity document number | Identity verification | Legal obligation |
| Identity document file upload (via Cloudinary) | Compliance record-keeping | Legal obligation |
| Emergency contact name, phone, and relationship | Safety and welfare | Legitimate interests |
| Agency name (agents) | Professional identification | Contract performance |
| Real estate licence number (agents) | Regulatory compliance | Legal obligation |
| Commission percentage (agents, if applicable) | Payment calculation | Contract performance |
3.3 Booking & Payment Data
| Data Field | Source | Purpose |
|---|---|---|
| Guest full name, email, phone | User input | Booking record & confirmation |
| Check-in / check-out dates and times | User input | Service delivery |
| Special requests | User input | Service customisation |
| Paystack transaction reference | Paystack | Payment reconciliation |
| Payment status (pending / successful / failed / refunded) | Paystack callback | Booking lifecycle |
| Card type, bank name, last 4 digits | Paystack webhook | Receipt display |
| Payment channel (card / bank transfer) | Paystack webhook | Analytics |
| Amount paid and date/time | Paystack | Financial records |
3.4 WhatsApp & AI Chat Data
| Data Field | Purpose | Legal Basis |
|---|---|---|
| WhatsApp phone number | Message routing, contact identification | Legitimate interests / Contract |
| Display name | Contact identification | Legitimate interests |
| Message content | Service delivery, communication history | Contract performance |
| Prompt text you submit to the AI | AI response generation | Contract performance / Consent |
| AI response content | Service delivery | Contract performance |
| Conversation history | Session continuity | Contract performance |
3.5 Automatically Collected Data
| Data | Retention | Notes |
|---|---|---|
| JWT access tokens (client-side only) | Session duration | Never persisted to server storage |
| Refresh token hashes (bcrypt-hashed) | 7 days or until logout | HttpOnly cookie; hash only |
| Login timestamp | 12 months | Stored in lastLogin field |
| Session IP address | 90 days (audit logs) | Used for anomaly detection |
| User agent string | 90 days (audit logs) | Used for session management |
| Email delivery status (via Resend) | 90 days | Sent / delivered / bounced / failed |
3.6 Data We Do Not Collect
We do not collect the following:
- Biometric data
- Health or medical information
- Precise geolocation (unless voluntarily entered as an address)
- Social media credentials
- Data from children under 16 years of age
Section 4
Legal Bases for Processing
We process personal data under the following legal bases (applicable under GDPR Article 6 and equivalent laws). Where we rely on legitimate interests, we have conducted a balancing test confirming our processing does not override your rights.
| Processing Activity | Legal Basis |
|---|---|
| Creating and managing user accounts | Performance of a contract (Art. 6(1)(b)) |
| Processing bookings and payments | Performance of a contract (Art. 6(1)(b)) |
| Identity document verification for tenants | Legal obligation (Art. 6(1)(c)) |
| Security monitoring, fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Sending transactional emails | Performance of a contract (Art. 6(1)(b)) |
| Sending marketing emails | Consent (Art. 6(1)(a)) |
| Audit logging | Legal obligation / Legitimate interests |
| AI chat processing | Contract / Consent |
| WhatsApp communications | Contract / Legitimate interests |
| Analytics and platform improvement | Legitimate interests (Art. 6(1)(f)) |
| Compliance with tax and financial regulations | Legal obligation (Art. 6(1)(c)) |
Section 5
How We Use Your Data
1. Provide the Service: create and manage accounts, process bookings, handle payments, send notifications, enable staff communications.
2. Verify identity: confirm tenant identity documents to comply with short-stay regulatory requirements.
3. Process payments: initiate and confirm Paystack transactions, track payment status, issue invoices and receipts.
4. Facilitate communications: send transactional emails via Resend, route WhatsApp messages via Meta Business API, provide AI-powered responses.
5. Ensure security: detect and prevent unauthorised access, fraud, and abuse; maintain audit trails.
6. Provide support: diagnose issues using audit logs correlated by request IDs.
7. Comply with legal obligations: maintain financial records, respond to lawful requests from authorities.
8. Improve the Service: aggregate, anonymised analytics on feature usage, error rates, and performance.
We do not sell your personal data to any third party.
