Privacy Policy

iAriya.com Limited is a company duly incorporated under the Companies and Allied Matters Act, 2020 (CAMA), with its registered office at 118, Murtala Mohammed Way, Ebute Metta, Lagos 101212. We are the Data Controller for personal data collected through the Platform within the meaning of the NDPA / NDPR. Where we engage third parties to process data on our behalf (e.g. payment processors, email senders, hosting providers), they act as Data Processors under binding written agreements that mirror the protections set out in this policy.

We process your personal data on one or more of the following lawful bases under §25 NDPA:

• Your consent — for marketing, optional features and certain cookies.
• Performance of a contract — to deliver bookings, ticketing and payouts.
• Legitimate interests — fraud prevention, platform safety, analytics.
• Compliance with a legal obligation — tax, AML, regulator requests.
• Vital interests — to protect a person from imminent harm at an event.

• Identity & contact: name, email, phone, profile picture, country/state, role (attendee, planner, provider, venue owner, stay host, super admin).
• Account & verification: password (hashed with bcrypt), KYC documents, business name, CAC registration number where applicable.
• Listings & content: events, venues, services, stays, shop products, AI Showcase renditions, gallery uploads, reviews, ratings.
• Transactional: bookings, ticket purchases, payouts. We do not store full card numbers — payments are tokenised by Flutterwave/CBN-licensed PSPs.
• Communications: in-platform messages, RSVP responses, email content sent via SendGrid, support correspondence.
• Device & usage: IP address, user agent, OS, referring URL, pages visited, AI-credit usage, cookies and similar identifiers.
• Location: precise location only with consent (e.g. "find venues near me"); approximate location derived from IP otherwise.

We do not knowingly collect data from children under 18. If you believe we have, contact us immediately at eventops@iariya.com.

• Provide, secure and improve the Platform and customer support.
• Process bookings, ticket sales, refunds, payouts and platform commissions.
• Verify partner identity (KYC) and prevent fraud, money-laundering or terror financing under the Money Laundering (Prevention and Prohibition) Act, 2022.
• Send transactional emails, RSVP invitations, reminders and platform announcements.
• Generate AI assets (share cards, venue showcases, marketing copy) when you opt in.
• Comply with the Federal Inland Revenue Service (FIRS), the Nigeria Data Protection Commission (NDPC), Central Bank of Nigeria (CBN) directions, court orders or other lawful demands.

We use first-party and third-party cookies, local storage, and tracking pixels for: (a) strictly necessary functions (auth, cart, security); (b) preferences (language, currency); (c) analytics (page views, conversion); (d) advertising (limited to campaigns the platform itself runs). You can refuse non-essential cookies through your browser controls. Refusing strictly-necessary cookies will impair core functionality such as sign-in.

We share personal data only as needed:

• Other users: when you book a vendor, your name, contact and event brief are shared with that vendor; vendors' public profile, ratings and listings are shared with attendees.
• Service providers: Flutterwave (payments), SendGrid (transactional email), Google Maps (map rendering), Cloud hosting providers (data storage), Emergent LLM proxy (AI features). All bound by data processing agreements.
• Authorities: NDPC, FIRS, CBN, EFCC, NPF — only when compelled by valid Nigerian law.
• Corporate transactions: in a merger, acquisition, restructuring or asset sale, your data may be transferred to the successor entity, subject to this policy.

We do not sell your personal data.

Some of our processors (e.g. SendGrid, the Emergent LLM gateway, cloud hosting) operate outside Nigeria. Such transfers are made under §41 NDPA using one of: (i) an adequacy decision by the NDPC, (ii) Standard Contractual Clauses, (iii) Binding Corporate Rules, or (iv) your explicit informed consent. We require all transferees to provide a level of protection equivalent to the NDPA.

We retain personal data only as long as necessary for the purposes set out above. By default:

• Active accounts — for the lifetime of the account.
• Closed accounts — 12 months from closure (longer where required by law).
• Transaction records — 7 years from the transaction date (FIRS / CBN tax & AML requirements).
• Marketing preferences — until you withdraw consent.
• Server logs — 90 days, then anonymised.

Under §32–§40 NDPA you have the right to:

• access a copy of your data and information about how we process it;
• rectify inaccurate or incomplete data;
• erase your data ("right to be forgotten") subject to legal retention obligations;
• restrict or object to processing, including for direct marketing;
• portability — receive your data in a structured, machine-readable format;
• withdraw consent at any time without affecting prior lawful processing;
• not be subject to a decision based solely on automated processing (including AI-credit and pricing decisions) where such decision produces a legal or similarly significant effect — you may request human review.

To exercise any right, email eventops@iariya.com. We will respond within 30 days and free of charge in most cases.

We apply technical and organisational measures appropriate to the risk, including: bcrypt password hashing, JWT-based session tokens, HTTPS-only transport, role-based access control, rate-limiting, input sanitisation against the OWASP Top 10, and encrypted backups. No system is perfectly secure; breach detection and notification follow §40 NDPA — we will notify the NDPC within 72 hours and, where the breach is high-risk, notify you without undue delay.

If you are not satisfied with how we handle your personal data, you may lodge a complaint with the Nigeria Data Protection Commission (NDPC): No. 5 Lome Crescent, Wuse Zone 7, Abuja, FCT — Nigeria · ndpc.gov.ng · info@ndpc.gov.ng.

We may update this Privacy Policy to reflect changes in law, technology or our practices. The "Last updated" date at the top will always reflect the most recent revision. Material changes will be communicated by email and an in-platform notice at least 14 days before they take effect.