Introduction
Cognyfai Limited ("Cognyfai", "we", "us", or "our") is committed to protecting your personal information. This Privacy Policy explains how we collect, use, process, store, share, and protect personal data when you use the Heimly platform (the "Platform").
This Policy complies with the Nigeria Data Protection Act (NDPA), 2023 and applies to all Users of the Platform, including Landlords, Developers, Agents, Tenants, and Buyers.
By using the Platform, you consent to the collection and use of your data as described in this Policy. If you do not agree, please discontinue your use of the Platform.
Who We Are / Data Controller
Cognyfai Limited is the Data Controller responsible for your personal data under this Policy.
Registered Address: 5 Chief Umoh Assiak Street, Shelter Afrique Ext, Uyo, Akwa Ibom State, Nigeria.
Privacy Contact: info@heimly.ng
What Personal Data We Collect
We collect personal data in the following categories:
Account & Identity Data
- Full name, email address, and profile image (including from Google when you use Sign in with Google)
- Password (stored in hashed form; we never store plain-text passwords; not required if you sign in only via Google)
- Google account identifier when you register or sign in with Google
- Primary role (Landlord, Agent, Real Estate Broker, Real Estate Company, Tenant, or Buyer)
- User code (e.g., USR-XXXXXX)
KYC / Identity Verification Data
- KYC status and KYC verification timestamps
- CAC registration status and CAC verification timestamps
Organization & Business Data (B2B Users)
- Organization name, type, and company registration number (for companies)
- Company size and company verification status
- Team member data (names, emails, roles)
Property & Listing Data
- Property details: address, coordinates, price, size, description, property type, amenities
- Property media: photographs and videos
- Property verification documents (Certificate of Occupancy, Deed of Assignment, Utility Bills, Land Survey Plans)
- Property Trust Score, publication status, and approval/rejection records
Tenant Management Data
- Offer details (rent, service charges, tenancy dates)
- Application records (including review notes, approval/rejection reasons, withdrawal reasons)
- Lease details (start/end dates, rent type, service charge)
- Lease documents (uploaded PDFs or Word files)
- Lease signing data (signer names, emails, signature data, timestamps)
- Maintenance request records (description, category, priority, status, photos, audit trail)
Payment Data
- Payment reference numbers, amounts (NGN), and payment status
- Paystack transaction metadata (stored for auditing)
- Subscription plan history and billing records
- Saved payment card tokens (handled by Paystack; Heimly does not store full card details)
Messaging & Communication Data
- Messages sent and received through the Platform
- File attachments shared in conversations
- Message read status and timestamps
Usage & Technical Data
- Search queries, saved searches, and search history
- Browsing behaviour on the Platform (pages visited, features used)
- IP address, device type, browser type, and operating system
- Login activity and session logs
How We Collect Your Data
We collect data:
- Directly from you — when you register, create a listing, submit a KYC document, apply for a property, make a payment, or contact us.
- Automatically — via cookies, analytics trackers, and server logs when you access the Platform.
- From third parties — from Google when you choose Sign in with Google; from QoreID (NIN and CAC verification status); from Paystack (payment processing); and when team members are invited to join your Organization.
Lawful Basis for Processing
Under the NDPA 2023, we process your data on the following lawful bases:
| Processing Activity | Lawful Basis |
|---|---|
| Account registration and management | Contract |
| KYC / identity verification | Legitimate Interest & Legal Obligation |
| Property listing management | Contract |
| Platform security and fraud prevention | Legitimate Interest |
| Sending transactional notifications | Contract |
| Sign in with Google | Contract & Consent |
| Website analytics (Google Analytics) | Legitimate Interest & Consent |
| Sending marketing communications | Consent |
| Compliance with Nigerian law | Legal Obligation |
How We Use Your Data
We use your personal data to:
- Create and manage your account and Organization;
- Facilitate the property management lifecycle (offers, applications, leases, maintenance, payments);
- Conduct identity and company registration through the Platform's review process and QoreID;
- Calculate and display Trust Scores;
- Process subscriptions via Paystack;
- Enable in-app messaging between Users;
- Detect, investigate, and prevent fraudulent activity and policy violations;
- Provide customer support;
- Send transactional notifications (lease updates, payment confirmations, maintenance updates);
- Improve the Platform's features and user experience (using aggregated, anonymised analytics data);
- Comply with applicable Nigerian laws and respond to lawful requests from authorities.
