Section 1
About this Policy.
1.1 This Privacy Policy describes how Avenor handles personal information about people who interact with it — including visitors to the Avenor website, applicants for membership, current and former Members, and the Visitors and Guests they bring to the network.
1.2 Avenor handles personal information under the Nigeria Data Protection Act 2023 (NDPA) and the regulations made under it by the Nigeria Data Protection Commission (NDPC). Avenor is the Data Controller in respect of personal information processed in connection with its membership operation.
1.3 This Policy is published on the Avenor website and incorporated by reference into the Membership Agreement (clause 1.3 of the Agreement). It binds Avenor. It does not require the Member or any other person to do anything; it tells them what Avenor does and what they can ask for.
1.4 The plain-English commitment that applies to the Membership Agreement applies equally to this Policy. Where a legal concept has a specific meaning under NDPA (such as Data Controller or Personal Data), the term is used with that meaning; otherwise the language is ordinary English.
1.5 Version: 1.0. Date: [date of issue]. Earlier versions, where they applied to a current Member's term, are available on request to hello@avenor.club.
Section 2
What we collect.
Avenor collects different categories of personal information depending on the person's relationship with it. Each category is set out below, with the specific items listed plainly.
2.1 From visitors to the website. When someone visits the Avenor website without applying or logging in, Avenor collects only what is technically necessary to deliver the website (such as the IP address of the requesting browser, the pages requested, and the time of the request). Avenor does not collect a visitor's name, email, or any identifying personal information at this stage.
2.2 From applicants. When someone applies for membership through the application form, Avenor collects:
(a)full name;
(b)email address;
(c)phone number;
(d)city and neighbourhood of residence or work;
(e)the tier the applicant is applying to;
(f)the applicant's written response to the question "how would you use Avenor?";
(g)the applicant's written response to the question "how did you hear of Avenor?";
(h)the name and contact details of a reference, where the applicant has chosen to provide one;
(i)the applicant's confirmation of consent to be contacted as part of the review.
Avenor does not collect, at the application stage, any information about the applicant's income, profession in detail, age, marital or family status, religion, ethnicity, political affiliation, or sexual orientation. The application is reviewed on the basis of fit and seriousness — not on demographic, professional, or financial markers.
2.3 From members (on activation and during membership). When an applicant accepts an offer of membership and completes activation, Avenor collects:
(a)identity verification information sufficient to confirm the Member is the person named in the application (the specific document Avenor may request — for example, a government-issued identification — is determined at the time of activation);
(b)payment information necessary to receive the Annual Fee and Joining Fee, processed through a third-party payment provider (see section 4);
(c)the Member's signed copy of the Membership Agreement and the Joining Terms applicable to them;
(d)an emergency-contact name and phone number (optional, requested at the Member's discretion).
Throughout the membership, Avenor collects records of the Member's bookings — the Homes booked, the dates, the Rooms taken, the Visitors and Guests on each booking, and any Booking Charges arising. Avenor also collects communications between the Member and Avenor (emails, written notes from phone conversations) for the purposes set out in section 3.
2.4 From Visitors and Guests. When a Member sponsors a Guest stay or brings a Visitor on a booking, Avenor collects the name and where relevant the contact details of the Visitor or Guest, sufficient to ensure the Home is expecting them and to identify the persons present in the network. Avenor does not collect further information about Visitors or Guests except what they themselves provide.
2.5 From declined applicants. Where an application is declined, Avenor retains a record of the application and the decision for the period set out in section 5. The same categories of information apply as in clause 2.2.
Section 3
Why we collect it.
Avenor collects each category of personal information for specific purposes. NDPA requires that each purpose be supported by a lawful basis. The purposes and bases applicable to Avenor's processing are set out below.
3.1 To deliver the website. Avenor processes technical visitor information (clause 2.1) to operate the website, maintain its security, and analyse aggregate patterns of use. Legal basis: Avenor's legitimate interest in operating its website (NDPA section 25(1)(f)).
