The ibo legal document

Ibo — Privacy Policy & Terms of Service

App Name: Ibo
Company / Operator: Ibo (Pvt) Ltd
Headquarters: Harare, Republic of Zimbabwe
Operating Scope: Global (all jurisdictions where users download and use the Platform)
Platforms: Android · iOS · Web
Contact Email: legal@ibo.co.zw
Data Protection Officer (DPO) Contact: dpo@ibo.co.zw
Effective Date: 6 June 2026
Last Updated: 6 June 2026

PLEASE READ THIS DOCUMENT CAREFULLY BEFORE USING THE IBO PLATFORM.
By downloading, installing, accessing, or using Ibo in any way, you acknowledge that you have read, understood, and agree to be bound by both the Privacy Policy and the Terms of Service set out in this document. If you do not agree with any part of this document, you must immediately stop using the Platform.

MULTI-JURISDICTIONAL NOTICE: Ibo is a global platform. Certain sections of this document address specific rights and obligations that apply to users in particular jurisdictions (e.g., the European Economic Area, United Kingdom, United States, South Africa, Brazil, Canada, Australia, and others). Where jurisdiction-specific provisions apply, they are clearly identified and supplement — not replace — the general provisions.

PART A — PRIVACY POLICY

1. Who We Are

Ibo is a global digital real estate marketplace operated by Ibo (Pvt) Ltd, a company incorporated under the laws of the Republic of Zimbabwe (Company Registration Number: [To be inserted]). The Platform connects property providers (landlords, freelance agents, and registered brokerages) with prospective tenants across Zimbabwe, the SADC region, and globally.

Ibo acts as the data controller (or, where applicable under local law, the "business," "responsible party," or equivalent designation) for personal data collected through the Platform. We determine how and why your personal data is processed, and we are responsible for ensuring it is handled lawfully, fairly, and transparently in accordance with applicable data protection legislation worldwide.

Data Protection Officer

We have appointed a Data Protection Officer (DPO) who can be contacted for any privacy-related queries:

Data Protection Officer
Ibo (Pvt) Ltd
Email: dpo@ibo.co.zw

EEA/UK Representative

For users in the European Economic Area (EEA) and the United Kingdom (UK), our designated representative under Article 27 of the GDPR / UK GDPR is:

[To be appointed — EEA/UK Representative]
Email: eu-representative@ibo.co.zw

Registered Office

Ibo (Pvt) Ltd
Harare, Zimbabwe
Email: legal@ibo.co.zw

2. Definitions

For the purposes of this document, the following terms have the meanings given below:

Term	Meaning
Platform	The Ibo mobile application (Android and iOS) and web application (including the Admin Panel), collectively.
User	Any individual who accesses or uses the Platform, regardless of role or geographic location.
Provider	A User registered as a Landlord, Freelance Agent, or Brokerage.
Landlord	A Provider who lists properties they own directly.
Agent	A freelance individual registered as a Provider who lists properties on behalf of landlords.
Brokerage	A registered company or agency registered as a Provider on the Platform.
Tenant	A User who browses property listings and pays to unlock contact details.
Admin	Ibo staff with elevated access to manage the Platform.
Personal Data	Any information that directly or indirectly identifies a natural person, as defined by applicable data protection laws (including "personal information" under CCPA/CPRA, "personal information" under POPIA, and "dados pessoais" under LGPD).
Sensitive Personal Data / Special Categories	Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, biometric data, health data, sexual orientation, or criminal records — subject to heightened protection under most data protection regimes.
Processing	Any operation performed on Personal Data, including collection, recording, storage, alteration, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
Data Controller	The entity that determines the purposes and means of Processing Personal Data (Ibo, under GDPR and equivalent laws).
Data Processor / Service Provider	A third party that processes Personal Data on behalf of the Data Controller (e.g., Google Firebase, PesePay).
Firestore	Google Cloud Firestore, the cloud database used by Ibo to store Platform data.
Firebase	Google Firebase, the cloud infrastructure suite used by Ibo (Auth, Firestore, Storage, Functions, Hosting, Cloud Messaging).
Unlock	The act of a Tenant paying a fee to access the contact details of a property listing.
Reservation	A time-limited hold created after reservation-fee payment and linked to a property and tenant.
Acquisition Payment	A payment that finalizes a reserved property transaction and transitions listing state.
Short-Stay Booking	A booking flow for short-stay listings (period-based) handled through dedicated payment and booking records.
Float	The insurance deposit balance maintained by Brokerages on the Platform.
PesePay	The third-party payment gateway used to process Unlock, Reservation, Acquisition, Full Payment, and Short-Stay payment flows.
GDPR	The General Data Protection Regulation (EU) 2016/679.
UK GDPR	The UK General Data Protection Regulation, as retained in UK law.
CCPA / CPRA	The California Consumer Privacy Act, as amended by the California Privacy Rights Act.
POPIA	The Protection of Personal Information Act 4 of 2013 (South Africa).
LGPD	Lei Geral de Proteção de Dados (Brazil's General Data Protection Law).
PIPEDA	The Personal Information Protection and Electronic Documents Act (Canada).
PDPA	Personal Data Protection Act (as enacted in Singapore, Thailand, or other applicable jurisdictions).
SCC	Standard Contractual Clauses, as adopted by the European Commission for international data transfers.
DPA	Data Processing Agreement between Ibo and its Data Processors / Service Providers.
KYC	Know Your Customer — identity verification procedures to prevent fraud and money laundering.
AML	Anti-Money Laundering — regulatory framework to prevent money laundering and terrorism financing.

3. Scope & Applicability

3.1 Who This Document Applies To

This Privacy Policy applies to all individuals worldwide who:

Download, install, or access the Ibo mobile application (Android or iOS).
Access the Ibo web application (including the Admin Panel).
Create an account or interact with the Platform in any way.
Communicate with Ibo via email, phone, or any other channel.

3.2 Territorial Scope

Ibo processes Personal Data globally. This Privacy Policy is designed to comply with the most stringent applicable data protection requirements, including but not limited to:

Jurisdiction	Applicable Law
European Economic Area (EEA)	GDPR (Regulation 2016/679)
United Kingdom	UK GDPR + Data Protection Act 2018
Switzerland	Federal Act on Data Protection (nFADP)
United States — California	CCPA / CPRA
United States — Virginia	Virginia Consumer Data Protection Act (VCDPA)
United States — Colorado	Colorado Privacy Act (CPA)
United States — Connecticut	Connecticut Data Privacy Act (CTDPA)
United States — Other states	As applicable (Utah, Texas, Oregon, Montana, etc.)
South Africa	POPIA (Act 4 of 2013)
Zimbabwe	Data Protection Act (Chapter 11:12), Cyber and Data Protection Act, 2021
Brazil	LGPD (Lei 13.709/2018)
Canada	PIPEDA + Provincial laws (Alberta PIPA, BC PIPA, Quebec Law 25)
Australia	Privacy Act 1988 + Australian Privacy Principles (APPs)
Singapore	Personal Data Protection Act 2012 (PDPA)
Thailand	Personal Data Protection Act B.E. 2562 (2019)
India	Digital Personal Data Protection Act, 2023 (DPDPA)
Kenya	Data Protection Act, 2019
Nigeria	Nigeria Data Protection Act, 2023
SADC Member States	Applicable national data protection legislation
Other jurisdictions	Applicable local privacy and data protection laws

Where there is a conflict between this Privacy Policy and mandatory local law, the local law prevails for users in that jurisdiction.

3.3 What This Document Does NOT Cover

This Privacy Policy does not apply to:

Third-party websites, applications, or services linked from the Platform (see Section 24).
The practices of property Providers once contact details have been shared through the Unlock system — Providers are independent data controllers for any data they collect from Tenants outside the Platform.
Any offline interactions between Tenants and Providers that occur after an Unlock.

4. Information We Collect

We collect the following categories of Personal Data, depending on your role on the Platform:

4.1 Information Collected from All Users

Data Element	Purpose	CCPA Category
Full name	Account registration, identification	Identifiers
Email address	Login credential, communications, account recovery	Identifiers
Password	Authentication (stored in hashed form via Firebase Auth; never stored in plaintext)	N/A (hashed)
Phone number	Account identification, verification, contact purposes	Identifiers
Gender	Demographic context (options: Male, Female, Transgender, Prefer not to say)	Protected characteristics
National ID number (Zimbabwe users)	Identity verification / KYC	Government identifiers
Government-issued ID (non-Zimbabwe users)	Identity verification / KYC (where required by local law)	Government identifiers
Profile photograph	Optional; uploaded to Firebase Storage	Biometric-adjacent (visual)
Role & account type	Tenant, Landlord, Freelance Agent, or Brokerage	Commercial information
Device & platform information	Platform detection (Android, iOS, Web), recorded at login	Internet/electronic activity
Login timestamps	Date and time of each successful login	Internet/electronic activity
IP address	Collected by Firebase and PesePay infrastructure; security, fraud detection	Internet/electronic activity
Session preference	"Remember Me" selection	Internet/electronic activity
Theme preference	Light / dark / system theme setting	Internet/electronic activity
Notification read status	Which in-app notifications have been read	Internet/electronic activity
Push notification token(s)	FCM tokens for push notification delivery	Internet/electronic activity
Account status metadata	Status values (`active`, `suspended`, `account_deleted`, `pending_verification`) and audit timestamps	Inferences/profile
Phone/email verification status	Verification state, provider, and timestamps for registration flow	Identifiers
App version	The version of the Ibo app in use	Internet/electronic activity
Device operating system & version	Technical environment information	Internet/electronic activity

4.2 Additional Information Collected from Providers (Landlords & Agents)

Agent licence / accreditation number — for Freelance Agents.
Years of experience — for Freelance Agents.
Property listings data — all fields entered when creating a property listing (see Section 4.4).

4.3 Additional Information Collected from Brokerages

Company / agency name — the registered trading name.
Companies Registry number — the official incorporation / registration number.
Company street address, city, and country — registered office address.
ZIMRA / Tax clearance number (or local equivalent) — optional; for tax compliance.
Company phone number — office contact number.
Company email address — official business email.
Company logo — uploaded image, stored in Firebase Storage.
Brokerage float balance — the current insurance deposit balance in USD.
Brokerage subscription fee — the agreed fee level in USD.
Brokerage commission rate — the agreed percentage deducted per Unlock.
Float top-up history — records of all float deposits made via PesePay.
Brokerage ledger entries — a full audit trail of all float debits and credits.

4.4 Property Listing Data

When a Provider creates a property listing, we collect:

Property title, description, and location (suburb, city, country).
Property type, classification, location density type, and orientation.
Monthly rental price (USD) and security deposit amount.
Number of bedrooms, bathrooms, bathroom type, kitchens, and related structural details.
Room quantity, boarding room type, and full-house total rooms (where applicable).
Bills included/excluded (WiFi, Water, Electricity).
Amenities and proximity facilities.
Geographic coordinates (latitude and longitude) — used to display the property on a map.
Institution coordinates (latitude and longitude) — for boarding/student-type properties.
Availability date.
Period-of-stay configuration (for short-stay listings).
Tenant requirements (preferences expressed by the Provider).
Contact number — the phone number tenants receive after unlocking; this is never shown to tenants who have not paid to unlock the property.
For Agent listings: the Agent's full name and contact number, and the landlord's name.
For Brokerage listings: the individual broker's name and contact number, and all brokerage company details.
Property images — uploaded to Firebase Storage.
Listing status (pending, approved, rejected, flagged).
Admin moderation notes (approval/rejection/flagging timestamps and rejection reasons).
Listing lifecycle state (active, inactive, relisted).

4.5 Transaction & Payment Data

Payment amount, currency (USD), payment reference number, and payment method metadata.
Payment provider used (PesePay).
Payment status lifecycle (e.g., pending, redirect_pending, success, failed).
Payment category and type (e.g., unlock fee, reservation fee, acquisition, full rent/deposit, short-stay, brokerage top-up).
Timestamps of payment initiation, redirect, verification, and completion.
Property, tenant, and provider identifiers associated with each payment.
Transaction type discriminator (unlock, reservation, acquisition, rent, deposit).
For Brokerage unlocks: float balance before and after the deduction, deduction amount, and ledger entry reference.
For Provider payouts and platform fees: split metadata, fee rates, net amounts, and settlement records.
Provider earnings ledger entries (for landlords, agents, and brokerages) including gross amount, platform fee, net amount, and payout status.

Note: Ibo does not store full credit/debit card numbers, CVV codes, mobile money PINs, or bank account details. All payment card/mobile money data is processed and stored exclusively by PesePay in accordance with PCI-DSS standards.

4.6 Reservation and Booking Data

Reservation records, including reservation ID, tenant ID, provider ID, property ID, status, and expiry timestamp.
Short-stay booking records, including booking ID, period value/unit, status, and related transaction identifiers.
Acquisition linkage between reservation and final settlement transaction where applicable.