Third-Party Services
The Platform integrates with the following key third-party services:
| Service | Purpose | Their Privacy Policy |
|---|---|---|
| Paystack | Payment processing | paystack.com/privacy |
| QoreID | Identity verification and company registration | qoreid.com/privacy-policy |
| AWS S3 | File & media storage | aws.amazon.com/privacy |
| Google (Sign in with Google) | Account authentication via OAuth | policies.google.com/privacy |
| Google Analytics 4 | Website usage analytics | policies.google.com/privacy |
Heimly is not responsible for the privacy practices of third-party services. We encourage you to review their respective policies.
Google User Data (Sign In with Google)
When you choose Continue with Google on the Platform, you authorise Heimly (as registered on the Google OAuth consent screen) to access limited information from your Google account. This section describes how we handle that data in compliance with the Google API Services User Data Policy, including its Limited Use requirements.
Data Accessed
With your consent, we access only the Google user data required for authentication and account management, typically including:
- Your Google account identifier (subject ID)
- Email address
- Full name
- Profile picture URL
The exact fields match the permissions shown on Google's consent screen when you sign in (commonly email, profile, and openid scopes). We do not request access to your Google Drive, Gmail, Calendar, Contacts, or other Google services beyond what is needed to sign you in.
How We Use Google User Data
We use Google user data solely to:
- Create and authenticate your Heimly account;
- Display your name and profile photo on the Platform;
- Communicate with you about your account and Platform activity;
- Prevent fraud, abuse, and unauthorised access;
- Provide the features and services you request on the Platform.
We do not use Google user data for serving advertisements, building unrelated advertising profiles, or any purpose unrelated to providing and improving the Platform's core authentication and account features.
How We Share Google User Data
We do not sell Google user data. We do not share it with third parties for their independent marketing purposes. We share it only:
- With infrastructure and service providers (e.g., cloud hosting, email delivery) that process data on our behalf under contractual confidentiality and security obligations;
- Between Platform users only as described elsewhere in this Policy (e.g., your public profile or messages you send);
- When required by applicable law or a valid legal process.
Storage & Protection
Google sign-in data is stored on our secure servers alongside your Heimly account record. Data is transmitted over encrypted connections (HTTPS/TLS). Authentication sessions use secure, HTTP-only cookies. Access to stored data is restricted to authorised personnel and systems required to operate the Platform.
Retention & Deletion
We retain Google-linked account data while your Heimly account is active and as described in the Data Retention section. When you delete your Heimly account or request erasure, we delete or anonymise associated personal data subject to legal retention requirements (e.g., financial records).
To request deletion of your Heimly account and associated data, email info@heimly.ng. You may also revoke Heimly's access to your Google account at any time via Google Account permissions. Revoking Google access does not automatically delete your Heimly account; contact us if you wish to delete your account entirely.
Google Analytics
We use Google Analytics 4 (GA4) to understand how visitors use the Platform so we can improve performance, features, and user experience. GA4 is separate from Sign in with Google — analytics data is not used to re-identify you for advertising based on your Google sign-in profile.
Data Collected
Through GA4, Google may collect or process information such as:
- Pages visited, referral source, and time on site
- Device type, browser, and operating system
- Approximate geographic location (derived from IP address)
- Interaction events (e.g., clicks, scrolls) on the Platform
- Analytics cookies (e.g., _ga, _gid)
We configure GA4 with IP anonymisation enabled. See our Cookie Policy for cookie details.