3.2 To review applications. Avenor processes applicant information (clause 2.2) to consider applications for membership, including by conversation with the applicant during the review. Legal basis: the taking of steps at the request of the data subject prior to entering into a contract (NDPA section 25(1)(b)).
3.3 To operate the membership. Avenor processes Member information (clauses 2.3 and 2.4) to deliver the membership under the Membership Agreement — including processing payments, managing bookings, communicating about the Member's account, and resolving issues arising during a stay. Legal basis: performance of a contract to which the data subject is a party (NDPA section 25(1)(b)).
3.4 To verify identity. Avenor processes identity verification information (clause 2.3(a)) to confirm the person joining is the person who applied, and to comply with applicable legal obligations (for example, anti-money-laundering requirements where they apply). Legal basis: compliance with a legal obligation and Avenor's legitimate interest in protecting the network from fraudulent membership (NDPA section 25(1)(c) and (f)).
3.5 To respond to operational issues. Avenor processes Member, Visitor, and Guest information to operate the response described in clauses 8.4 and 8.5 of the Membership Agreement, including coordinating with the operations team, third-party providers, and where necessary emergency services. Legal basis: performance of a contract and where relevant vital interests of a natural person (NDPA section 25(1)(b) and (d)).
3.6 To protect the network. Avenor processes information about Member conduct (including conduct relating to other Members, Visitors, Guests, staff, and contractors) to investigate concerns about safety, harassment, damage, or other material breaches of the Membership Agreement. Legal basis: Avenor's legitimate interest in protecting the network's members and operation (NDPA section 25(1)(f)).
3.7 To keep records. Avenor processes a limited set of information about declined applicants and former Members to maintain records of past relationships, including records sufficient to handle a rejoining application (clause 9.7 of the Membership Agreement) or to defend a claim. Legal basis: Avenor's legitimate interest in maintaining accurate records, balanced against the data subject's rights (NDPA section 25(1)(f)).
3.8 What Avenor does not do. Avenor does not process Member, applicant, or visitor information for the following purposes:
(a)marketing to the Member by third parties;
(b)sale of personal information to third parties for any purpose;
(c)profiling for advertising, lookalike-audience generation, or similar uses;
(d)automated decision-making that produces legal or similarly significant effects on the data subject. Applications are reviewed by a real person; no application is decided by an algorithm.
Avenor will not introduce any of the purposes in clause 3.8 without first updating this Policy and notifying affected data subjects in accordance with section 11.
Section 4
Who we share it with.
Avenor is restrained in the persons and organisations with whom it shares personal information. The categories of recipient are set out below.
4.1 Within Avenor. Personal information is accessible to the staff and contractors of Avenor who need it to perform their work. At the scale of the launch operation, this is a small number of people, including the founder.
4.2 Sub-processors. Avenor engages a small number of third-party service providers to operate specific functions. Each sub-processor handles only the data necessary for its function and is bound by contract to handle that data in accordance with NDPA and this Policy. The current sub-processors are:
(a)Payment processing: [name of payment processor], used to process Annual Fee and Joining Fee payments and Booking Charges.
(b)Email and communications: [name of email/CRM provider], used to send transactional emails and maintain records of correspondence.
(c)Website hosting and infrastructure: [name of hosting provider], used to host the Avenor website and member portal.
(d)Booking system: [name of booking system provider, if external; or "developed in-house"], used to operate the booking system.
(e)Identity verification: [name of identity-verification provider, if used; or "verified manually"], used at activation to verify the identity of a new Member.
The list of current sub-processors is maintained on the Avenor website and updated when a sub-processor is added, removed, or changed. Material changes are notified in accordance with section 11.
4.3 Professional advisers. Avenor shares personal information with its professional advisers — including its legal counsel, accountants, auditors, and where relevant insurers — to the extent necessary for those advisers to provide their services. These advisers are bound by their own professional duties of confidentiality.