Section 6
Data Retention
| Data Category | Retention Period | Deletion Mechanism |
|---|---|---|
| User account data (active) | Duration of account + 30 days | Soft delete → PII erasure on request |
| User account data (deleted) | 30 days post-deletion | Automated purge |
| Booking records | 7 years (financial/legal) | Anonymisation of PII after 7 years |
| Payment transaction records | 7 years (tax regulation) | Retained in anonymised form |
| Identity documents (tenant ID uploads) | Duration of tenancy + 1 year | Cloudinary deletion on erasure request |
| Audit logs (authentication, data access) | 12 months hot / 24 months cold archive | Automated rotation |
| WhatsApp message history | 12 months | Configurable per enterprise client |
| AI chat conversation history | 30 days | Configurable per enterprise client |
| Email delivery logs | 90 days | Automated purge |
| JWT refresh token hashes | 7 days (or logout) | Automatic expiry |
| Anonymised analytics data | Indefinite | Not personally identifiable |
Section 7
Third-Party Sub-Processors
We share data only as necessary with the following sub-processors, all bound by data processing agreements or equivalent contractual protections:
| Sub-Processor | Category | Data Shared | Location | Safeguard |
|---|---|---|---|---|
| Paystack | Payment processing | Email, transaction amount, card metadata | Nigeria / Global | PCI-DSS, contractual DPA |
| Cloudinary | Media storage | File content, metadata (images, ID docs) | USA (Akamai CDN) | Standard Contractual Clauses |
| Resend | Transactional email | Recipient email, email body | USA | DPA, SOC 2 |
| Meta (WhatsApp) | Messaging | Phone number, message content | USA / Global | Meta Data Processing Terms |
| OpenAI (or equivalent) | AI inference | Sanitised prompt text | USA | DPA, SOC 2, GDPR addendum |
| MongoDB Atlas | Database hosting | All application data | AWS / Paris (eu-west-3) | DPA, SOC 2, ISO 27001 |
International Data Transfers
Where sub-processors process data outside your home jurisdiction, we ensure appropriate safeguards:
- Standard Contractual Clauses (SCCs): approved by the European Commission, applied to EEA transfers
- Adequacy decisions: where applicable under GDPR
- NDPR-compliant transfer agreements: for Nigerian data subjects under NDPA 2023
Section 8
Cookies
| Cookie Name | Type | Purpose | Duration |
|---|---|---|---|
| refresh_token | Authentication (HttpOnly, Secure, SameSite=Strict) | Maintains authenticated session | 7 days |
| oauth_state | Security (HttpOnly, Secure, SameSite=Lax) | CSRF protection during OAuth flows | 10 minutes |
| Session cookie | Functional | Application state | Session |
Section 9
Your Rights
GDPR Rights (EEA, UK, Switzerland)
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Request a copy of all personal data we hold | Submit SAR to privacy@nest-flow-crm.xyz |
| Rectification (Art. 16) | Correct inaccurate or incomplete data | Update in profile settings or email us |
| Erasure / Right to be Forgotten (Art. 17) | Request deletion of your personal data | Email with "Data Deletion Request" |
| Restriction (Art. 18) | Restrict processing in certain circumstances | Email privacy@nest-flow-crm.xyz |
| Data Portability (Art. 20) | Receive your data in machine-readable JSON format | Use /account/export endpoint or email us |
| Object (Art. 21) | Object to legitimate interest or direct marketing processing | Email privacy@nest-flow-crm.xyz |
CCPA Rights (California, USA)
California residents have the right to know, delete, opt-out of sale (we do not sell personal information), and non-discrimination. Submit requests to privacy@nest-flow-crm.xyz or call +2349034572737.
NDPR Rights (Nigeria)
Nigerian data subjects have rights under the NDPR 2019 and the NDPA 2023, including access, correction, deletion, and objection. Contact our DPO at privacy@nest-flow-crm.xyz.
Response timeline: We respond to all verifiable data subject requests within 30 days, extendable by a further 60 days for complex requests with notification.
Section 10
Security Measures
Encryption
- TLS 1.2+ for all data in transit (HTTPS enforced)
- AES-256-GCM for PII fields at rest
- bcrypt (cost factor 12) for passwords
- Encrypted MongoDB connections with TLS
Access Control
- RBAC with four distinct roles, verified server-side on every request
- JWT access tokens expire in 15 minutes
- Refresh tokens rotate on every use
- Token reuse detection invalidates all sessions
Infrastructure
- Application containers run as non-root users
- Rate limiting on all endpoints (stricter for auth/AI)
- Input validation via whitelisted DTOs
- NoSQL injection prevention middleware
Monitoring
- Structured audit logs for authentication and data access
- Sensitive data actively redacted from all logs
- Production errors never expose stack traces
- HMAC-SHA256 verification on all webhooks
Section 11
Data Breach Notification
In the event of a personal data breach, we will:
1. Contain the breach and assess the risk of harm to affected individuals.
2. Notify the relevant supervisory authority (e.g., NITDA under NDPR, the ICO under UK GDPR) within 72 hours of becoming aware, where required.
3. Notify affected individuals without undue delay where the breach is likely to result in high risk to their rights and freedoms.
4. Document all breaches in an internal breach register, regardless of whether notification is required.
Section 12
Children's Privacy
The Service is not directed to children under 16 years of age (or a higher age where required by local law). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without verified parental consent, we will delete that data promptly. If you believe we have inadvertently collected data about a child, contact us at privacy@nest-flow-crm.xyz.
Section 13
Changes to This Policy
We may update this Privacy Policy periodically. When we make material changes, we will:
- Update the “Last Updated” date at the top of this document.
- Send an email notification to all registered users for material changes.
- For enterprise clients, provide at least 30 days' advance notice before changes take effect.