4.7 Unlock Records

A permanent record that a specific Tenant has unlocked a specific property.
The associated Transaction ID.
The timestamp of the unlock.

4.8 Review Data

Star rating, selected review categories, optional comment text, review context (tenant/provider), and creation timestamp.

4.9 Notification Data

The content of in-app notifications sent to you.
Whether each notification has been read.
The type of notification (including listing moderation outcomes, unlock outcomes, payment outcomes, reservation/acquisition/booking status updates, account status updates, welcome/system messages).

4.10 Content Reporting Data

Reports submitted by users about policy-violating content or users.
Reporter identity, target type (property/user), target ID, reason code, details text, and timestamps.
Admin resolution status and outcomes.

4.11 User Blocking Data

Records of users you have chosen to block.
Blocker and blocked user identifiers, names, roles, and timestamps.

4.12 Technical & Usage Data

IP address (collected by Firebase and PesePay infrastructure).
Device operating system and version.
App version.
Browser type and version (web users).
Crash reports and error logs (via Firebase Crashlytics).
Feature usage patterns within the app (e.g., screens visited, search filters applied, interaction events).
Approximate geolocation derived from IP address.

4.13 Information We Do NOT Collect

Ibo does not intentionally collect:

Biometric identifiers (fingerprint, facial geometry) — profile photos are not processed for biometric identification purposes.
Genetic data.
Health or medical information.
Trade union membership.
Precise geolocation on a continuous or background basis — GPS is used only on-demand for the map picker feature (Providers) and auto-locate (with your permission).
Social Security Numbers (except where Zimbabwe National ID applies for KYC purposes).
Contents of private communications between Tenants and Providers conducted outside the Platform.

5. How We Collect Information

We collect information in the following ways:

5.1 Directly From You

When you register an account, complete your profile, create a property listing, submit a review, make a payment, submit a content report, or contact us.
When you adjust preferences (theme, notification settings).
When you interact with in-app features (searching, filtering, viewing properties, unlocking).

5.2 Automatically

Through the Firebase SDK embedded in the app, which records technical and usage data (see Section 4.12).
Through server logs and infrastructure monitoring.

5.3 Through Payment Processing

PesePay provides us with payment status, reference information, and gateway metadata after processing a transaction. We do not receive full card numbers or mobile money PINs from PesePay.

5.4 Through Firebase Cloud Functions

Our server-side functions process payment, reservation, acquisition, and booking outcomes; generate notifications; write protected financial/audit records; and manage account lifecycle events.

5.5 Through Recovery and Verification Flows

Account recovery callables validate role/subtype and phone/email matches before returning recovery responses.
Phone and email verification flows (Firebase Auth, OTP) capture verification state and timestamps.

5.6 Through Routing/Map Services

When you use route and map features, origin/destination coordinates may be transmitted to Google Maps and/or OSRM (Open Source Routing Machine).

5.7 From Your Device

With your explicit permission, we access your device's GPS/location services when you use the map picker to set a property's geographic coordinates (Providers only) or when the app auto-locates your position to assist map navigation. Location access is always on-demand and never runs in the background.

6. Legal Bases for Processing

We process your Personal Data on the following legal bases under Article 6(1) GDPR:

Legal Basis	Examples
Performance of a contract (Art. 6(1)(b))	Processing your registration, enabling listings, executing payment flows (unlock, reservation, acquisition, full payment, short-stay), managing your account lifecycle.
Legitimate interests (Art. 6(1)(f))	Fraud prevention, platform security, service improvement, analytics, sending service-related notifications, enforcing our Terms of Service. Our legitimate interests do not override your fundamental rights and freedoms.
Legal obligation (Art. 6(1)(c))	Retaining transaction records for tax and regulatory compliance, responding to lawful court orders, AML/KYC requirements.
Consent (Art. 6(1)(a))	Sending marketing communications, push notification delivery, accessing device GPS for map features, processing certain cookies. You may withdraw consent at any time.

Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your rights and freedoms. You may request details of this assessment by contacting our DPO.

6.2 Under CCPA / CPRA (California Residents)

Under the CCPA/CPRA, we process Personal Information for the following "business purposes":

Performing services (account management, property listing, payment processing).
Security and fraud prevention.
Debugging and error repair.
Internal research for technology development.
Verifying and maintaining quality and safety.

We do not "sell" or "share" (for cross-context behavioural advertising) your Personal Information as those terms are defined under the CCPA/CPRA.

6.3 Under POPIA (South African Users)

Processing is justified under one or more of the following conditions:

The data subject has consented.
Processing is necessary for the performance of a contract.
Processing is necessary for compliance with a legal obligation.
Processing is necessary to protect a legitimate interest of the data subject.
Processing is necessary for the proper performance of a public law duty.

6.4 Under LGPD (Brazilian Users)

Legal bases under Article 7 of the LGPD include:

Consent of the data subject.
Compliance with a legal or regulatory obligation.
Execution of a contract or preliminary procedures related to a contract.
Exercise of rights in judicial, administrative, or arbitration proceedings.
Legitimate interests of the controller or third party.
Protection of the data subject's or third party's life or physical safety.

6.5 Under Other Applicable Laws

In jurisdictions not specifically listed above, we rely on the legal bases most closely analogous to those described in Sections 6.1–6.4, as permitted under local law.

7. How We Use Your Information

We use the information we collect for the following purposes:

7.1 Account Management

To create, authenticate, and manage your account.
To verify your identity using your National ID or equivalent government-issued identification and other registration details.
To enforce role-based access control (Tenant vs. Provider vs. Admin).
To support role-aware account recovery workflows using email + phone verification and masked recovery hints.
To remember your login session when you select "Remember Me."
To manage phone and email verification flows during registration.
To send you a welcome notification upon first registration.

7.2 Platform Operations

To display property listings to Tenants.
To allow Providers to create, edit, and manage their property listings (including multi-image galleries and unit configurations).
To submit new listings for Admin review and moderation.
To notify Providers of listing approval, rejection, or flagging decisions.
To process Unlock eligibility and enforce contact-gating rules.
To manage reservation holds, acquisition settlement, and short-stay booking workflows.
To send Tenants unlock success/failure notifications.
To notify Tenants when a property they have unlocked is updated or removed.
To notify Providers when a Tenant unlocks one of their listings.
To display interactive maps for property location setting (Providers) and directions (Tenants post-unlock).
To process and display user reviews and ratings.
To manage user blocking and content reporting features.

7.3 Payment Processing

To initiate and track payments through PesePay.
To verify payment outcomes through redirect polling, webhook/callback verification, and reconciliation jobs.
To record and display your payment history.
To generate and store transaction records.
To maintain Provider earnings and ledger records (for landlords, agents, and brokerages) and apply configured fee splits.
To process provider payout requests and maintain payout audit trails.

7.4 Safety, Security & Compliance

To detect and prevent fraudulent activity, fake listings, identity theft, and abuse of the Platform.
To comply with AML/KYC regulatory obligations.
To suspend accounts that violate our Terms of Service.
To respond to legal requests from law enforcement, regulators, or courts in any applicable jurisdiction.
To maintain audit trails for regulatory compliance.
To enforce sanctions compliance and screen against embargoed jurisdictions or sanctioned parties.

7.5 Communications

To send in-app notifications about account and listing events.
To send push notifications via Firebase Cloud Messaging (FCM) — only if you have granted notification permission.
To respond to support requests and queries.
To send service-related transactional communications (e.g., payment confirmations, account updates).
To send marketing communications — only where you have given explicit opt-in consent, or where otherwise permitted by applicable law (e.g., soft opt-in for existing customers under UK PECR).

7.6 Platform Improvement

To analyse usage patterns and improve the app experience.
To identify and fix bugs and performance issues.
To develop new features based on aggregated user behaviour.
To conduct internal research and development.

7.7 Legal Proceedings

To establish, exercise, or defend legal claims.
To comply with court orders, subpoenas, or other legal processes in any jurisdiction.

We do not sell your Personal Data. We do not share your Personal Data for cross-context behavioural advertising. We share your data only in the following circumstances:

8.1 Between Users — Controlled Disclosure via the Unlock System

The contact details of a Provider (landlord's phone number, agent's contact, or brokerage contact details) are never displayed publicly. They are only shared with a Tenant after that Tenant has successfully paid the Unlock fee or has obtained equivalent access through a qualifying full payment. See Section 9 for full details of this system.

8.2 With Firebase / Google (Data Processor)

All data is stored on Google Firebase infrastructure (Firestore, Firebase Storage, Firebase Authentication, Firebase Hosting, Firebase Cloud Functions, Firebase Cloud Messaging). Google processes this data as a data processor on our behalf under a Data Processing Agreement (DPA). Google's privacy policy applies to their infrastructure: https://policies.google.com/privacy. Google's GDPR commitments are documented at: https://firebase.google.com/support/privacy.

8.3 With PesePay (Data Processor)

When you initiate any supported payment flow (including unlock, reservation, acquisition, full rent/deposit, short-stay, or brokerage top-up), relevant transaction details are shared with PesePay, our payment gateway. PesePay processes payment information in accordance with its own privacy policy and PCI-DSS standards and is responsible for the security of card/mobile money data during the payment process. Ibo does not store full card numbers or mobile money PINs.

8.4 With Our Admin Team

Ibo staff (Admins) have access to all Platform data for the purposes of moderation, support, compliance, and platform operations. Admin access is subject to confidentiality obligations and internal access controls.

8.5 Legal & Regulatory Compliance

We may disclose your Personal Data to law enforcement, regulators, courts, or governmental authorities if we are required to do so by applicable law in any jurisdiction, a valid court order, a lawful subpoena, or to protect the rights, property, or safety of Ibo, our users, or the public.

8.6 Business Transfers

In the event of a merger, acquisition, reorganisation, asset sale, bankruptcy, or sale of all or part of our business, your data may be transferred to the acquiring entity. We will notify you of any such transfer and, where required by law, seek your consent.

8.7 Professional Advisors

We may share your Personal Data with our legal, financial, and professional advisors on a confidential basis for the purposes of obtaining professional advice.

We may share your data with third parties not described above if you give us explicit consent to do so.

8.9 Categories of Personal Data Disclosed (CCPA Disclosure)

For the purposes of California law, in the preceding 12 months we have disclosed the following categories of Personal Information for "business purposes":

Category	Disclosed To
Identifiers (name, email, phone)	Firebase/Google, PesePay, other users (via Unlock system)
Internet/electronic activity	Firebase/Google
Commercial information (transactions)	Firebase/Google, PesePay
Geolocation data	Google Maps, OSRM
Government identifiers (National ID)	Stored in Firebase/Google (for KYC)

We have not sold or shared (for cross-context behavioural advertising) any Personal Information in the preceding 12 months.

9. Contact Information Gating — The Unlock System

A core privacy feature of the Ibo Platform is the Unlock System, which protects the contact details of property Providers from public exposure:

Property listings are publicly visible to all authenticated Tenants, but the contact phone number of the Provider (and agent/brokerage contact details where applicable) is hidden by default. Contact details are stored in a separate, access-controlled subcollection (properties/{id}/contact) that is never returned in standard property queries.
To access contact details, a Tenant must pay a non-refundable Unlock fee of USD $10 per property (or obtain equivalent access through a qualifying full payment flow).
Upon successful payment verification by our backend (Firebase Cloud Functions), an Unlock record is permanently created linking the Tenant to that property.
The Tenant then gains access to the Provider's contact details within the app, and can also view map directions to the property.
A reservation payment alone does not grant contact access; contact access is controlled exclusively by Unlock/full-payment access rules.
The Unlock is permanent — once unlocked, the Tenant retains access to the contact details even if the listing is later updated.
The Provider receives a notification that one of their properties has been unlocked.
For Brokerage listings, an additional commission (15% of the unlock fee by default) is deducted from the Brokerage's float balance at the time of unlock.

This system ensures that Provider contact information is only accessible to users who have demonstrated genuine intent by completing a payment, protecting Providers from spam and unsolicited contact.

10. Data Storage, Security & Infrastructure

10.1 Where Data Is Stored

All Platform data is stored in Google Cloud Firestore (a NoSQL cloud database) and Firebase Storage (for images and files). Firebase services operate on Google Cloud infrastructure. By default, the primary Firestore database is hosted in the United States (us-central1). Google may replicate data across multiple data centres for redundancy and performance purposes.

