Privacy Policy

Last updated: 28 April 2026.

This Privacy Policy describes how Qace Homes ("we", "us", "our") collects, uses, discloses, and safeguards your information when you use our property-management software platform (the "Service"). It applies to landlords, property managers, business administrators, employees, tenants, owners, vendors, and any other person whose information passes through the Service.

We operate the Service in Nigeria and South Africa. References below to the NDPA are to the Nigeria Data Protection Act 2023; references to POPIA are to South Africa's Protection of Personal Information Act 4 of 2013. Where you are based outside these jurisdictions, we apply the same standards as a baseline.

If you do not agree with this Policy, please do not use the Service.

Who is the controller of your data

When a property-management business (a "Workspace") signs up for the Service and uploads information about its properties, units, leases, tenants, owners, and vendors, that business is the data controller ("responsible party" under POPIA) for that information. Qace Homes acts as the data processor ("operator" under POPIA), processing the information on the Workspace's behalf and according to its instructions.

For information you submit to us directly — for example as a Workspace owner registering for the Service, or as a tenant accepting an invitation — Qace Homes is the controller.

This Policy covers both roles.

What we collect

We collect the following categories of personal information:

• Account information — full name, email address, phone number, password (stored as a salted hash, never in plain text), display name, profile photo (optional).
• Workspace and tenancy information — organisation name and type (individual landlord, business), property addresses, unit details, lease terms, rent amounts and schedules, tenant and owner contact details, occupancy history, payment history, maintenance request history.
• Identity verification — where required for tenant onboarding or commercial verification, copies of government-issued ID, proof of address, or proof of income, uploaded by the responsible Workspace.
• Payment and financial information — bank account details for invoicing, references attached to bank-transfer payments, screenshots of payment proof. We do not store credit-card numbers or card-verification codes; if a card-payment integration is used in future, that integration will be operated by a PCI-DSS-compliant payment processor and card data will not pass through our servers.
• Device and usage information — IP address, user-agent, pages visited, timestamps, error logs, device identifiers for our mobile app, and cookies (see our Cookie Policy).
• Communications — emails, in-app messages, and support tickets you exchange with us, plus any attached documents.
• Public-portfolio visitor information — for visitors to a public portfolio link, we collect a hashed, truncated version of the IP address (/24 for IPv4), country derived from that IP, the user-agent, and the referring URL. Raw IP addresses are not retained.

We do not collect special-category ("sensitive") personal information unless a Workspace uploads it (for example, an ID document containing biometric data). When this happens, the Workspace is responsible for the lawful basis of that processing under NDPA section 30 / POPIA section 26.

We do not knowingly collect information from children under 16. If you believe a child has supplied us with personal information without parental consent, contact us and we will delete it.

How we use the information

We use personal information to:

• provide, maintain, and improve the Service, including delivering features that the responsible Workspace has configured (invoicing, lease tracking, payment matching, maintenance routing, public listings, notifications);
• authenticate you, prevent fraud, and protect the security of accounts and data;
• communicate with you about your account, transactions you initiate, security alerts, and changes to terms or this Policy (these are not marketing messages and you cannot opt out of them while you have an active account);
• send service updates and product announcements where you have consented to receive them — you may opt out at any time from the Settings page or by clicking "unsubscribe" in any such email;
• comply with legal obligations, respond to lawful requests from public authorities, and enforce our Terms of Service;
• generate aggregated, de-identified analytics that we may publish (for example, "average rent in Lagos in Q3 2026"). De-identified data is not personal information for the purposes of NDPA/POPIA.

We do not sell personal information. We do not "share" personal information for cross-context behavioural advertising as defined under any current African data-protection law.

Lawful basis for processing

Where the NDPA or POPIA requires us to identify a lawful basis (or, under POPIA, a "lawful ground" under section 11), the bases we rely on are:

• Performance of a contract with you — to provide the Service after you accept the Terms.
• Compliance with a legal obligation — for record-keeping, tax, anti-money-laundering, or court-ordered disclosure.
• Legitimate interest — for fraud prevention, network security, abuse detection, and product improvement, where those interests are not overridden by your rights and freedoms.
• Your consent — for marketing communications, optional analytics cookies, and any non-essential profile information you choose to add. Consent can be withdrawn at any time without affecting prior processing.

