This policy explains how Servease, operated by SKYGRID-TECH ("Servease", "we", "us", "our"), processes personal data collected through the Servease mobile application and the website at serveaseapp.com.
If you have any questions, contact our team at support@skygridtech.org.
1. Scope
This policy applies to the Servease mobile app on Android (Google Play) and iOS (App Store) and to serveaseapp.com.
It applies to service customers, errand providers/runners, and visitors to the marketing site.
It does not apply to third-party sites linked from Servease — each of those has its own privacy policy.
2. Data we collect
We collect the following categories of personal data. Each category is described below with what we collect, why we collect it, and how it is collected. These category labels correspond 1:1 with the data types declared in our Google Play Data Safety form.
a) Personal identifiers
- What we collect: full name, email address, phone number, user account ID, profile photo, date of birth (if provided during KYC).
- Source: user input during registration and profile editing.
- Why: account creation, sign-in, contact between customer and provider, customer support, regulatory KYC.
b) Device or other IDs
- What we collect:
  - Android device identifier (ANDROID_ID) — a stable per-device identifier read via the expo-application library.
  - iOS Identifier for Vendor (IDFV) — Apple's per-vendor device identifier.
  - Firebase Cloud Messaging (FCM) token — issued by Google Firebase to deliver push notifications.
  - Firebase Installation ID — generated by the Firebase Installations SDK to identify each app install.
  - Diagnostic device context transmitted with crash reports (device model, OS version, app version, locale) collected by Sentry and Firebase Crashlytics.
- Source: collected automatically when the app starts and after sign-in.
- Why:
  - Delivering push notifications you have opted in to (FCM token, Installation ID).
  - Enforcing one-account-per-device as a fraud-prevention and account-security control (ANDROID_ID / IDFV).
  - Diagnosing crashes and app stability issues (device context attached to crash reports).
- This data is transmitted to:
  - Servease's own backend (for the device-binding control above).
  - Google Firebase (for push delivery and crash reporting).
  - Sentry (for crash reporting).
c) Account credentials
- What we collect: hashed password (we never store plaintext), OAuth identity tokens issued by Google Sign-In, biometric unlock state (the biometric template never leaves the device — only a boolean "enabled" flag is stored).
- Source: registration form, Google Sign-In flow, device biometric prompt.
- Why: authentication.
d) KYC / identity verification data
- What we collect: government-ID type and number, ID document image, selfie image, liveness-check result, BVN/NIN where applicable, address details.
- Source: Dojah identity-verification SDK, embedded in the Servease app.
- Why: legal/regulatory obligation (AML, anti-fraud), provider onboarding, payout eligibility.
- Note: Dojah processes this data on our behalf as a sub-processor.
e) Location data
- What we collect: precise GPS location (with foreground permission) and approximate location.
- Source: device location services, only when the user has granted permission.
- Why: matching service requests to nearby providers, route guidance for errands, fraud risk signals.
f) Photos, files, and uploaded media
- What we collect: profile photos, errand-related photos, KYC documents, attachments uploaded to disputes or messages.
- Source: device camera, photo library, document picker — only when the user explicitly selects content.
- Why: profile display, service evidence, KYC, dispute resolution.
g) Financial information
- What we collect: payment instrument metadata (last 4 digits, brand, token), wallet balance, transaction history.
- Source: the user (when adding a payment method) and our payment processor.
- Why: processing payments and payouts, transaction records.
- We do not store full card numbers or CVV on our servers — those are handled directly by the payment processor (PCI-DSS compliant).
h) App activity
- What we collect: in-app interactions (errand created, accepted, completed, cancelled), ratings and reviews you submit, messages exchanged in-app, dispute submissions.
- Source: app usage.
- Why: providing the service, analytics, dispute resolution, abuse prevention.
i) App info and performance
- What we collect: crash logs, error stack traces, performance diagnostics, app version, OS version.
- Source: Sentry and Firebase Crashlytics, automatically.
- Why: detecting and fixing bugs.
j) Communications
- What we collect: emails, SMS, and in-app messages you exchange with our support team.
- Source: support interactions.
- Why: resolving your requests; quality assurance.
3. How we collect data
- Directly from you — registration, profile, errand creation, support tickets, KYC.
- Automatically from your device — SDKs read identifiers, telemetry, location (with permission) when the app is running.
- From third parties acting on our behalf — Dojah (KYC), Google (Sign-In identity claims), payment processor (transaction outcomes).