4.4 Regulators and law enforcement. Avenor may disclose personal information to regulators (including NDPC) or law enforcement where required by law, by court order, or to respond to a serious safety concern. Avenor does not voluntarily disclose Member information beyond what is legally required.
4.5 Within the network. Avenor does not disclose the identity, residence, or use of the network of one Member to another Member, or to a Visitor or Guest of another Member. Members do not have visibility of each other's bookings, contact details, or activity. The discretion commitment in clause 8.7 of the Membership Agreement applies to all data-handling within the network.
4.6 What Avenor does not do. Avenor does not sell personal information. Avenor does not share personal information with marketing companies, data brokers, advertising platforms, or any third party for the third party's own marketing or commercial purposes. The only categories of recipient are those set out in clauses 4.1 to 4.4.
Section 5
How long we keep it.
NDPA requires Avenor to keep personal information no longer than is necessary for the purposes for which it was collected. The retention periods for each category of data are set out below.
5.1 Visitor information (clause 2.1). Technical website logs are kept for ninety days from collection, then deleted. Aggregate (non-identifying) usage data is retained indefinitely for analytical purposes.
5.2 Applicant information (clause 2.2) — pending review. During the review process, applicant information is retained for as long as the review is active.
5.3 Applicant information — accepted. Where an application is accepted and the applicant becomes a Member, the application data becomes part of the Member's record and is retained in accordance with clause 5.4.
5.4 Member information (clauses 2.3, 2.4) — during membership. Member information is retained for the duration of the membership relationship.
5.5 Member information — after the relationship ends. When a Member's relationship with Avenor ends (whether by non-renewal, termination, or withdrawal), Avenor retains:
(a)a core record of the relationship — the Member's name, dates of membership, tier(s), and the basis on which the membership ended — for seven years from the end date. This period reflects the limitation period under Nigerian law for claims that may arise from the relationship and the period for which financial records must be retained under applicable tax and accounting law.
(b)booking records and Booking Charges records for seven years from the end date, on the same basis.
(c)the signed Membership Agreement and Joining Terms for seven years from the end date.
(d)communications between the former Member and Avenor for three years from the end date.
After the relevant retention period ends, the information in each category is deleted or anonymised.
5.6 Declined applicants (clause 2.5). Where an application is declined, the applicant's information is retained for two years from the date of the decision, then deleted. This period allows Avenor to handle a reapplication or a query about the original decision; beyond two years, the information is no longer needed.
5.7 Visitor and Guest information (clause 2.4). Information about a Visitor or Guest is retained as part of the sponsoring Member's record, on the basis set out in clauses 5.4 and 5.5.
5.8 Identity verification information (clause 2.3(a)). Identity verification documents are retained only for as long as necessary to complete the verification, then either deleted or replaced with a record that verification was completed (without retaining the document itself). The maximum retention is one year from the date of verification.
5.9 Longer retention. Where a longer retention period is required by law (for example, by tax or anti-money-laundering regulation), or where a dispute or legal claim is reasonably anticipated, Avenor may retain the relevant data for the longer period. Where this applies, Avenor retains only the data necessary for the specific purpose and applies the original retention period to all other data.
Section 6
How we protect it.
NDPA requires Avenor to apply appropriate technical and organisational measures to protect personal information. The measures Avenor applies are set out below.
6.1 Access controls. Access to personal information is restricted to those staff and contractors of Avenor who need it for their work. Each person accessing personal information does so through individual credentials. Credentials are not shared.
6.2 Encryption. Personal information held in databases is encrypted at rest. Personal information transmitted between systems (including through the website and the member portal) is encrypted in transit using current standards.
6.3 Authentication. Member accounts are protected by individual credentials. Avenor encourages each Member to use a strong, unique password and to enable any additional security measures offered by the member portal.