10.2 Security Measures

We implement the following technical and organisational security measures:

Firebase Authentication — all passwords are hashed using industry-standard algorithms (bcrypt/scrypt); we never store plaintext passwords.
Firestore Security Rules — granular server-side rules enforce that:
- Users can only read and write their own data.
- Tenants cannot access contact details without a valid Unlock record.
- Financial and protected records (transactions, unlocks, reservations, shortStayBookings, earnings ledgers, payout requests) are server-controlled (Cloud Functions / Admin SDK) and cannot be client-written.
- Admin-only fields (such as listing status, float balances, and account suspension status) cannot be modified by regular users.
- Content reports are validated for required fields and reporter identity.
- User block lists are restricted to the owning user.
HTTPS / TLS — all data in transit between your device and our servers is encrypted using TLS 1.2 or higher.
Firebase Storage Rules — image files are protected by authentication and ownership checks. Property images use signed download URLs with token-based access. Profile photos and company logos are restricted to the owning user for writes.
Role-based Access Control — enforced at both the app layer and the Firestore rules layer; Admin, Provider, and Tenant roles each have strictly defined permissions.
Cloud Functions — sensitive operations (payment verification, unlock creation, reservation/booking settlement, float deductions, earnings recording, payout processing, account-status automation) are performed server-side in a trusted environment, not on user devices.
Immutable Financial Records — transaction, unlock, reservation, booking, and ledger records are created exclusively by Cloud Functions and cannot be modified or deleted by client applications.
Employee Access Controls — Admin access is logged and subject to internal security policies.
Encryption at Rest — Google Cloud encrypts all data at rest using AES-256 encryption by default.
Regular Security Audits — we periodically review our security rules, access controls, and infrastructure configuration.

10.3 PCI-DSS Compliance

Ibo does not process or store payment card data directly. All payment card and mobile money processing is handled by PesePay, which maintains PCI-DSS compliance. Ibo is not a PCI-DSS merchant and does not fall within PCI-DSS scope.

10.4 Limitations

No security system is perfect. While we take all reasonable precautions consistent with industry best practices, we cannot guarantee absolute security of your data. In the event of a data breach that affects your rights and freedoms, we will notify affected users and relevant supervisory authorities as required by applicable law (see Section 27).

11. Data Retention

We retain your Personal Data for the following periods:

Data Category	Retention Period	Justification
Account profile data	Active account lifetime; on deletion request, account is transitioned to `account_deleted` state with legally required audit fields retained for up to 7 years.	Contractual performance; legal compliance
Property listings	Retained while active or archived; deleted/hidden listings may be retained for up to 7 years for audit, dispute handling, and fraud prevention.	Legitimate interest; legal compliance
Transaction records	7 years from transaction date.	Tax, audit, and regulatory compliance (Zimbabwean Revenue Authority, GDPR Art. 17(3)(b), CCPA business purpose retention)
Unlock records	7 years from unlock date, or longer where required for dispute/audit integrity.	Legitimate interest; legal compliance
Reservation records	Retained for operational, dispute, and audit purposes; active financial records retained up to 7 years.	Contractual performance; legal compliance
Short-stay booking records	Retained for operational, dispute, and financial audit purposes (up to 7 years where applicable).	Contractual performance; legal compliance
Provider earnings ledger entries (landlord, agent, brokerage)	7 years from entry date.	Tax and regulatory compliance
Brokerage float ledger entries	7 years from entry date.	Tax and regulatory compliance
Brokerage subscription records	7 years from creation date.	Tax and regulatory compliance
Provider payout request records	7 years from creation date.	Tax and regulatory compliance
Reviews	Retained until deleted under policy or account lifecycle controls, subject to moderation/audit requirements; maximum 3 years post-account deletion.	Legitimate interest
Content reports	3 years from resolution, or longer if required for ongoing investigation or legal proceedings.	Legitimate interest; legal obligation
Notification records	12 months from creation, unless legal/incident retention is required.	Legitimate interest
FCM token metadata	Retained while valid for notification delivery; invalid/unregistered tokens are removed when detected.	Contractual performance
Profile photos & images	Until deleted by the user/admin or account closure, plus a backup/replication grace period of up to 30 days.	Contractual performance
Login/session logs	12 months (or longer where incident/legal retention applies).	Legitimate interest; security
Crash/error logs	90 days, subject to incident investigation needs.	Legitimate interest
IP addresses	12 months (embedded in access logs).	Security; fraud prevention
Block list entries	Until the user removes the block or the account is deleted.	Contractual performance

After the applicable retention period, data is securely deleted or irreversibly anonymised. Where anonymisation is used, the resulting data can no longer be re-identified and is no longer considered Personal Data.

11.1 Retention Exceptions

In certain circumstances, we may retain data beyond the periods specified above:

To comply with a legal hold or court order.
To resolve an ongoing dispute or investigation.
Where required by applicable anti-money laundering legislation.
Where the data has been fully anonymised and is used solely for statistical or research purposes.

11.2 Data Minimisation

We apply the principle of data minimisation: we only collect and retain Personal Data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

12. International Data Transfers

12.1 Where Your Data Goes

Your Personal Data is stored on Google Firebase infrastructure, which is hosted in data centres primarily in the United States. Additionally, data may be replicated to other Google Cloud regions worldwide for performance and redundancy. PesePay processes payment data in its own infrastructure.

By using the Platform, you acknowledge that your data may be transferred to, stored, and processed in countries outside your country of residence, including countries that may not provide the same level of data protection as your home country.

12.2 Safeguards for International Transfers

We implement the following safeguards to protect your data during international transfers:

For EEA/UK/Swiss Users:

Standard Contractual Clauses (SCCs): We rely on the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for transfers of Personal Data to countries outside the EEA/UK that have not received an adequacy decision. Google's Data Processing Terms incorporate SCCs.
UK International Data Transfer Agreement (IDTA): For UK-originating transfers, we use the UK IDTA or the UK Addendum to the EU SCCs, as appropriate.
Swiss-U.S. Data Privacy Framework: Where applicable.
Supplementary Measures: We implement additional technical and organisational measures where necessary, as recommended by the EDPB (Recommendations 01/2020).
Transfer Impact Assessments: We conduct transfer impact assessments to evaluate the legal framework of the destination country and ensure adequate protection.

For South African Users (POPIA):

Transfers are made in compliance with Section 72 of POPIA, which requires that the recipient is subject to comparable data protection laws, binding corporate rules, or contractual protections.

For Brazilian Users (LGPD):

International transfers comply with Chapter V of the LGPD, relying on standard contractual clauses or the data subject's specific and highlighted consent.

For Canadian Users (PIPEDA):

Transfers comply with PIPEDA's accountability principle. We ensure through contractual arrangements that personal information transferred to third parties receives a comparable level of protection.

For All Users:

Data Processing Agreements (DPAs): We maintain DPAs with all sub-processors that process Personal Data on our behalf (see Appendix B).
Encryption in Transit: All data transfers use TLS 1.2 or higher encryption.

By creating an account and using the Platform, you explicitly consent to the transfer of your Personal Data to jurisdictions described in this Section 12. Where consent is not the appropriate legal basis for transfer under your local law, we rely on the alternative safeguards described above.

13. Your Rights — Global Overview

Regardless of your location, Ibo is committed to honouring the following core data protection rights for all users:

Right	Description
Access	Request a copy of the Personal Data we hold about you.
Rectification	Correct inaccurate or incomplete Personal Data. You can update most profile information directly in the app.
Erasure / Deletion	Request deletion of your Personal Data, subject to legal retention obligations.
Restriction	Request that we limit how we process your data in certain circumstances.
Portability	Request a copy of your data in a structured, commonly-used, machine-readable format.
Objection	Object to processing based on legitimate interests or for direct marketing purposes.
Withdraw Consent	Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
Non-Discrimination	We will not discriminate against you for exercising any of your privacy rights.
Lodge a Complaint	File a complaint with the relevant supervisory authority in your jurisdiction.

How to Exercise Your Rights

To exercise any data protection right, contact us at:

Email: dpo@ibo.co.zw
Subject line: "Data Rights Request — [Your Right]"

We will:

Acknowledge your request within 5 business days.
Verify your identity before processing the request (we may ask for government-issued ID or account verification).
Respond substantively within 30 calendar days (or within the shorter period required by your local law — e.g., 15 days under LGPD, 45 days under CCPA).
Inform you if an extension is needed (up to a maximum of 60 additional days where permitted).

All requests are free of charge, unless manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse the request, as permitted by applicable law.

In addition to the rights described in Section 13, if you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following specific rights under the GDPR / UK GDPR:

You have the right to obtain confirmation of whether we process your Personal Data and, if so, to receive a copy of that data together with information about the purposes, categories, recipients, retention periods, transfer safeguards, and the source of data.

You have the right to have inaccurate Personal Data corrected without undue delay.

You have the right to request erasure of your Personal Data where:

The data is no longer necessary for the purposes for which it was collected.
You withdraw consent and there is no other legal basis for processing.
You object to processing and there are no overriding legitimate grounds.
The data has been unlawfully processed.
Erasure is required to comply with a legal obligation.

Exceptions: We may retain data where processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defence of legal claims, or for archiving purposes in the public interest (Art. 17(3) GDPR). Financial transaction records are retained for 7 years under Zimbabwean tax law.

You may request restriction of processing where you contest accuracy, processing is unlawful, we no longer need the data but you need it for legal claims, or you have objected to processing pending verification.

You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV) and to transmit it to another controller where processing is based on consent or contract and carried out by automated means.

You have the right to object at any time to processing based on legitimate interests (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests. You have an absolute right to object to processing for direct marketing purposes.

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. See Section 25 for our automated decision-making practices.

14.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement. A list of supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

For UK residents: The supervisory authority is the Information Commissioner's Office (ICO), https://ico.org.uk.

For Swiss residents: The supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC), https://www.edoeb.admin.ch.

15. Your Rights — California Residents (CCPA / CPRA)

If you are a California resident, the following disclosures and rights apply under the CCPA/CPRA:

15.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the categories of Personal Information described in Section 4. Specifically:

Identifiers (name, email, phone, IP address, National ID).
Internet or electronic network activity (login timestamps, device info, feature usage, crash reports).
Geolocation data (GPS coordinates via map picker, IP-derived approximate location).
Commercial information (transaction records, payment history, listing data).
Protected classification characteristics (gender).
Government-issued identifiers (National ID).
Audio, electronic, visual information (profile photos, property images).
Inferences (account status, role, preferences).

15.2 Right to Know / Access

You have the right to request that we disclose the categories and specific pieces of Personal Information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.

15.3 Right to Delete

You have the right to request deletion of your Personal Information, subject to legal exceptions (e.g., completing transactions, detecting fraud, complying with legal obligations, maintaining financial records).

15.4 Right to Correct

You have the right to request correction of inaccurate Personal Information we maintain about you.

15.5 Right to Opt-Out of Sale/Sharing

We do not sell your Personal Information and do not share it for cross-context behavioural advertising. Therefore, there is no need to opt out. However, if our practices change, we will update this policy and provide a "Do Not Sell or Share My Personal Information" link.

15.6 Right to Limit Use of Sensitive Personal Information

We do not use or disclose Sensitive Personal Information for purposes beyond those permitted under the CPRA (i.e., we use it only for providing the services you request).

15.7 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA/CPRA rights (e.g., by denying services, charging different prices, or providing different quality of service).

15.8 Authorised Agents

You may designate an authorised agent to submit requests on your behalf. We may require proof of the agent's authority and may still require you to verify your identity directly.

15.9 Financial Incentive Programs

We do not offer financial incentives related to the collection, retention, or sale of Personal Information.

15.10 How to Submit a Request

Email: dpo@ibo.co.zw with subject line "CCPA Request"
Response time: Within 45 calendar days (with a possible 45-day extension if necessary, with notice).

16. Your Rights — South African Users (POPIA)

If you are located in South Africa, the following rights apply under the Protection of Personal Information Act (POPIA):

16.1 Right to Access (Section 23)

You have the right to request confirmation of whether we hold Personal Information about you and to access that information.

16.2 Right to Correction (Section 24)

You may request correction, deletion, or destruction of Personal Information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.

16.3 Right to Object (Section 11(3))

You may object to processing on reasonable grounds related to your particular situation, unless legislation permits such processing.

16.4 Right to Object to Direct Marketing (Section 69)

You may object at any time to the processing of your Personal Information for direct marketing purposes.

16.5 Right to File a Complaint

You may file a complaint with the Information Regulator (South Africa):

Website: https://www.justice.gov.za/inforeg/
Email: inforeg@justice.gov.za

16.6 Cross-Border Transfers (Section 72)

Transfers of your Personal Information outside South Africa comply with Section 72 of POPIA. See Section 12 for details.