4. How we use data (purposes of processing)
Each purpose below maps directly to Google's Data Safety purpose taxonomy so this policy and our Play Console declaration stay aligned.
| Purpose | What it covers |
|---|---|
| App functionality | Running the errand marketplace — matching, messaging, location, payments. |
| Account management | Creating, securing, and recovering accounts. |
| Fraud prevention, security, and compliance | Device binding via ANDROID_ID/IDFV, KYC, abuse detection, legal/AML obligations. |
| Analytics | Understanding usage to improve the product. Crash logs and diagnostics fall here. |
| Communications | Push notifications, transactional emails/SMS, support replies. |
| Personalization | Showing relevant nearby providers and remembered preferences. |
5. Who we share data with
We do not sell personal data. We share data only with the following categories of recipients, each of whom is bound by contract to process data only on our instructions.
| Recipient | Role | Data shared | Privacy policy |
|---|---|---|---|
| Google Firebase (Cloud Messaging, Crashlytics, Installations) | Push delivery, crash reporting, install identification | Device or other IDs, App info & performance | Link |
| Sentry | Crash and error diagnostics | App info & performance, Device or other IDs | Link |
| Dojah | KYC / identity verification | KYC data, Personal identifiers, Photos (ID + selfie) | Link |
| Google Sign-In (Google LLC) | OAuth-based authentication | Personal identifiers (name, email) | Link |
| Google Maps Platform | Map rendering and geocoding | Approximate/precise location | Link |
| Payment processor {{TBD: confirm Paystack / Stripe / Flutterwave}} | Payment authorization, payout processing | Financial information, Personal identifiers | TBD |
| Cloud hosting (Amazon Web Services {{TBD: confirm provider & region}}) | Storage and compute for the Servease backend | All collected data, in encrypted form | Link |
We may also disclose data:
- To comply with a lawful request from a regulator, law-enforcement body, or court order.
- To enforce our Terms of Service or protect the rights, property, or safety of Servease, our users, or the public.
- In connection with a merger, acquisition, financing, or sale of assets — subject to notice and a continuing obligation to honor this policy.
6. Legal bases for processing
For users in GDPR-style jurisdictions, we rely on the following legal bases:
- Performance of a contract — account, errand fulfilment, payments.
- Consent — push notifications, optional analytics, marketing communications, precise location. You can withdraw consent at any time from device settings or the app's settings screen.
- Legitimate interests — fraud prevention, security, network and information integrity.
- Legal obligation — KYC, tax records, response to lawful requests.
7. International data transfers
The processors listed in Section 5 may store and process data outside your country of residence (notably the United States and the European Union). Where required, we rely on standard contractual safeguards (e.g. EU Standard Contractual Clauses) or equivalent transfer mechanisms.
8. Data retention
| Data category | Retention |
|---|---|
| Active account data | While the account is open, plus a 30-day grace period after deletion request. |
| Transaction & financial records | Period mandated by applicable tax and financial regulations (typically 5–7 years). |
| KYC verification records | Regulatory minimum (typically 5 years after the relationship ends). |
| Crash diagnostics & error logs | 90 days rolling. |
| Support correspondence | 2 years from last contact. |
| Anonymized / aggregated analytics | No expiry — no longer identifies any user. |
9. Your rights
- Access — request a copy of the data we hold about you.
- Correction — request that inaccurate data be corrected (in-app via Profile, or by emailing support).
- Deletion — see the Account & Data Deletion page.
- Portability — request your data in a structured, machine-readable format.
- Restriction / objection — restrict or object to certain processing.
- Withdraw consent — turn off push notifications, location, etc. from device settings; revoke optional consents in the app.
- Complain to a regulator — Nigerian users may lodge a complaint with the Nigeria Data Protection Commission (NDPC). EEA/UK users may complain to their local data protection authority. California residents may contact the California Privacy Protection Agency.
10. Children
- Servease is not directed to persons under 18.
- We do not knowingly collect data from anyone under 18.
- If you believe a minor has provided data to Servease, contact support@skygridtech.org and we will delete it.
11. Security
- All data in transit is encrypted with TLS 1.2 or higher.
- Data at rest is encrypted using industry-standard algorithms.
- Access to production data is role-based, logged, and limited to a minimum number of authorized personnel.
- Passwords are stored as salted hashes; we never see your plaintext password.
- On-device sensitive data is stored in platform-native secure storage (iOS Keychain / Android Keystore). File uploads use time-limited, pre-signed URLs.
- We operate an incident-response process. In the event of a breach affecting your personal data, we will notify you and any relevant regulator within the timeframes required by applicable law.
12. Cookies and web analytics (serveaseapp.com only)
The Servease mobile app does not use browser cookies. The marketing website at serveaseapp.com may use the following:
- Strictly necessary cookies — session and security cookies required for the site to function.
- Analytics — {{TBD: confirm which web-analytics tool the marketing site uses — e.g. Google Analytics, Plausible, or none. If used, list each tracker, its purpose, retention, and opt-out path here.}}
If you visit the site from the EU/UK, you will see a cookie consent banner. You can withdraw or change cookie consent at any time from the banner's settings link.
13. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via:
- An in-app notice on next sign-in.
- Email to the address on your account.
The "Last updated" date at the top of the page will always reflect the latest revision.
14. Contact
SKYGRID-TECH (operator of Servease)
- Email: support@skygridtech.org
- Postal address: {{TBD: insert registered office address}}
- Data Protection Officer: {{TBD: insert name/email if appointed}}
- Website: www.serveaseapp.com
We will respond to your inquiry within 30 days.