For tenants, owners, and other individuals invited into a Workspace, the Workspace's lawful basis governs the processing it directs. We process on its behalf, under contract, and only for the purposes it has set.

Who we share information with

We share personal information only as follows:

• Within a Workspace. Information about a property, lease, tenant, owner, or vendor is visible to other authorised members of the same Workspace, scoped by their role.
• With sub-processors who operate parts of our infrastructure. These include our cloud hosting provider, our database provider, our email-delivery provider, our error-monitoring provider, and our SMS/push-notification provider. Each is bound by a written agreement that mirrors the obligations of this Policy and prohibits use of the data for any other purpose. A current list of sub-processors is available on request.
• With AI inference sub-processors. The Qace Homes AI Assistant feature sends your natural-language prompts and the results of portfolio data lookups to one of the following third-party AI inference providers, depending on your configuration tier: Google AI Studio (Gemini) (development and free-tier path), Groq Cloud (low-latency open-source model inference), and OpenRouter (multi-provider routing layer used in production). Your prompts and the resulting tool-call results are sent to the configured provider only for the duration of the request; we do not allow these providers to train models on your data on paid tiers. Personally identifying information — including national ID numbers, full bank account numbers, and card numbers — is redacted from tool returns before they are sent to any AI provider. See the PII redaction section in our documentation for the full field matrix.
• With your consent or on your direction — for example, when you explicitly share a portfolio link, an application link, or a viewing-booking link with a third party.
• For legal reasons — when we believe in good faith that disclosure is required to comply with a court order, statute, or government request, or to protect the rights, property, or safety of Qace Homes, our users, or the public.
• In a corporate transaction — if Qace Homes is involved in a merger, acquisition, financing, or sale of assets, personal information may transfer as part of that transaction. We will notify you of any change of controller and your rights as a result.

We do not transfer personal information outside Nigeria or South Africa except to sub-processors we use. Where transfer to a country without an equivalent data-protection regime is unavoidable, we apply contractual safeguards in line with NDPA section 41 and POPIA section 72.

How long we keep information

We keep personal information for as long as you have an account with us, plus a reasonable period after closure for legal record-keeping, dispute resolution, and tax compliance. The default retention period after account closure is seven years for invoicing and payment records (matching the standard tax-record retention period in Nigeria and South Africa) and 30 days for transient operational logs.

A Workspace administrator may export or delete a Workspace's data at any time from the Settings page, subject to legal-hold obligations.

Your rights

Subject to the applicable law, you have the right to:

• access the personal information we hold about you;
• rectify information that is inaccurate or incomplete;
• erase personal information when there is no longer a lawful basis for processing it;
• restrict or object to processing in certain circumstances;
• port your information to another service in a structured, commonly used, machine-readable format;
• withdraw consent at any time where processing is based on your consent;
• lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng or the South African Information Regulator at inforegulator.org.za.

If you wish to exercise any of these rights against information held by a Workspace, contact the Workspace directly. We will support the Workspace in fulfilling the request.

If you wish to exercise any of these rights against information held by Qace Homes as controller, contact us at the email below. We respond within 30 days.

Security

We protect personal information using industry-standard measures: TLS encryption in transit, encryption at rest for production databases, role-based access control, audit logging, multi-factor authentication for staff accounts, and rotation of credentials. No system is impenetrable, but we maintain a written security programme commensurate with the sensitivity of the data.

If we become aware of a security incident affecting personal information, we will notify the responsible Workspace and, where required, the relevant supervisory authority and affected individuals, within the time limits prescribed by NDPA / POPIA.

Cookies and tracking

We use a small set of cookies that are essential to the operation of the Service (session, anti-CSRF, locale preference). We use no third-party advertising or cross-site tracking cookies. See our Cookie Policy for the full breakdown.

Children

The Service is not directed at children under 16. We do not knowingly process the personal information of children under 16 without verifiable parental consent.

Changes to this Policy

We may update this Policy. The "Last updated" date at the top reflects the most recent change. For material changes, we will give you reasonable notice through the Service and, where appropriate, by email.

Contact us

If you have questions about this Policy, want to exercise a right, or want to make a complaint, contact us:

• Email: privacy@qacehomes.com
• Postal: Qace Homes, [office address — TBD before launch], Nigeria

Our designated Data Protection Officer can be reached at the same email.