17. Your Rights — Brazilian Users (LGPD)

If you are located in Brazil, the following rights apply under the Lei Geral de Proteção de Dados (LGPD):

17.1 Rights Under Article 18

You have the right to:

Confirmation of the existence of Processing.
Access to your Personal Data.
Correction of incomplete, inaccurate, or outdated data.
Anonymisation, blocking, or deletion of unnecessary, excessive, or non-compliant data.
Portability of your data to another service provider (upon express request and subject to commercial and industrial secrecy).
Deletion of data processed with your consent (except where legal retention applies).
Information about public and private entities with whom we share your data.
Information about the possibility of denying consent and the consequences thereof.
Revocation of consent.

17.2 Data Protection Authority (ANPD)

You may file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD):

Website: https://www.gov.br/anpd

17.3 Response Time

We will respond to your requests within 15 calendar days as required by the LGPD.

18. Your Rights — Canadian Users (PIPEDA / Provincial Laws)

If you are located in Canada, the following apply under PIPEDA and applicable provincial privacy legislation:

We obtain meaningful consent for the collection, use, and disclosure of your Personal Information. Consent may be express or implied depending on the sensitivity of the information and your reasonable expectations.

18.2 Right to Access

You have the right to request access to your Personal Information held by us and to be informed of its use and disclosure.

18.3 Right to Challenge Accuracy

You may challenge the accuracy and completeness of your Personal Information and have it amended as appropriate.

You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. We will inform you of the implications of withdrawal.

18.5 Right to Complain

You may file a complaint with the Office of the Privacy Commissioner of Canada (OPC):

Website: https://www.priv.gc.ca

For Quebec residents: Commission d'accès à l'information du Québec (CAI): https://www.cai.gouv.qc.ca

19. Your Rights — Australian Users (Privacy Act 1988)

If you are located in Australia, the following apply under the Privacy Act 1988 and the Australian Privacy Principles (APPs):

19.1 Right to Access (APP 12)

You have the right to request access to your Personal Information held by us.

19.2 Right to Correction (APP 13)

You have the right to request correction of your Personal Information if it is inaccurate, out of date, incomplete, irrelevant, or misleading.

19.3 Right to Anonymity (APP 2)

Where practicable, you have the option of not identifying yourself or using a pseudonym when dealing with us. However, we may not be able to provide our services to you without verifying your identity.

19.4 Cross-Border Disclosure (APP 8)

Before disclosing Personal Information to an overseas recipient, we take reasonable steps to ensure the recipient complies with the APPs or is subject to a substantially similar privacy regime.

19.5 Right to Complain

You may file a complaint with the Office of the Australian Information Commissioner (OAIC):

Website: https://www.oaic.gov.au

20. Your Rights — Other Jurisdictions

20.1 Zimbabwean Users

Your rights are protected under the Cyber and Data Protection Act (Chapter 12:07) and any successor legislation. You may contact the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) for data protection complaints.

20.2 Singapore Users (PDPA)

You have rights of access, correction, and withdrawal of consent under the Personal Data Protection Act 2012. Complaints may be filed with the Personal Data Protection Commission (PDPC): https://www.pdpc.gov.sg.

20.3 Thailand Users (PDPA)

You have rights of access, rectification, erasure, restriction, portability, objection, and complaint under the PDPA B.E. 2562. Complaints may be filed with the Personal Data Protection Committee (PDPC).

20.4 Indian Users (DPDPA)

You have rights under the Digital Personal Data Protection Act, 2023, including the right to access, correction, erasure, grievance redressal, and nomination of a representative. Complaints may be filed with the Data Protection Board of India.

20.5 Kenya Users (Data Protection Act)

You have rights of access, rectification, erasure, and objection under the Data Protection Act, 2019. Complaints may be filed with the Office of the Data Protection Commissioner: https://www.odpc.go.ke.

20.6 Nigeria Users (NDPA)

You have rights under the Nigeria Data Protection Act, 2023, including access, rectification, erasure, restriction, portability, and objection. Complaints may be filed with the Nigeria Data Protection Commission (NDPC).

20.7 Other SADC Member States

Users in SADC member states (Botswana, Eswatini, Lesotho, Madagascar, Malawi, Mauritius, Mozambique, Namibia, Seychelles, Tanzania, Zambia, etc.) are entitled to the data protection rights provided under their respective national data protection legislation. We will comply with applicable local requirements.

20.8 Users in Jurisdictions Without Specific Data Protection Laws

Even where your jurisdiction does not have comprehensive data protection legislation, Ibo voluntarily extends the core rights described in Section 13 to all users globally.

21. Children's Privacy

21.1 Age Requirement

The Ibo Platform is intended for users who are 18 years of age or older. We do not knowingly collect Personal Data from persons under the age of 18 (or the applicable age of digital consent in their jurisdiction, if different — e.g., 16 under GDPR in some member states, 13 under COPPA in the United States).

21.2 Verification

Registration requires identity verification (National ID for Zimbabwe users, or equivalent government-issued identification) which is typically only issued to persons of legal age. Our Terms of Service further require users to be 18 or over.

21.3 Discovery of Underage Users

If we become aware that we have collected Personal Data from a person under the applicable age of consent without appropriate parental or guardian consent, we will take steps to delete that data promptly. If you believe a minor has registered on the Platform, please contact us immediately at dpo@ibo.co.zw.

21.4 COPPA Compliance (U.S.)

The Platform is not directed at children under 13. We do not knowingly collect Personal Information from children under 13 as defined by the Children's Online Privacy Protection Act (COPPA). If we discover such collection, we will delete the information immediately.

22. Push Notifications

We use Firebase Cloud Messaging (FCM) to send push notifications to your device. Push notifications are used to alert you to important events, including:

Listing approval, rejection, or flagging (Providers).
Unlock success or failure (Tenants).
Payment confirmation/outcome updates (Tenants and Providers).
Reservation, acquisition, and short-stay booking status updates.
Property updates or removals for unlocked properties (Tenants).
Account suspension or status change notices.
System, welcome, and administrative messages.
Provider payout status updates.
Float-related notifications (Brokerages).

To deliver these notifications, we store and process your FCM device token(s). Invalid/unregistered tokens may be removed automatically during delivery error handling.

You may disable push notifications at any time through your device's system settings. Disabling push notifications does not affect in-app notifications, which are always delivered. You may also control notification preferences within the app's settings.

23. Cookies, Local Storage & Tracking Technologies

23.1 Mobile App (Android & iOS)

The Ibo mobile app does not use browser cookies. It uses local device storage to persist:

Your session preference ("Remember Me").
Your theme setting (light/dark/system).
Cached UI state for performance.

This data is stored on your device and is not transmitted to our servers unless you use the Platform's features.

23.2 Web Application (Admin Panel)

The Ibo web application may use:

Cookie/Storage Type	Purpose	Duration	Required?
Session cookies	Maintain your logged-in state (Firebase Auth)	Session	Essential
Local storage	Cache user preferences, improve performance	Persistent	Essential
Firebase Analytics cookies	Usage analytics (where enabled)	Up to 2 years	Non-essential

These are first-party cookies/storage entries. We do not use third-party advertising cookies, tracking pixels, or cross-site trackers.

For users in the EEA and UK, we comply with the ePrivacy Directive (2002/58/EC) and the UK Privacy and Electronic Communications Regulations (PECR). We will obtain your consent before setting any non-essential cookies. Essential cookies (required for basic Platform functionality) do not require consent.

23.4 Do Not Track (DNT)

Some browsers offer a "Do Not Track" (DNT) signal. As there is no industry consensus on how to respond to DNT signals, we do not currently alter our data collection practices in response to DNT signals. If a universal standard is adopted, we will reassess this position.

23.5 Global Privacy Control (GPC)

We honour Global Privacy Control (GPC) signals as a valid opt-out request under applicable laws (including CCPA/CPRA). If your browser sends a GPC signal, we will treat it as a request to opt out of any applicable "sale" or "sharing" of Personal Information (though we do not currently engage in such practices).

24. Third-Party Links & Services

The Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through the Platform.

Third-party services integrated with or used by the Platform include:

Service	Purpose	Privacy Policy
Google Firebase	Authentication, database, storage, hosting, notifications, Cloud Functions	policies.google.com/privacy
PesePay	Payment processing	pesepay.com
Google Maps Platform	Property location display, geocoding, and directions	policies.google.com/privacy
OSRM (Open Source Routing Machine)	Route calculation for map directions	project-osrm.org
WhatsApp	Optional contact channel post-unlock (when Provider shares a WhatsApp-enabled number)	whatsapp.com/legal/privacy-policy

25. Automated Decision-Making & Profiling

25.1 Current Practices

Ibo does not currently use automated decision-making or profiling that produces legal effects or similarly significantly affects users. Specifically:

Listing moderation decisions (approval, rejection, flagging) are made by human Admin reviewers.
Account suspension decisions are made by human Admins.
Payment verification outcomes are determined by PesePay's payment processing systems based on financial institution responses (not by Ibo's own algorithms).

25.2 Automated Processes

The following processes are automated but do not constitute "solely automated decision-making" as they either do not produce legal effects or are subject to human oversight:

Brokerage float freeze: Automatically triggered when a Brokerage's float balance falls below the safety threshold. This is a rule-based calculation (not profiling) and is immediately reversible upon top-up.
Unlock record creation: Automatically created upon verified payment. This is a transactional operation, not a decision about the user.
Notification generation: Automatically triggered by platform events.

25.3 Future Changes

If we introduce automated decision-making or profiling that produces legal effects in the future, we will:

Update this Privacy Policy.
Implement meaningful human oversight mechanisms.
Provide you with the right to obtain human intervention, express your point of view, and contest the decision, as required by GDPR Art. 22 and equivalent laws.

26. Data Protection Impact Assessments

Where required by applicable law (e.g., GDPR Art. 35), we conduct Data Protection Impact Assessments (DPIAs) before commencing any type of processing that is likely to result in a high risk to the rights and freedoms of individuals. DPIAs are reviewed and updated as necessary.

27. Data Breach Notification

27.1 Our Commitment

In the event of a Personal Data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:

Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Art. 33, POPIA Section 22, LGPD Art. 48, and equivalent laws).
Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34, or as required by other applicable laws — e.g., without unreasonable delay under the CCPA).
Document the breach internally, including the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to mitigate the breach.

27.2 Notification Content

Breach notifications to affected individuals will include:

A description of the nature of the breach.
The likely consequences.
The measures we have taken or propose to take.
Contact details of our DPO.
Recommendations for individuals to protect themselves.

27.3 Jurisdiction-Specific Timelines

Jurisdiction	Notification Deadline (Authority)	Notification Deadline (Individuals)
EEA (GDPR)	72 hours	Without undue delay (high risk)
UK (UK GDPR)	72 hours	Without undue delay (high risk)
South Africa (POPIA)	As soon as reasonably possible	As soon as reasonably possible
Brazil (LGPD)	Reasonable time (per ANPD guidance)	Same
California (CCPA)	N/A	Without unreasonable delay
Canada (PIPEDA)	As soon as feasible	As soon as feasible (real risk of significant harm)
Australia (Privacy Act)	Within 30 days of awareness	As soon as practicable
Zimbabwe	As required by applicable law	As required by applicable law

28. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. When we do, we will:

Update the "Last Updated" date at the top of this document.
Publish the updated policy in the app and on our website.
For material changes that affect your rights:
- Notify users via in-app notification and/or email at least 30 days before the changes take effect.
- Where required by law, obtain your renewed consent before applying the changes.
For non-material changes (e.g., clarifications, formatting):
- Publish the updated policy with an updated "Last Updated" date.

Continued use of the Platform after the effective date of any changes constitutes acceptance of the updated Privacy Policy. If you do not agree with the changes, you must stop using the Platform and may request account deletion.

Previous versions of this Privacy Policy are available upon request by contacting dpo@ibo.co.zw.

29. Contact Us (Privacy)

For any privacy-related queries, requests, or complaints, please contact:

Ibo (Pvt) Ltd — Data Protection Officer
Email: dpo@ibo.co.zw
Subject line: "Privacy Enquiry"

General Legal Contact:
Email: legal@ibo.co.zw
Subject line: "Privacy Enquiry"

We aim to respond to all privacy requests within 30 days (or the shorter period required by your local law).

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction (see Sections 14–20 for contact details of supervisory authorities).

PART B — TERMS OF SERVICE

30. Acceptance of Terms

By creating an account, downloading, installing, accessing, or using the Ibo Platform in any manner, you enter into a legally binding agreement with Ibo (Pvt) Ltd ("Ibo," "we," "us," or "our") and agree to be bound by these Terms of Service ("Terms"), our Privacy Policy (Part A of this document), and any additional guidelines, policies, or rules posted on the Platform.

If you are accessing the Platform on behalf of a company or other legal entity (e.g., as a Brokerage), you represent and warrant that you have the authority to bind that entity to these Terms, and references to "you" include that entity.

If you do not agree to these Terms, you must not use the Platform.

