Privacy Policy

Last updated: April 27, 2026

1. Introduction

Vistadek ("we," "our," or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, disclose, and safeguard your information when you use our visitor management platform ("Service"). This policy applies to all users of the Service, including organization administrators, front desk operators, and visitors whose information is processed through the platform.

This policy is designed to comply with the Nigeria Data Protection Act 2023 (NDPA), the General Application and Implementation Directive (GAID), and other applicable data protection laws in jurisdictions where we operate.

2. Data Controller and Processor Roles

Vistadek operates as both a Data Controller and a Data Processor, depending on the context:

  • As Data Controller: We are the controller for account registration data, billing information, and platform usage data that we collect directly from you for our own purposes.
  • As Data Processor: When an organization uses Vistadek to manage visitor information, the organization is the Data Controller and Vistadek acts as a Data Processor, processing visitor data on behalf of and under the instructions of that organization.

3. Information We Collect

3.1 Account Information

When you register, we collect:

  • Full name and email address
  • Organization name and details
  • Password (stored in hashed form using bcrypt, never in plain text)
  • Role assignment within your organization

3.2 Visitor Data

Organizations using Vistadek may collect the following visitor information:

  • Visitor name, email, phone number, and company affiliation
  • Photographs captured during check-in (see Section 4 on Sensitive Data)
  • Visit purpose, host information, and check-in/check-out timestamps
  • Digital signatures on NDAs or other documents (where enabled by the organization)
  • Badge numbers and QR code identifiers

3.3 Automatically Collected Information

  • Browser type, device type, and operating system
  • IP address and approximate geographic location (used solely for currency localization)
  • Usage patterns and feature interaction data
  • Session duration and access timestamps

4. Sensitive and Biometric Data

Visitor photographs captured during the check-in process may constitute sensitive personal data under the NDPA. We handle this data with additional safeguards:

  • Photographs are captured only when the feature is enabled by the organization and with the visitor's awareness at the point of check-in
  • Photos are stored securely and are accessible only to authorized personnel within the relevant organization
  • Photos are not used for facial recognition, biometric profiling, or any automated decision-making
  • Organizations may configure automatic deletion of photographs after a defined retention period
  • Visitors may request deletion of their photographs by contacting the host organization

5. Lawful Basis for Processing

We process personal data only when we have a valid legal basis to do so, as required by the NDPA:

  • Performance of a contract: Processing your account data is necessary to provide the Service you have signed up for, including managing your subscription and delivering platform features.
  • Consent: Where required, we obtain your explicit consent before processing certain data. For example, visitor check-in involves the visitor's awareness and participation. You may withdraw consent at any time (see Section 9).
  • Legitimate interest: We may process data for our legitimate business interests, such as improving the Service, ensuring platform security, and preventing fraud, provided these interests do not override your fundamental rights and freedoms.
  • Legal obligation: We may process data to comply with applicable laws, regulations, or court orders.

6. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve the Service
  • Process visitor check-ins and generate badges
  • Send service-related notifications (account updates, security alerts)
  • Process payments and manage subscriptions
  • Detect and prevent fraud, abuse, and security threats
  • Generate aggregated analytics and usage reports for your organization
  • Localize pricing and content based on your geographic location
  • Comply with legal obligations

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

7. Multi-Tenant Data Isolation

Vistadek operates on a multi-tenant architecture. Each organization's data is logically isolated using tenant-level access controls. This means:

  • Your organization's visitor records, user accounts, and settings are not accessible to other organizations
  • All API requests are scoped to your authenticated tenant context
  • Platform administrators (Vistadek staff) may access aggregate, anonymized data for platform health monitoring but do not access individual visitor records without explicit authorization from the relevant organization

8. Data Sharing and Sub-Processors

We do not sell, rent, or trade your personal information. We may share data only in these circumstances:

  • Payment processors: Transaction data is shared with payment providers (e.g., Paystack, Flutterwave) solely to process your subscription payments
  • Hosting and infrastructure: Your data is stored on servers provided by our hosting provider, which maintains appropriate security certifications
  • Email services: We use third-party email providers to send transactional notifications (e.g., host alerts, account confirmations)
  • Legal requirements: When required by law, court order, or government regulation
  • Security: To investigate, prevent, or respond to suspected fraud, security incidents, or violations of our Terms of Service
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to affected users

All sub-processors are bound by data processing agreements that require them to protect your data to standards no less protective than those described in this policy.

9. Your Rights

Under the NDPA and applicable data protection laws, you have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data, subject to legal retention obligations
  • Right to data portability: Request your data in a structured, commonly used, machine-readable format
  • Right to object: Object to the processing of your data where processing is based on legitimate interest
  • Right to restrict processing: Request that we limit how we use your data in certain circumstances
  • Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal

To exercise any of these rights, please contact our Data Protection Officer at privacy@vistadek.com. We will respond to your request within 30 days.

For visitors whose data is processed by an organization using Vistadek, please contact the relevant organization directly to exercise your rights, as they are the Data Controller for your visitor information.

10. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Passwords are hashed using bcrypt with per-user salts
  • All data in transit is encrypted via TLS/HTTPS
  • Session tokens are securely managed with automatic expiration
  • Role-based access control (RBAC) limits data access to authorized users
  • Audit logs track administrative actions within each organization

While we strive to use commercially acceptable means to protect your personal data, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security, but we continuously review and improve our security practices.

11. Data Retention

We retain your account and organizational data for as long as your account is active or as needed to provide the Service. Visitor records are retained according to your organization's configuration settings. Upon account deletion or termination, we will delete or anonymize your data within 90 days, unless longer retention is required by applicable law.

You may request a data export at any time through your account settings or by contacting our Data Protection Officer.

12. Children's Data

The Vistadek Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If an organization uses Vistadek to check in visitors who may be minors (e.g., in educational settings), the organization is responsible for ensuring appropriate parental or guardian consent is obtained in compliance with the NDPA and applicable child protection laws. If we become aware that we have inadvertently collected personal data from a child without appropriate consent, we will take steps to delete such data promptly.

13. Cookies and Tracking

Vistadek uses essential cookies for session management and authentication. We do not use third-party advertising cookies or cross-site tracking pixels. Functional cookies may be used to remember your preferences such as theme mode and currency selection. These cookies are necessary for the operation of the Service and do not require separate consent under applicable law.

14. International Data Transfers

Your data may be transferred to and processed on servers located outside your country of residence. Where such transfers occur, we ensure that appropriate safeguards are in place, including data processing agreements with our service providers that require them to protect your data to standards consistent with the NDPA and other applicable data protection laws.

15. Compliance with Nigerian Data Protection Law

In compliance with the Nigeria Data Protection Act 2023 (NDPA) and the General Application and Implementation Directive (GAID), we process personal data lawfully, fairly, and transparently. We collect data only for specified, explicit, and legitimate purposes, and retain it only for as long as necessary to fulfil those purposes.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) through their official channels at ndpc.gov.ng.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated via email to account holders or through a prominent notice on the Service at least 14 days before they take effect. We encourage you to review this policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

17. Contact Us

For privacy-related inquiries, data access requests, or complaints, please contact our Data Protection Officer:

Data Protection Officer

Vistadek

Email: privacy@vistadek.com

© 2026 Vistadek. All rights reserved.