How We Use Analytics Data
We use GA4 data to:
- Measure traffic and feature usage in aggregated form;
- Diagnose technical issues and improve page performance;
- Make informed product decisions.
We do not use Google Analytics data to sell personal information or for third-party advertising on the Platform.
Sharing & Processing
Analytics data is processed by Google LLC as our analytics provider. Google may process data on servers outside Nigeria. For how Google uses data from sites that use its services, see How Google uses information from sites or apps that use our services.
Retention & Your Choices
GA4 event data is retained according to our Google Analytics property settings (typically up to 14 months, configurable in our GA4 admin console). You can:
- Control cookies through your browser settings (see our Cookie Policy);
- Install the Google Analytics opt-out browser add-on;
- Contact us at info@heimly.ng with privacy questions.
Data Retention
We retain your personal data for as long as:
- Your account is active; or
- It is necessary to provide our services and fulfil active contracts; or
- We are required to retain it under Nigerian law.
Specific retention periods:
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 5 years after closure |
| KYC documents | 5 years after account closure (legal compliance) |
| Lease & payment records | 7 years (standard financial record-keeping under CAMA) |
| Maintenance request records | 3 years after resolution |
| Chat messages | 2 years after the conversation is archived |
| Search history | 12 months |
| Google sign-in profile data | Duration of account + retention periods in Account information row above |
| Google Analytics event data | Up to 14 months (per our GA4 property settings) |
You may request earlier deletion of certain data subject to our legal obligations.
Data Security
We implement appropriate technical and organisational security measures to protect your data, including:
- Encrypted data storage and transmission (HTTPS/TLS);
- Hashed passwords (never stored in plain text);
- Access controls limiting data access to authorised personnel only;
- Regular security reviews.
However, no internet-based system is completely secure. We cannot guarantee absolute security and are not liable for unauthorised access resulting from events outside our reasonable control.
In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify affected Users and the Nigeria Data Protection Commission (NDPC) in accordance with the NDPA 2023.
Your Data Subject Rights
Under the NDPA 2023, you have the following rights:
| Right | Description |
|---|---|
| Right of Access | Request a copy of the personal data we hold about you. |
| Right to Rectification | Request correction of inaccurate or incomplete data. |
| Right to Erasure | Request deletion of your data (subject to legal retention obligations). |
| Right to Object | Object to processing based on legitimate interest, including marketing. |
| Right to Portability | Receive your data in a structured, machine-readable format. |
| Right to Withdraw Consent | Withdraw consent at any time where processing is based on consent. |
| Right to Complain | Lodge a complaint with the Nigeria Data Protection Commission (NDPC). |
To exercise any right, contact us at info@heimly.ng. We will respond within 30 days of receiving your request.
Children's Privacy
The Platform is strictly intended for, and restricted to, individuals aged 18 and older. We do not intentionally or knowingly collect, solicit, or process personal data from minors. By using the Platform, you represent and warrant that you meet this age requirement. If we discover or are notified that an individual under 18 has created an account, we reserve the right to immediately terminate the account and permanently delete all associated personal data without prior notice. If you believe a minor has accessed the Platform, please contact us immediately at info@heimly.ng.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through:
- A notice on the Platform; and/or
- An email to your registered address at least 14 days before the change takes effect.
Your continued use of the Platform after the effective date constitutes acceptance.
Contact Us / How to Complain
For privacy-related questions, data subject requests, or complaints:
Cognyfai Limited — Privacy Team
Email: info@heimly.ng
Address: 5 Chief Umoh Assiak Street, Shelter Afrique Ext, Uyo, Akwa Ibom State, Nigeria.
If you are not satisfied with our response, you may lodge a complaint with the:
Nigeria Data Protection Commission (NDPC)
Website: ndpc.gov.ng
Email: info@ndpc.gov.ng