These Terms constitute a legally binding contract. In jurisdictions that require specific formalities for electronic contracts to be enforceable (e.g., click-through acceptance), your act of clicking "I Agree," "Register," or any equivalent button, or your continued use of the Platform after being presented with these Terms, constitutes your electronic signature and acceptance.

31. Eligibility

To use the Ibo Platform, you must:

Be at least 18 years of age (or the age of legal majority in your jurisdiction, whichever is higher).
Be a natural person or a duly incorporated legal entity operating lawfully in your jurisdiction.
For Zimbabwe-based individual users: possess a valid Zimbabwe National ID.
For Brokerages: possess a valid Companies Registry number (or equivalent business registration in your jurisdiction).
For users outside Zimbabwe: possess a valid government-issued identification document as required for identity verification.
Not have been previously suspended or permanently banned from the Platform.
Have the legal capacity to enter into binding contracts under the laws of your jurisdiction.
Not be prohibited from using the Platform under any applicable law, regulation, or international sanctions regime.
Not be located in, or a resident of, any country or territory subject to comprehensive sanctions imposed by the United Nations, United States (OFAC), European Union, or United Kingdom (see Section 54).

By registering, you represent and warrant that you meet all of the above eligibility requirements. Ibo reserves the right to verify your identity and eligibility at any time and to suspend or terminate your account if you are found not to meet these requirements.

32. Account Registration & Security

32.1 Registration

To access most features of the Platform, you must create an account. During registration, you must provide accurate, complete, and up-to-date information, including your full name, email address, phone number, gender, and (for Zimbabwe users) National ID. You must maintain the accuracy of this information throughout your use of the Platform.

32.2 Multi-Step Verification

Account registration includes a multi-step verification process:

Email verification — a verification email is dispatched to confirm your email address.
Phone verification — an OTP (One-Time Password) or equivalent verification is sent to your registered phone number via Firebase Authentication.
Registration is considered complete only after both verification steps are successfully finished.

32.3 Role Selection

At registration, you must select your role: Tenant, Landlord, Freelance Agent, or Brokerage. Each role grants access to different features and carries different obligations (see Section 34). Your role cannot be changed after registration without contacting Ibo support.

32.4 Password & Account Security

You are solely responsible for maintaining the confidentiality of your account password and for all activity that occurs under your account. You must:

Choose a strong, unique password (minimum requirements enforced by Firebase Authentication).
Never share your password with any third party.
Notify Ibo immediately at legal@ibo.co.zw if you suspect unauthorised access to your account.

Ibo will not be liable for any loss or damage arising from your failure to protect your account credentials.

32.5 One Account Per Person

Each individual may hold only one account on the Platform. Brokerages may hold one account per registered legal entity. Creating multiple accounts to circumvent suspension, evade restrictions, or gain unfair advantage is strictly prohibited and grounds for immediate termination of all associated accounts.

32.6 "Remember Me" Feature

If you select the "Remember Me" option at login, the Platform will maintain your session and automatically log you in on subsequent visits from the same device. You are responsible for ensuring that your device is secure if you use this feature. On shared or public devices, we strongly recommend not using "Remember Me."

32.7 Account Accuracy

Providing false, misleading, or fraudulent information during registration — including a false National ID, fabricated company registration number, or impersonating another person or entity — is grounds for immediate account termination and may be reported to the relevant law enforcement authorities in your jurisdiction.

33. Identity Verification & Know Your Customer (KYC)

33.1 Purpose

Ibo implements identity verification procedures to:

Prevent fraud and impersonation.
Comply with applicable KYC and AML regulations.
Ensure the integrity of the Platform's marketplace.
Protect users from bad actors.

33.2 What We Verify

Individual users (Zimbabwe): Zimbabwe National ID number, full name, phone number, email address.
Individual users (other jurisdictions): Government-issued identification document (type varies by jurisdiction), full name, phone number, email address.
Brokerages: Company registration number, company name, registered address, company contact details, and the identity of the authorised representative.
Freelance Agents: Agent licence/accreditation number, full name, and contact details.

33.3 Enhanced Due Diligence

In certain circumstances (e.g., high-value transactions, suspicious activity, regulatory requirements), Ibo may request additional documentation or information to verify your identity or the legitimacy of a listing. Failure to provide requested documentation may result in account restrictions or suspension.

33.4 Data Handling

KYC data is processed in accordance with Part A (Privacy Policy) of this document and is subject to the data retention periods specified in Section 11.

34. User Roles & Permissions

The Platform recognises the following user roles, each with distinct capabilities:

34.1 Tenant

Can browse all approved property listings.
Can filter listings by city, suburb, property type, classification, price range, number of bedrooms/bathrooms, amenities, and other criteria.
Can view property details including photos (multi-image galleries), amenities, location map thumbnail, availability, pricing, and tenant requirements.
Can pay the Unlock fee to access a Provider's contact details and full map directions.
Can initiate reservation, acquisition, full rent/deposit, and short-stay booking payment flows.
Can view their payment history and a list of all unlocked properties.
Can submit reviews and ratings for properties.
Can report policy-violating content or users.
Can block other users.
Can receive in-app and push notifications.
Cannot create, edit, or delete property listings.
Cannot access contact details of any property without paying the Unlock fee (or completing a qualifying full payment).

34.2 Landlord

Can create, edit, and delete their own property listings (including multi-image galleries and unit configurations).
Can upload property images.
Can set a property's location using the interactive map picker (GPS-assisted).
Can view their own property listings and their statuses (pending, approved, rejected, flagged).
Can view which of their properties have been unlocked.
Can view their earnings ledger and request payouts.
Can edit their profile information.
Can report policy-violating content or users.
Can block other users.
Cannot approve their own listings (only Admin can approve listings).
Cannot access the Brokerage float system.

34.3 Freelance Agent

Has all the capabilities of a Landlord.
Listings display the Agent's name and contact number, plus the landlord's name as provided by the Agent.
Must hold a valid agent licence/accreditation number, which must be provided at registration.
Has access to an agent-specific earnings ledger with separate fee split configuration.

34.4 Brokerage

Has all the capabilities of a Landlord.
Must maintain an active insurance float balance above the minimum safety threshold (see Section 40).
Listings display the individual broker's name and contact, plus full brokerage company details.
Has access to the Brokerage Account screen showing float balance, float health, subscription status, and full ledger history.
Can initiate float top-up payments via PesePay.
Is subject to automatic commission deductions on every Unlock of their listings.
May have their listings frozen (unable to be unlocked by Tenants) if the float balance falls below the minimum threshold.

34.5 Admin

Admin accounts are operated exclusively by Ibo staff.
Admins can approve, reject, or flag any property listing.
Admins can suspend or reinstate any user account.
Admins can view all users, transactions, unlocks, notifications, reviews, content reports, provider payout requests, and brokerage subscriptions.
Admins can manage revenue splits and financial configuration.
Admins can delete listings, transactions, or user accounts.
Admin accounts cannot be self-registered; they are created directly by Ibo.
Admin actions are logged for audit purposes.

35. Provider Obligations

All Providers (Landlords, Freelance Agents, and Brokerages) agree to the following obligations:

35.1 Accuracy of Listings

You represent and warrant that all information in your property listings is true, accurate, current, and complete, including:

The property's location, address, suburb, city, country, and geographic coordinates.
The rental price and security deposit amount.
The number of bedrooms, bathrooms, kitchens, and other structural details.
The amenities, bills inclusion/exclusion, and proximity facilities.
The availability date and period-of-stay terms (for short-stay listings).
The contact number provided for Tenants to reach you.

Deliberately misrepresenting a property is a serious violation of these Terms and may result in immediate account suspension, listing removal, and potential legal liability under consumer protection laws in your jurisdiction.

35.2 Legal Authority to List

You warrant that you have the legal right to list the property — either as the owner, or as an authorised agent acting on behalf of the owner with their express written consent. You must not list properties you do not own or are not authorised to list. Listing properties without proper authorisation may constitute fraud under applicable law.

35.3 Compliance with Local Laws

You are solely responsible for ensuring that your property listing complies with all applicable local, regional, and national laws and regulations, including but not limited to:

Zoning and land-use regulations.
Rental licensing requirements.
Building safety and habitability standards.
Short-term rental regulations (where applicable).
Anti-discrimination laws.
Tax obligations arising from rental income.

Ibo does not verify compliance with local regulations and is not responsible for any Provider's non-compliance.

35.4 Listing Submission & Moderation

All new listings are submitted in a "pending" status and must be reviewed and approved by an Ibo Admin before they become visible to Tenants. Ibo reserves the right to approve, reject, or flag any listing at its sole discretion, with or without providing a reason.

35.5 Keeping Listings Current

You are responsible for keeping your listings up to date. If a property is no longer available (e.g., it has been rented), you must update or remove the listing promptly. Maintaining listings for unavailable properties is prohibited and may result in account sanctions.

35.6 Contact Details

The contact number you provide in your listing must be a valid, active number that can be reached by prospective Tenants after they pay the Unlock fee. Providing a false or inactive contact number is a violation of these Terms.

35.7 Image Quality & Authenticity

Images uploaded with listings must be genuine photographs of the actual property. Use of stock photos, images of different properties, AI-generated images misrepresenting the property, or digitally manipulated images that materially misrepresent the property is prohibited.

35.8 Tenant Requirements

Providers may specify tenant preferences (e.g., preferred gender, employment status, or family composition). However, these must comply with applicable anti-discrimination laws in your jurisdiction. Preferences that constitute unlawful discrimination are prohibited.

35.9 Communication with Tenants

Once a Tenant has unlocked a listing, you are expected to respond to their enquiries in a timely, professional, and honest manner. Ibo is not responsible for the outcome of any rental negotiations between Providers and Tenants.

35.10 Tax Obligations

You are solely responsible for determining and fulfilling any tax obligations arising from your use of the Platform, including income tax, VAT, and any other applicable taxes on rental income or Provider earnings. Ibo does not provide tax advice and may issue tax-related documentation where required by law.

36. Tenant Obligations

All Tenants agree to the following obligations:

36.1 Genuine Intent

By paying the Unlock fee for a property, you represent that you have a genuine interest in renting that property and are not purchasing contact details for spam, harassment, commercial data harvesting, or any other improper purpose.

36.2 Respectful Communication

You must communicate with Providers in a respectful, professional, and honest manner. Harassment, threats, or abusive communication directed at any Provider is strictly prohibited and may result in account suspension and legal action.

36.3 No Resale of Contact Details

You must not resell, share, distribute, publish, or otherwise disclose the contact details of any Provider obtained through the Unlock system. Contact details are provided for your personal use only in connection with your rental search.

36.4 Accurate Information

All information you provide on the Platform (including your profile details and identity information) must be accurate and truthful.

36.5 No Circumvention of the Unlock System

You must not attempt to obtain Provider contact details through any means other than the Unlock payment system or qualifying full payment flows — including but not limited to screen scraping, reverse engineering, API manipulation, social engineering of other users, or exploitation of any vulnerability.

36.6 Property Viewing Safety

When visiting properties identified through the Platform, you do so at your own risk. Ibo recommends that you take reasonable safety precautions, including informing someone of your plans and visiting during daylight hours. Ibo is not responsible for your physical safety during property viewings.

37. The Property Listing Process

37.1 Submission

Providers submit listings through the "Add Property" screen on the Platform. All required fields must be completed accurately before submission. Incomplete or inaccurate submissions may be rejected. Listings may include multi-image galleries, unit configurations, period-of-stay settings, and geographic coordinates set via the interactive map picker.

37.2 Review Queue

Upon submission, listings enter a pending review queue. Ibo Admins review listings for compliance with these Terms, including:

Accuracy and completeness of information.
Authenticity of property images.
Compliance with prohibited content rules.
Absence of duplicate or spam listings.

37.3 Approval, Rejection & Flagging

Approved: The listing is made visible to Tenants.
Rejected: The listing is not made visible. The Provider receives a notification with the rejection reason and may resubmit after addressing the issue.
Flagged: The listing is temporarily hidden pending further review. The Provider is notified.

37.4 Editing Approved Listings

Providers may edit their approved listings at any time, including updating images through the Edit Property Images screen. Certain edits (such as changes to property type, classification, or contact details) may trigger a re-review. Edits do not automatically re-open the listing to Tenants who have already unlocked it — those Tenants retain their access and receive a notification of any significant updates.

37.5 Deletion

Providers may delete their listings at any time. Deleted listings are no longer visible to Tenants. Tenants who have previously unlocked a deleted listing will receive a notification that the listing has been removed.

37.6 Lifecycle States and Relisting

Listings may transition through lifecycle states such as active, inactive, and relisted, depending on payment outcomes, provider actions, and platform moderation logic. Ibo may preserve inactive/relisted records for audit, analytics, and dispute resolution purposes.

