Privacy Policy

MN Luxe Home is committed to protecting your privacy. This policy explains what personal data we collect, why we collect it, how we use and share it, and the rights you have over it. It applies to the MN Luxe Home website, mobile apps, dashboards (user, agent, agency, creator, admin) and all related services.

We comply with the Nigeria Data Protection Act 2023 and the Nigeria Data Protection Regulation (NDPR). Where we serve users in the United Kingdom or European Economic Area we also align with the UK GDPR and EU GDPR principles.

The categories of data we may collect:

• Account data — name, email, phone, WhatsApp, role, profile photo, password hash, sign-in history, 2FA factor metadata.
• Listing data — property details you publish: title, description, price, address, photos, videos, floor plans, availability.
• Booking data — guest details, dates, party size, special requests, booking history, refund records, dispute notes.
• Payment metadata — Paystack reference IDs, amount, currency, authorization fingerprint, transaction status. We never store full card numbers.
• KYC / verification documents — government ID, business registration, property title, utility bills, live selfie / video, GPS coordinates captured during a walkthrough. Stored privately. See Verification Policy.
• Communications — inquiries, messages, support tickets, WhatsApp click events (anonymised before send-on), email opens / clicks if you receive marketing email.
• CRM leads — when an agent or agency is paying for CRM, we log lead details (name / phone / email if shared, source, conversation history) on the agent’s behalf.
• Security and audit — IP addresses, device, user-agent, rate-limit events, security events (login, MFA, role change), append-only audit log.
• Cookies and analytics — see the Cookie Policy.

We use personal data to:

• Create and operate your account.
• Run the marketplace, listings, search, bookings, payments, and refunds.
• Run verification, KYC, and trust-and-safety checks.
• Detect and prevent fraud, abuse, and policy violations.
• Comply with legal obligations, tax, and law-enforcement requests.
• Send service emails (booking confirmations, payment receipts, security alerts) — these are required to operate the Platform and cannot be unsubscribed from.
• Send marketing emails / launch updates where you have opted in. You can opt out at any time from your account settings.
• Improve the Platform, fix bugs, and analyse aggregated usage trends.

Where required, we rely on a clear lawful basis under the Nigeria Data Protection Act and UK GDPR:

• Contract — to deliver the Platform, complete bookings, take payment, and provide support.
• Legitimate interest — to keep the Platform safe and fraud-free, to improve usability, and to recover overdue accounts.
• Consent — for marketing communications, non-essential cookies, and optional location features.
• Legal obligation — to comply with anti-money-laundering, tax, and regulatory requirements.

Every consent you give is logged with a version stamp so you can see what you agreed to, when, and from which device. You can withdraw consent at any time via Notification preferences or /data-request.

To verify agents, agencies, properties, and creator payouts we may ask for identity documents, business documents, proof of ownership, a live selfie / video, and GPS coordinates captured during a property walkthrough. We use that data to:

• Confirm you are who you claim to be.
• Confirm a property exists at the address shown.
• Help guests trust the listing.
• Comply with KYC / AML obligations.

Documents are stored in a private Supabase Storage bucket. Only authorised MN Luxe Home staff with a verified role and recent 2FA verification can access them. Documents are deleted on request unless we are legally required to retain them.

When you click a WhatsApp button on a listing we log the click (listing id, your user id if signed in, an anonymous session id otherwise) so the agent can follow up and so we can detect spam. We do not see the contents of your WhatsApp messages.

CRM lead records are visible only to the agent or agency that owns the listing and to authorised admins. You can request deletion at any time.

We use a small number of essential cookies to keep you signed in and to protect against fraud, plus optional analytics and marketing cookies where you have consented. Full details and category-by-category controls are in the Cookie Policy.

• Account data — kept while your account is active and for up to seven (7) years after closure where we have a legal / tax obligation.
• Booking and payment data — up to seven (7) years for accounting and anti-fraud purposes.
• Verification documents — until verification expires, the account is deleted, or you ask us to remove them — whichever is sooner — unless retention is legally required.
• Security and audit logs — append-only and retained for up to twenty-four (24) months for investigation purposes.
• Marketing logs — opens / clicks retained for up to twelve (12) months.

Under NDPR and (where it applies) UK GDPR you have the right to:

• Access the data we hold about you.
• Correct inaccurate data.
• Erase your data (subject to legal exceptions).
• Restrict or object to processing.
• Receive your data in a portable format.
• Withdraw consent for marketing or non-essential cookies.
• Complain to your national data-protection authority.

The fastest way to exercise any of these rights is via /data-request. We respond within thirty (30) days.

We share personal data with a small number of trusted processors, all under contract:

• Supabase — managed Postgres, authentication, storage, edge functions.
• Paystack — payment processing, card authorisation, transfers.
• Resend — transactional email delivery (where enabled).
• Cloudflare — DNS, CDN, edge runtime.
• Vercel — application hosting (where deployed).
• Mapbox — map tiles, geocoding.
• Plausible / Google Analytics — privacy-aware web analytics, only where you have consented.
• Smile ID — identity verification, where enabled.

We never sell personal data. We only share data with processors who provide a service to MN Luxe Home.

Some processors operate outside Nigeria. Where data leaves Nigeria we ensure equivalent protections through contractual safeguards (standard contractual clauses, processor agreements) consistent with NDPR and UK GDPR rules.

We protect your data with strict access controls, encryption in transit, hashed passwords, two-factor authentication for sensitive roles, append-only audit logs, rate-limiting on authentication and payments, and a strict content security policy on the web. Despite this, no system is perfectly secure. Please report suspected breaches to our privacy email immediately.

MN Luxe Home is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has signed up, contact us and we will delete the account.

We may update this policy from time to time. Material changes will be announced on the Platform and, where appropriate, by email. The “Last updated” date at the top reflects the latest revision. Your continued use of the Platform after the effective date confirms acceptance.

For privacy questions, data-protection complaints, or to exercise any of the rights above, use the contact strip below or visit /data-request.