6.4 Storage and infrastructure. Personal information is held with the hosting providers named in clause 4.2. These providers maintain commercially appropriate physical and network security at their facilities, audited periodically.
6.5 Staff and contractor obligations. Staff and contractors of Avenor who have access to personal information are bound by written confidentiality and data-protection obligations. They are trained in the requirements of this Policy and of NDPA. Breach of these obligations may result in termination of the relationship with the person concerned and where appropriate referral to authorities.
6.6 Vendor due diligence. Avenor reviews sub-processors before engaging them, including their data-protection practices and their NDPA compliance. Engagement is by written contract that includes data-protection obligations.
6.7 Incident response. Avenor maintains a process for responding to personal-data breaches. Where a breach is likely to result in a risk to the rights and freedoms of affected data subjects, Avenor notifies NDPC within seventy-two hours of becoming aware of the breach, in accordance with NDPA section 40. Where the breach is likely to result in a high risk to the data subject, Avenor notifies the affected data subjects without undue delay.
6.8 What no measures can guarantee. No security measure is absolute. Avenor applies the measures set out above in good faith but cannot guarantee that personal information will never be compromised. Where a compromise occurs, Avenor responds in accordance with clause 6.7.
Section 7
Your rights.
NDPA grants data subjects specific rights in relation to their personal information. The rights and the way to exercise each one are set out below. Each right is exercised by writing to hello@avenor.club.
7.1 Right to information. A data subject is entitled to know what personal information Avenor holds about them, how it is being processed, and the legal basis for the processing. The information needed to exercise this right is set out throughout this Policy.
7.2 Right of access. A data subject is entitled to a copy of the personal information Avenor holds about them, in a structured and readable format. Avenor responds to access requests within thirty days, as required by NDPA. There is no charge for a first access request in any year; reasonable charges may apply to repeat or excessive requests.
7.3 Right to rectification. A data subject is entitled to have inaccurate personal information about them corrected, and incomplete information completed. Avenor acts on rectification requests promptly.
7.4 Right to erasure. A data subject may request that their personal information be erased where:
(a)the information is no longer necessary for the purpose for which it was collected;
(b)the data subject has withdrawn consent (where consent was the lawful basis);
(c)the data subject objects to the processing and there is no overriding legitimate ground;
(d)the information has been unlawfully processed.
Avenor responds to erasure requests by erasing the information where the request is well-founded under NDPA, or by explaining why erasure is not possible (for example, because a legal retention obligation applies under clause 5.9).
7.5 Right to restrict processing. A data subject may request that processing of their information be restricted in specified circumstances, including where they contest the accuracy of the information or have objected to the processing pending a decision.
7.6 Right to data portability. Where processing is based on consent or contract performance, a data subject is entitled to receive the information they have provided to Avenor in a structured, commonly used, machine-readable format, and to transmit it to another controller.
7.7 Right to object. A data subject may object to processing based on Avenor's legitimate interests. Avenor will stop processing on those grounds unless Avenor has compelling legitimate grounds that override the data subject's interests, or the processing is needed for the establishment, exercise, or defence of a legal claim.
7.8 Right not to be subject to automated decision-making. A data subject is entitled not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on them. Avenor does not engage in such automated decision-making in any case (clause 3.8(d)).
7.9 Right to withdraw consent. Where Avenor processes information on the basis of consent, the data subject may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
7.10 Right to complain to NDPC. A data subject who believes Avenor has breached NDPA in handling their personal information has the right to complain to the Nigeria Data Protection Commission. The current contact details for NDPC are at ndpc.gov.ng. A complaint to NDPC does not require the data subject to have first raised the matter with Avenor, although raising it with Avenor first is often the faster route to resolution.
Section 8
International transfers.