37.7 No Guarantee of Visibility

Ibo does not guarantee any particular level of visibility, placement, or ranking for any listing. Listing order and display are determined by the Platform's algorithms and user search parameters.

38. The Unlock System & Payment Terms

38.1 The Unlock Fee

To access the contact details of a property listing, Tenants must pay a non-refundable fee of USD $10.00 (ten United States Dollars) per property. This fee may be updated by Ibo from time to time with reasonable notice (minimum 14 days).

38.2 Payment Processing

Payments are processed through PesePay, a third-party payment gateway. By initiating a payment, you agree to PesePay's terms of service and privacy policy. Ibo does not store your full payment card details or mobile money credentials.

38.3 Payment Modes

The Platform may operate in:

Live payment mode (real money processed via PesePay).
Sandbox payment mode (PesePay sandbox infrastructure for testing).
Demo mode (simulated flow for controlled testing).

The active mode is determined by backend configuration and operational controls.

38.4 Supported Payment Flows

Depending on product context, Ibo supports multiple payment categories, including:

Unlock payments — contact access.
Reservation payments — time-limited hold on a property.
Acquisition payments — completion of a reservation.
Full rent/deposit payments — direct full payment of rent and/or deposit.
Short-stay booking payments — period-based short-stay bookings.
Brokerage top-up payments — float replenishment for Brokerages.

38.5 Payment Verification and Settlement

Upon successful gateway confirmation, backend services (Cloud Functions) automatically:

Record and settle the transaction with appropriate status.
Create or update Unlock, Reservation, Acquisition, or Short-Stay records as applicable.
Emit user and provider notifications.
Apply provider/platform/brokerage split logic where applicable.
Record earnings ledger entries for the relevant provider.

38.6 Access Rules and Reservation Boundary

Unlock access rules are strict:

Unlock (or equivalent full entitlement conditions) controls release of protected provider contact details.
Reservation payment alone does not automatically grant protected contact access.

38.7 Failed, Pending, or Delayed Outcomes

If payment fails or is not confirmed, entitlement is not granted. Some flows may remain in pending/redirect states while verification and reconciliation complete. You may retry payment where permitted by the Platform.

38.8 Non-Refundability

Unlock payments are non-refundable unless required by mandatory consumer protection law in your jurisdiction. Once payment is successfully processed and an Unlock record is created, no refunds will be issued — including in cases where:

The Provider does not respond to your contact attempts.
The property is no longer available.
The listing is subsequently removed or rejected.
You change your mind about the property.

We strongly encourage Tenants to review all available information about a listing before proceeding with payment.

Consumer Protection Notice (EU/UK/Australia): If you are a consumer in the EEA, UK, or Australia, you may have statutory cooling-off or withdrawal rights under consumer protection legislation. However, by initiating an Unlock payment, you acknowledge that the digital service (access to contact details) is performed immediately upon payment confirmation, and you expressly consent to the service being provided before the end of any applicable cooling-off period. To the extent permitted by applicable law, you waive any right of withdrawal once the Unlock record is created and contact details are revealed.

38.9 Permanent Access (Unlock Scope)

Once you have unlocked a property, your access to the Provider's contact details is permanent and remains in your "Unlocked Properties" / "My Paid Properties" list unless your account is deleted or suspended.

38.10 Currency

All prices on the Platform are denominated in United States Dollars (USD) unless otherwise indicated. Ibo accepts payments in USD and such other currencies as may be supported by PesePay from time to time. Currency conversion rates, if applicable, are determined by PesePay and the relevant financial institutions, not by Ibo.

38.11 Provider Settlement and Fee Splits

Ibo applies platform/provider split calculations, brokerage float deductions, and earnings-ledger recording based on configured financial settings and payment category. These calculations are performed server-side by Cloud Functions and are not modifiable by users. See Section 41 for details.

38.12 Gateway Fees

Payment gateway fees (estimated rates for mobile money, ZimSwitch, Visa/Mastercard) may apply and are charged by PesePay. These fees are passed through to the Tenant where applicable and are not retained by Ibo.

39. Reservation, Acquisition & Short-Stay Booking

39.1 Reservation Payments

Tenants may pay a reservation fee to place a time-limited hold on a property. The reservation fee is calculated as 5% of the rental price (not including deposit). Reservation fees are non-refundable.

39.2 Reservation Split

Landlord listings: 70% Ibo / 30% Landlord of the reservation fee.
Agent/Brokerage listings: 50% Ibo / 50% Provider of the reservation fee.

39.3 Acquisition Payments

After a reservation, the Tenant may complete the transaction through an acquisition payment covering the full rent and/or deposit amount. The reservation fee is not deducted from the acquisition amount — the Tenant pays the full rent/deposit separately.

39.4 Short-Stay Bookings

For properties configured as short-stay listings, Tenants may book for a specific period (days, weeks, or months). Short-stay booking payments follow the same verification and settlement process as other payment flows.

39.5 Reservation Expiry

Reservations have a defined expiry period. If the acquisition payment is not completed before the reservation expires, the reservation lapses and the property becomes available again. Expired reservations are recorded for audit purposes.

40. Brokerage Float & Insurance System

40.1 Purpose of the Float

To participate in the Unlock system, Brokerages must maintain an insurance float — a pre-funded balance held on the Platform. This float serves as:

A security deposit demonstrating the Brokerage's financial commitment to the Platform.
A source from which commissions are automatically deducted on each Unlock.

40.2 Float Parameters

The following parameters apply to the Brokerage float system (subject to change by Ibo with reasonable notice):

Parameter	Default Value
Subscription / Initial Float Fee	USD $100.00
Default Buffer / Safety Threshold	USD $10.00
Commission Rate per Unlock	15% of the Unlock fee
Commission per standard Unlock (USD $10)	USD $1.50
Subscription split (default)	USD $90 platform share + USD $10 float seed

40.3 Automatic Commission Deductions

Each time a Tenant unlocks a Brokerage listing, the applicable commission is automatically deducted from the Brokerage's float balance by Cloud Functions. The Brokerage receives a ledger entry recording the deduction, including the balance before and after.

40.4 Float Freeze Mechanism

If a Brokerage's float balance falls below the configured safety buffer (USD $10.00 by default), the following occurs automatically:

The Brokerage's account is frozen — no further Unlocks are permitted on their listings.
All of the Brokerage's listings are updated to indicate that Unlocks are temporarily unavailable (brokerageUnlockEnabled = false).
Tenants attempting to unlock a frozen Brokerage's listing will be shown an appropriate message.
The Brokerage receives a notification.

The freeze is automatically lifted once the Brokerage tops up their float above the configured buffer.

40.5 Top-Up Process

Brokerages can top up their float balance through the Brokerage Account screen via PesePay. Top-ups are recorded as credit entries in the Brokerage ledger and credited to the float balance upon payment confirmation.

40.6 Float is Non-Transferable and Non-Withdrawable

The Brokerage float balance is not transferable between accounts and is not withdrawable by the Brokerage. It exists solely to fund commissions on the Platform.

40.7 Ledger & Audit Trail

Ibo maintains a complete, immutable ledger of all float transactions (subscriptions, top-ups, deductions, and adjustments) for each Brokerage. This ledger is accessible to the Brokerage through the app and to Ibo Admins through the admin panel. Ledger entries include type, direction, amount, currency, balance before/after, timestamps, related transaction IDs, and descriptions.

41. Provider Earnings, Payouts & Fee Structure

41.1 Earnings Recording

Provider earnings are recorded in dedicated ledger collections (agent earnings ledger, landlord earnings ledger) for each qualifying transaction. Each ledger entry includes gross amount, platform fee amount, platform fee rate, net amount, payout rate, currency, and related property/transaction details.

41.2 Platform Fee

Ibo charges a platform fee on applicable transactions. The fee rate varies by provider type and payment category:

Unlock fee (Landlord): Platform retains a configured percentage; remainder credited to landlord.
Unlock fee (Agent): Platform retains a configured percentage; remainder credited to agent.
Reservation fee: Split as described in Section 39.2.
Full rent/deposit: Landlord receives 100% of the base rent/deposit amount. Ibo's platform fee (1.5% by default) is charged on top to the Tenant.

41.3 Payout Requests

Providers can submit payout requests through the Platform. Payouts are processed through the admin panel and follow the lifecycle: requested → approved → paid (or rejected). Payout processing times depend on the payment method and jurisdiction.

41.4 Tax Responsibility

All platform fees, provider earnings, and payout amounts are stated exclusive of any applicable taxes unless otherwise indicated. Providers are solely responsible for their own tax obligations (see Section 42).

42. Currency, Taxes & Financial Compliance

42.1 Platform Currency

The Platform's base currency is United States Dollars (USD). All prices, fees, and financial amounts displayed on the Platform are in USD unless otherwise indicated.

42.2 Tax Responsibility

Each User is solely responsible for determining and fulfilling their tax obligations arising from their use of the Platform, including but not limited to:

Income tax on rental income or provider earnings.
Value Added Tax (VAT) or Goods and Services Tax (GST) where applicable.
Capital gains tax (if applicable).
Withholding tax obligations.
Any other taxes imposed by the User's jurisdiction.

Ibo does not provide tax advice and does not determine your tax obligations. Ibo may issue tax documentation (e.g., transaction summaries, earnings statements) where required by applicable law.

42.3 VAT / GST

Ibo may be required to collect and remit VAT, GST, or equivalent consumption taxes in certain jurisdictions. Where applicable, such taxes will be added to the displayed price at checkout and clearly itemised.

42.4 Financial Compliance

Ibo cooperates with financial regulatory authorities and complies with applicable financial services regulations in all jurisdictions where it operates. This includes compliance with payment services regulations, e-money regulations (where applicable), and consumer credit regulations (where applicable).

43. Prohibited Conduct

You must not use the Platform to:

Post false listings — listing a property that does not exist, that you are not authorised to list, or with materially false information.
Impersonate others — pretending to be another person, company, or authority.
Spam or flood — submitting multiple duplicate or near-duplicate listings of the same property.
Harvest contact details — using the Unlock system for the purpose of building a database of Provider contact details for commercial or spamming purposes.
Circumvent payments — attempting to access contact details without paying the Unlock fee through any technical or social means.
Conduct fraud — using stolen payment credentials, fraudulent mobile money transactions, or any other form of payment fraud.
Launder money — using the Platform to launder proceeds of crime or to facilitate terrorism financing.
Harass users — sending threatening, abusive, discriminatory, or harassing messages to any Provider or other user through any channel facilitated by the Platform.
Engage in hate speech — posting content that promotes violence, hatred, or discrimination based on race, ethnicity, gender, religion, sexual orientation, disability, or any other protected characteristic.
Manipulate the moderation system — attempting to get legitimate listings removed by filing false reports, or colluding to manipulate reviews or ratings.
Reverse engineer the Platform — decompiling, disassembling, or attempting to extract the source code of the app, APIs, or any Platform component.
Interfere with Platform operations — uploading malware, conducting denial-of-service attacks, exploiting vulnerabilities, or otherwise interfering with the Platform's functionality, security, or integrity.
Violate laws — using the Platform for any purpose that is illegal under the laws of your jurisdiction, the laws of Zimbabwe, or international law, including money laundering, tax evasion, sanctions evasion, or facilitating illegal rental arrangements.
Discriminate unlawfully — posting listings that include tenant requirements that constitute unlawful discrimination under the laws of your jurisdiction.
Create multiple accounts — creating more than one account per individual (or more than one per legal entity for Brokerages) to circumvent bans, manipulate the Platform, or gain unfair advantages.
Misuse Admin features — if you are an Admin, using your elevated access for personal gain, harassment, or any purpose outside your official Ibo duties.
Scrape or mine data — using automated tools, bots, scrapers, or spiders to extract data from the Platform.
Resell access — selling, sublicensing, or commercially exploiting your account or access to the Platform.
Upload prohibited content — uploading content that is pornographic, obscene, defamatory, or otherwise illegal or harmful.
Evade sanctions — using the Platform to conduct transactions involving sanctioned countries, entities, or individuals.

Violations of these prohibitions may result in immediate account suspension, permanent banning from the Platform, forfeiture of any outstanding balances or deposits, reporting to law enforcement in applicable jurisdictions, and civil or criminal legal action.

44. Content Moderation & Reporting

44.1 Reporting Policy-Violating Content

Users can report policy-violating content or users through the Platform's built-in reporting feature. Reports include:

The reporter's identity (for accountability).
The type of content being reported (property or user).
The reason code and details.
The target content/user identifier.

44.2 Admin Review

All content reports are reviewed by Ibo Admins. Admin actions may include:

Removing or hiding the reported content.
Issuing a warning to the offending user.
Suspending or terminating the offending user's account.
Taking no action (if the report is unfounded).

44.3 False Reports

Submitting false or malicious content reports is itself a violation of these Terms and may result in sanctions against the reporter.

44.4 EU Digital Services Act (DSA) Compliance

For users in the European Union, Ibo complies with the requirements of the Digital Services Act (Regulation (EU) 2022/2065) regarding content moderation, transparency reporting, notice-and-action procedures, and complaint handling mechanisms, to the extent applicable to Ibo's activities and user base.

45. Intellectual Property

45.1 Ibo's Intellectual Property

All content, features, and functionality on the Platform — including but not limited to the Ibo name, logo, brand identity, app design, source code, user interface elements, text, graphics, icons, animations, and compilation of listings — are owned by or licensed to Ibo (Pvt) Ltd and are protected by Zimbabwean and international intellectual property laws, including copyright, trademark, patent, and trade secret law.

You are granted a limited, non-exclusive, non-transferable, revocable licence to use the Platform solely for its intended purpose (finding or listing rental properties) in accordance with these Terms. No other rights are granted, whether by implication, estoppel, or otherwise.

45.2 Restrictions

You must not:

Copy, reproduce, distribute, publicly display, or create derivative works of any Platform content.
Use the Ibo name, logo, or brand without our express written consent.
Use any data mining, scraping, or automated extraction tools on the Platform.
Frame or mirror the Platform on any other website or application.
Remove, alter, or obscure any copyright, trademark, or other proprietary notices.

45.3 Trademarks

"Ibo" and the Ibo logo are trademarks or registered trademarks of Ibo (Pvt) Ltd. All other trademarks, service marks, and trade names mentioned on the Platform are the property of their respective owners.

45.4 Feedback

If you provide feedback, suggestions, or ideas about the Platform, you grant Ibo a perpetual, irrevocable, worldwide, royalty-free, fully sublicensable licence to use, implement, modify, and exploit that feedback in any manner without obligation, attribution, or compensation to you.

45.5 DMCA / Copyright Notices

If you believe that content on the Platform infringes your copyright, please contact us at legal@ibo.co.zw with the following information:

A description of the copyrighted work you claim has been infringed.
A description of the allegedly infringing content and its location on the Platform.
Your contact information (name, address, phone number, email).
A statement that you have a good-faith belief that the use is not authorised.
A statement, under penalty of perjury, that the information is accurate and you are authorised to act on behalf of the copyright owner.
Your physical or electronic signature.

We will investigate and respond in accordance with applicable copyright law (including the U.S. Digital Millennium Copyright Act, if applicable).

46. User-Generated Content

46.1 Your Content

"User Content" means any content you submit to the Platform, including property listing information, property images, profile photographs, company logos, reviews, comments, and content reports.

46.2 Licence to Ibo

By submitting User Content, you grant Ibo a non-exclusive, worldwide, royalty-free, sublicensable, transferable licence to use, host, store, reproduce, modify, display, and distribute your User Content solely for the purpose of operating, improving, and promoting the Platform. This licence lasts until you delete your content or your account, except for content that has been shared with other users (e.g., reviews that remain visible to other users) or that must be retained under legal obligations.

46.3 Your Representations

By submitting User Content, you represent and warrant that:

You own or have the necessary rights and permissions to submit the content.
The content does not infringe the intellectual property rights, privacy rights, publicity rights, or any other rights of any third party.
The content is accurate and not misleading.
The content does not violate any applicable law or regulation.
The content does not contain malware, viruses, or harmful code.

46.4 Content Removal

Ibo reserves the right to remove any User Content at any time and for any reason, including content that violates these Terms, is inaccurate, infringes third-party rights, or is otherwise objectionable, without prior notice.

46.5 No Obligation to Monitor

While we moderate listings and review content reports, Ibo is not obligated to pre-screen, monitor, or review all User Content before it is published (except for property listings, which undergo Admin review before approval).

47. Disclaimers & Limitation of Liability

47.1 Platform Role

Ibo is a marketplace platform only. We connect Providers and Tenants but are not a party to any rental agreement entered into between them. Ibo does not own, manage, inspect, certify, or control any property listed on the Platform. Ibo is not a real estate broker, agent, or property manager.

47.2 No Warranty on Listings

Ibo does not verify the accuracy, legality, or quality of all listing details provided by Providers. While we moderate listings for obvious violations, we make no warranty or representation that any listing is accurate, complete, legally compliant, safe, habitable, or that the property is as described.

47.3 No Warranty on Platform

The Platform is provided "AS IS" and "AS AVAILABLE" without warranties of any kind, express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, title, or uninterrupted availability. We do not warrant that the Platform will be error-free, virus-free, secure, or continuously available.

47.4 Limitation of Liability

To the maximum extent permitted by applicable law, Ibo and its officers, directors, employees, agents, affiliates, successors, and assigns shall not be liable for:

Any indirect, incidental, special, consequential, exemplary, or punitive damages.
Loss of profits, revenue, data, goodwill, business opportunities, or anticipated savings.
Any loss or damage arising from your reliance on any listing, Provider contact, or information on the Platform.
Any loss arising from a failed or disputed rental transaction between a Provider and a Tenant.
Any loss arising from unauthorised access to your account due to your failure to maintain password security.
Any loss arising from service interruptions, technical failures, maintenance, or force majeure events.
Any loss arising from the acts or omissions of third-party service providers (including PesePay, Google, or any other provider).
Any physical harm, injury, or death occurring during property viewings or arising from rental arrangements.

In any event, Ibo's total aggregate liability to you for any and all claims arising from or related to your use of the Platform shall not exceed the greater of (a) the total amount you have paid to Ibo in the 12 months immediately preceding the event giving rise to the claim, or (b) USD $100.

47.5 Consumer Protection Laws

Nothing in this Section 47 excludes or limits liability that cannot be excluded or limited under mandatory consumer protection laws in your jurisdiction, including but not limited to:

Liability for death or personal injury caused by negligence (UK, EU, Australia).
Liability for fraud or fraudulent misrepresentation.
Liability under the Consumer Rights Act 2015 (UK).
Liability under the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010).
Liability under the Consumer Protection Act (South Africa).
Any other liability that cannot be limited by contract under mandatory applicable law.

47.6 Rental Disputes

Any dispute arising from a rental arrangement between a Tenant and a Provider — including disputes about property condition, deposit refunds, eviction, rental terms, safety, or habitability — is solely between the Tenant and the Provider. Ibo is not a party to such disputes and has no obligation to mediate, arbitrate, or resolve them.

47.7 External Links

Ibo is not responsible for the content, accuracy, availability, or practices of any third-party websites or services linked from the Platform.

48. Indemnification

You agree to indemnify, defend, and hold harmless Ibo (Pvt) Ltd and its officers, directors, employees, agents, affiliates, successors, and assigns from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable legal fees and costs) arising from or related to:

Your use of or inability to use the Platform.
Your breach of these Terms, the Privacy Policy, or any applicable law or regulation.
Your User Content (including any claims that it infringes third-party rights).
Any rental transaction, viewing, or dispute between you and another user.
Your violation of any third party's rights (including intellectual property, privacy, publicity, or contractual rights).
Any misrepresentation made by you in connection with the Platform.
Your failure to comply with KYC, AML, tax, or other regulatory requirements.

Consumer Protection Notice: This indemnification clause does not apply to the extent prohibited by mandatory consumer protection laws in your jurisdiction.

49. Account Suspension & Termination

49.1 Suspension by Ibo

Ibo may suspend or restrict your account at any time, with or without prior notice, for reasons including but not limited to:

Breach of these Terms.
Fraudulent, deceptive, or illegal activity.
Submission of false or misleading information.
Harassment of other users.
Repeated submission of listings that violate our policies.
Non-compliance with KYC, AML, or other regulatory requirements.
At the direction of a court, law enforcement agency, or regulatory authority in any applicable jurisdiction.
Where required to comply with applicable sanctions regulations.

Suspended users are notified via in-app notification and/or email. Suspended accounts cannot access any Platform features until reinstated or, in the case of permanent bans, the ban is appealed successfully.

49.2 Suspended Account Screen

Users whose accounts are suspended will see a dedicated "Suspended Account" screen upon login, informing them of their status and providing instructions for appealing the suspension.

49.3 Appeal Process

You may appeal a suspension by contacting legal@ibo.co.zw with the subject line "Account Suspension Appeal." We will review your appeal and respond within 30 days. Ibo's decision on appeals is final.

49.4 Effect of Suspension

During suspension:

You cannot access any Platform features.
Your listings (if any) are hidden from Tenants.
Any pending payout requests are paused.
Your obligations under these Terms continue to apply.

50. Account Deletion & Data Erasure

50.1 Self-Service Deletion

You may request account deletion through available in-app controls (Settings > Delete Account) and/or by contacting legal@ibo.co.zw.

50.2 Pre-Deletion Safeguards

Deletion is subject to operational safeguards:

Active reservations must expire or be settled before deletion.
Pending payment states must settle before closure is finalized.
Outstanding payout requests must be processed or cancelled.

50.3 What Happens Upon Deletion

Upon deletion:

Authentication access is immediately revoked.
Profile data is transitioned to account_deleted state.
Your listings are deactivated and hidden from Tenants.
Profile photos and uploaded images are queued for deletion (processed within 30 days).
You will no longer receive notifications or communications.

50.4 What Is Retained After Deletion

The following records are retained in accordance with legal obligations and the retention periods specified in Section 11:

Transaction records (7 years for tax/audit compliance).
Unlock records (7 years).
Reservation and booking records (7 years).
Earnings ledger entries (7 years).
Float ledger entries (7 years for Brokerages).
Any records required for ongoing legal proceedings or disputes.

Retained records are anonymised or pseudonymised to the maximum extent possible while maintaining their audit integrity.

50.5 Confirmation

You will receive a confirmation notification upon successful account deletion.

51. Dispute Resolution & Governing Law

51.1 Governing Law

These Terms and your use of the Platform are governed by and construed in accordance with the laws of the Republic of Zimbabwe, without regard to its conflict of law principles, except where mandatory local law requires the application of your jurisdiction's laws.

51.2 Informal Resolution

Before initiating any formal legal proceedings, both parties agree to attempt to resolve any dispute informally by contacting Ibo at legal@ibo.co.zw with a written description of the dispute. We will attempt to resolve the dispute within 30 days.

51.3 Mediation

If informal resolution is unsuccessful within 30 days, either party may initiate mediation under the rules of a mutually agreed mediator. The mediation shall be conducted in English. Costs shall be shared equally unless otherwise agreed.

51.4 Arbitration (Non-Consumer Users)

For disputes involving non-consumer users (including Brokerages and commercial entities), if mediation is unsuccessful, the dispute shall be submitted to binding arbitration administered by the Arbitration Centre of Zimbabwe (or, for international disputes, the International Chamber of Commerce (ICC) under its Rules of Arbitration). The arbitration shall:

Be conducted in English.
Take place in Harare, Zimbabwe (or remotely by agreement).
Be decided by a single arbitrator.
Result in a final and binding award.

Class Action Waiver: To the maximum extent permitted by applicable law, you agree that any arbitration or legal proceeding shall be conducted on an individual basis only and not as a class action, consolidated action, or representative action.

51.5 Formal Dispute Resolution (Consumer Users)

If you are a consumer and informal resolution/mediation is unsuccessful, disputes shall be submitted to the jurisdiction of the competent courts as follows:

Your Location	Court Jurisdiction
Zimbabwe	Courts of competent jurisdiction in Harare, Zimbabwe
European Union / EEA	Courts of your habitual residence OR courts in Harare, Zimbabwe (your choice)
United Kingdom	Courts of England and Wales (or your home jurisdiction if in Scotland/NI) OR courts in Harare, Zimbabwe (your choice)
United States (California)	Courts of competent jurisdiction in California OR courts in Harare, Zimbabwe (your choice)
All other jurisdictions	Courts of competent jurisdiction in your habitual residence OR courts in Harare, Zimbabwe (your choice)

51.6 Consumer Rights Preservation

Nothing in these Terms limits or excludes any rights you may have under mandatory consumer protection legislation in your jurisdiction that cannot be excluded or limited by contract, including:

The Consumer Contracts Regulations (UK).
The Consumer Rights Directive (EU) 2011/83/EU.
The Australian Consumer Law.
The Consumer Protection Act (South Africa).
The Consumer Defence Code (Brazil — CDC).
Any other applicable consumer protection legislation.

51.7 EU Online Dispute Resolution

For users in the European Union, the European Commission provides an Online Dispute Resolution (ODR) platform: https://ec.europa.eu/consumers/odr. We are not obligated to participate in ODR proceedings but will consider requests on a case-by-case basis.

51.8 Limitation Period

To the maximum extent permitted by applicable law, any claim or cause of action arising from or related to your use of the Platform must be filed within one (1) year after the cause of action accrues. This limitation does not apply where prohibited by mandatory applicable law.