8.1 NDPA restricts the transfer of personal information outside Nigeria. Avenor may transfer personal information outside Nigeria in connection with the sub-processors listed in clause 4.2 where any of those providers operate, host, or process data outside Nigeria. The current providers and the countries in which they operate are set out in the sub-processor list maintained on the Avenor website.
8.2 Where a transfer outside Nigeria occurs, Avenor relies on one or more of the bases permitted by NDPA section 41, including:
(a)a decision by NDPC that the recipient country provides adequate protection;
(b)contractual safeguards approved by NDPC, including standard contractual clauses;
(c)the necessity of the transfer for the performance of a contract with the data subject or pre-contractual steps requested by the data subject;
(d)the data subject's explicit consent, where applicable.
8.3 For each sub-processor that operates outside Nigeria, Avenor has assessed the relevant basis and entered into contractual arrangements that include the safeguards required by NDPA. The current basis applicable to each sub-processor is recorded in Avenor's processing record and available to NDPC on request.
8.4 Avenor does not transfer personal information to jurisdictions where adequate protection is not available without specific safeguards being put in place.
Section 9
Children's data.
9.1 Avenor is a membership network for adults. Membership is not available to a person under the age of eighteen. The application process is not directed to children and Avenor does not knowingly collect personal information from a person under the age of eighteen for the purpose of providing membership.
9.2 Where a Member's household includes children (in the sense defined in clause 5.9 of the Membership Agreement — the Member's own children living with them), Avenor processes the children's names only to the extent necessary to identify the persons present on a booking. Avenor does not collect further information about a Member's children and does not retain children's information separately from the Member's record.
9.3 Where Avenor becomes aware that it has inadvertently collected information from a person under the age of eighteen in any other context, that information is deleted promptly. A parent or guardian who becomes aware that their child has provided information to Avenor may request its deletion by writing to hello@avenor.club.
Section 10
Cookies and tracking on the website.
10.1 The Avenor website uses a small number of cookies and similar tracking technologies for specific purposes. The detail of what is set, by whom, for what purpose, and for how long is published in the Cookie and Tracking Notice on the Avenor website.
10.2 The Cookie and Tracking Notice forms part of Avenor's privacy disclosures. It is updated when the cookies or tracking technologies in use change.
10.3 Where applicable, cookie consent is requested through the cookie consent mechanism on the website. A visitor may change their consent preferences at any time.
Section 11
Changes to this Policy.
11.1 Avenor may update this Privacy Policy from time to time. Updates are issued as new versions of the Policy and dated.
11.2 Material changes — changes that affect the categories of data collected, the purposes of processing, the categories of recipients, or the rights of data subjects — are notified to current Members by email at the address Avenor holds for them, and to other affected persons where Avenor has a means of contacting them. The notification is sent at least thirty days before the change takes effect, where the timing of the change allows.
11.3 Non-material changes — clarifications, corrections, or formatting updates that do not affect the substance of the Policy — are published as a new version without separate notification. The version date on the Policy reflects the most recent update.
11.4 Archive. Earlier versions of this Policy are maintained in Avenor's archive and are available to a current Member, where the earlier version applied during their term, on request to hello@avenor.club.
Section 12
Contact us.
12.1 Privacy queries. Questions, requests to exercise data-subject rights under section 7, or any other matter relating to this Policy are addressed by writing to hello@avenor.club. Avenor responds to privacy queries within fourteen days; substantive responses to rights requests are made within thirty days, in accordance with NDPA.
12.2 Data Protection Officer. Avenor's Data Protection Officer (or where Avenor has not appointed a DPO, the person currently responsible for privacy matters) is reachable through the same address. The current name of the responsible person is recorded in Avenor's processing record and is provided on request.
12.3 Complaints to NDPC. A data subject who is dissatisfied with how Avenor has handled their personal information may complain to the Nigeria Data Protection Commission. Current contact details for NDPC are published at ndpc.gov.ng. Avenor encourages a data subject to raise the matter with Avenor first, but this is not required before complaining to NDPC.