52. Accessibility

Ibo is committed to making the Platform accessible to all users, including persons with disabilities. We strive to comply with applicable accessibility standards, including:

Web Content Accessibility Guidelines (WCAG) 2.1 at Level AA.
Android Accessibility Guidelines (TalkBack support, content descriptions).
iOS Accessibility Guidelines (VoiceOver support).

If you encounter any accessibility barriers on the Platform, please contact us at legal@ibo.co.zw with the subject line "Accessibility" so we can work to address the issue.

53. Anti-Money Laundering (AML) Compliance

53.1 Commitment

Ibo is committed to preventing the use of the Platform for money laundering, terrorism financing, or other financial crimes. We comply with applicable AML legislation in all jurisdictions where we operate, including the Zimbabwean Money Laundering and Proceeds of Crime Act, and we cooperate with Financial Intelligence Units and law enforcement agencies worldwide.

53.2 Monitoring

We may monitor transactions and user activity for suspicious patterns. If we detect activity that may constitute money laundering or terrorism financing, we may:

Freeze or restrict your account.
Report the activity to the relevant Financial Intelligence Unit or law enforcement authority.
Decline to process transactions.

53.3 User Obligations

You represent and warrant that:

The funds you use on the Platform are lawfully obtained.
You are not using the Platform to launder money or finance terrorism.
You will cooperate with any AML investigations conducted by Ibo or any regulatory authority.

54. Sanctions & Embargoed Jurisdictions

54.1 Compliance

Ibo complies with applicable economic sanctions laws and regulations, including those imposed by the United Nations, the United States (OFAC), the European Union, and the United Kingdom. You may not use the Platform if you are:

Located in, a resident of, or a national of any country or territory subject to comprehensive sanctions (currently including, but not limited to: North Korea, Iran, Syria, Cuba, and the Crimea, Donetsk, and Luhansk regions of Ukraine).
Listed on any sanctions list (including the OFAC SDN List, EU Consolidated List, or UK Sanctions List).
Acting on behalf of any sanctioned person, entity, or government.

54.2 Consequences

Violations of sanctions compliance obligations may result in immediate account termination, forfeiture of balances, and referral to relevant authorities.

By creating an account, you consent to receive electronic communications from Ibo, including:

In-app notifications.
Push notifications (where you have granted device-level permission).
Emails regarding your account, transactions, and Platform updates.
Legal notices delivered electronically.

55.2 Electronic Signatures

You agree that your electronic acceptance of these Terms (by clicking "I Agree," "Register," or equivalent) constitutes a legally binding electronic signature under applicable electronic signature and electronic transactions laws, including the Electronic Transactions Act (Zimbabwe), the Electronic Signatures in Global and National Commerce Act (ESIGN) (U.S.), the eIDAS Regulation (EU), and the Electronic Communications and Transactions Act (South Africa).

55.3 Opting Out of Marketing

You may opt out of marketing communications at any time by:

Adjusting your notification preferences in the app.
Clicking the "unsubscribe" link in marketing emails.
Contacting us at legal@ibo.co.zw.

Opting out of marketing does not affect transactional or service-related communications.

56. Open-Source Software Attributions

The Ibo Platform incorporates open-source software components. A list of open-source libraries used, along with their licences, is available within the app (Settings > Open Source Licences) and upon request by contacting legal@ibo.co.zw.

57. Modifications to the Terms

Ibo reserves the right to modify these Terms at any time. When we make changes:

Material changes: We will update the "Last Updated" date, publish the updated Terms, and notify users via in-app notification or email at least 30 days before the changes take effect. Where required by applicable law, we will obtain your renewed consent.
Non-material changes: We will update the "Last Updated" date and publish the updated Terms.

Your continued use of the Platform after the effective date of any modification constitutes your acceptance of the modified Terms. If you do not agree with the modifications, you must stop using the Platform and may request account deletion.

Previous versions of these Terms are available upon request by contacting legal@ibo.co.zw.

58. Miscellaneous

58.1 Entire Agreement

This document (including Part A — Privacy Policy, Part B — Terms of Service, and all Appendices) constitutes the entire agreement between you and Ibo with respect to your use of the Platform and supersedes all prior agreements, representations, understandings, and negotiations, whether written or oral.

58.2 Severability

If any provision of these Terms is found to be invalid, illegal, or unenforceable by a court or arbitrator of competent jurisdiction, that provision shall be modified to the minimum extent necessary to make it enforceable, or if modification is not possible, severed from these Terms, and the remaining provisions shall continue in full force and effect.

58.3 Waiver

Failure by Ibo to enforce any right or provision of these Terms shall not constitute a waiver of that right or provision. A waiver of any breach shall not be deemed a waiver of any subsequent breach. Any waiver must be in writing and signed by Ibo.

58.4 Assignment

You may not assign or transfer your rights or obligations under these Terms without Ibo's prior written consent. Ibo may assign its rights and obligations under these Terms at any time without notice to you, including in connection with a merger, acquisition, or sale of assets.

58.5 Force Majeure

Ibo shall not be liable for any failure or delay in performance resulting from causes beyond its reasonable control, including but not limited to acts of God, natural disasters, epidemics, pandemics, government actions or orders, war, terrorism, civil unrest, power failures, internet outages, telecommunications failures, fires, floods, earthquakes, or strikes.

58.6 No Partnership or Agency

Nothing in these Terms creates a partnership, joint venture, employment relationship, franchise, or agency between you and Ibo. You and Ibo are independent parties. Neither party has the authority to bind the other.

58.7 Language

These Terms are written in the English language. In the event of any inconsistency between the English version and any translated version, the English version shall prevail.

58.8 Headings

Section headings are for convenience only and do not affect the interpretation of these Terms.

58.9 Third-Party Rights

Except as expressly stated, nothing in these Terms confers any rights on any third party under the Contracts (Rights of Third Parties) Act 1999 (UK) or equivalent legislation in any jurisdiction.

58.10 Notices

All legal notices to Ibo should be sent to legal@ibo.co.zw. All legal notices to you will be sent to the email address associated with your account.

58.11 Survival

Sections of these Terms that by their nature should survive termination or expiration shall survive, including but not limited to: Sections 42, 45, 46, 47, 48, 50.4, 51, 53, 54, and 58.

59. Contact Us (Legal)

For any questions, concerns, or notices relating to these Terms of Service, please contact:

Ibo (Pvt) Ltd — Legal
Email: legal@ibo.co.zw
Subject line: "Terms of Service Enquiry"

Data Protection Officer:
Email: dpo@ibo.co.zw
Subject line: "Privacy Enquiry"

For urgent legal matters or to report a serious violation, please mark your email as "URGENT."

Appendix A — Summary of Key User Rights & Obligations {#appendix-a}

Topic	Tenant	Provider (Landlord/Agent/Brokerage)
Browse listings	✅ Free	✅ Can view own listings
View contact details	💰 Requires $10 Unlock payment	✅ Own contact info
Create listings	Not permitted	✅ Subject to Admin approval
Edit listings	Not permitted	✅ Own listings only
Delete listings	Not permitted	✅ Own listings only
Multi-image galleries	✅ Can view	✅ Can upload and manage
Payment history	✅ Unlock, reservation, acquisition, full, short-stay	✅ Float, earnings, and settlement records (role-dependent)
Earnings & payouts	Not applicable	✅ View earnings ledger, request payouts
Reviews	✅ Can submit and view	✅ Can view reviews on their properties
Content reporting	✅ Can report	✅ Can report
User blocking	✅ Can block	✅ Can block
Data access	Own profile & transactions	Own profile, listings & transactions
Account deletion	✅ On request	✅ On request
Refund policy	Unlock fees non-refundable (except where required by mandatory consumer law)	Role/payment-type dependent; governed by platform policy and law
Notification types	Unlock/payment/reservation/acquisition/booking/status updates	Listing/payment/account/operations/earnings/float updates
Data portability	✅ On request	✅ On request
Privacy rights	✅ Full rights per jurisdiction	✅ Full rights per jurisdiction

Appendix B — Sub-Processor List {#appendix-b}

The following third-party sub-processors process Personal Data on behalf of Ibo:

Sub-Processor	Services Provided	Data Processed	Location
Google LLC (Firebase)	Authentication, Cloud Firestore (database), Firebase Storage (files/images), Firebase Cloud Functions (serverless compute), Firebase Cloud Messaging (push notifications), Firebase Hosting (web app), Firebase Crashlytics (error reporting)	All Personal Data stored on the Platform	United States (primary), with global replication
PesePay (Pvt) Ltd	Payment processing (mobile money, card, ZimSwitch)	Transaction data, payment references, payment method metadata	Zimbabwe
Google LLC (Maps Platform)	Map display, geocoding, directions	Geographic coordinates, route queries	United States (with global CDN)
OSRM (Open Source Routing Machine)	Route calculation	Origin/destination coordinates	Open-source; routing server location varies

This list is updated periodically. The current version is always available in this document and upon request by contacting dpo@ibo.co.zw. We will notify users of any material changes to our sub-processor list where required by applicable law.

Appendix C — Jurisdiction-Specific Addenda {#appendix-c}

C.1 European Economic Area (EEA) & United Kingdom Addendum

For users located in the EEA or UK:

Data Controller: Ibo (Pvt) Ltd, Harare, Zimbabwe.
EEA/UK Representative (Art. 27 GDPR): [To be appointed].
DPO Contact: dpo@ibo.co.zw.
Legal Bases: As specified in Section 6.1.
International Transfers: Protected by SCCs (see Section 12.2).
Supervisory Authority: See Section 14.8 for your local authority.
Consumer Rights: Sections 38.8 (cooling-off), 47.5, and 51.5–51.6 apply.
DSA Compliance: Section 44.4 applies.

C.2 California (United States) Addendum

For California residents:

CCPA/CPRA Disclosures: See Section 15.
"Do Not Sell or Share" Status: Ibo does not sell or share Personal Information.
Sensitive Personal Information: Used only for providing requested services.
Financial Incentive Programs: None.
Authorised Agent Requests: See Section 15.8.

C.3 South Africa Addendum

For South African users:

Responsible Party: Ibo (Pvt) Ltd.
POPIA Compliance: See Section 16.
Information Regulator: See Section 16.5.
Cross-Border Transfers: Section 72 POPIA compliance (see Section 12.2).

C.4 Brazil Addendum

For Brazilian users:

Controlador: Ibo (Pvt) Ltd.
LGPD Compliance: See Section 17.
ANPD Contact: See Section 17.2.
Response Time: 15 calendar days (see Section 17.3).
DPO (Encarregado): dpo@ibo.co.zw.

C.5 Canada Addendum

For Canadian users:

PIPEDA Compliance: See Section 18.
Consent Framework: Meaningful consent obtained per PIPEDA Principle 3.
OPC Contact: See Section 18.5.
Quebec Users: Subject to additional requirements under Quebec Law 25.

C.6 Australia Addendum

For Australian users:

Privacy Act 1988 Compliance: See Section 19.
APPs Compliance: All 13 Australian Privacy Principles are observed.
OAIC Contact: See Section 19.5.
Consumer Law: Australian Consumer Law protections apply; see Section 47.5.

C.7 Zimbabwe Addendum

For Zimbabwean users:

Governing Law: Laws of the Republic of Zimbabwe.
Data Protection: Cyber and Data Protection Act (Chapter 12:07).
National ID Requirement: Valid Zimbabwe National ID required for KYC.
Tax Compliance: Zimbabwe Revenue Authority (ZIMRA) compliance.
Regulatory Authority: POTRAZ for data protection complaints.
Dispute Resolution: Courts of competent jurisdiction in Harare.

C.8 SADC Member States Addendum

For users in SADC member states (excluding Zimbabwe and South Africa, which have dedicated addenda):

Ibo complies with applicable national data protection legislation in each SADC member state.
Where a SADC member state has enacted data protection legislation substantially equivalent to the GDPR or POPIA, the corresponding rights and obligations apply.
Users may contact dpo@ibo.co.zw for jurisdiction-specific information.

C.9 India Addendum

For Indian users:

DPDPA Compliance: Ibo complies with the Digital Personal Data Protection Act, 2023.
Data Fiduciary: Ibo (Pvt) Ltd.
Consent Manager: [To be appointed if required].
Data Protection Board of India: For complaints and grievances.

C.10 Singapore Addendum

For Singaporean users:

PDPA Compliance: Ibo complies with the Personal Data Protection Act 2012.
DPO Contact: dpo@ibo.co.zw.
PDPC Contact: See Section 20.2.
Consent and Purpose Limitation: All processing is limited to the purposes described in this document.

This document was prepared for Ibo (Pvt) Ltd and reflects the Platform's features, data practices, and legal framework as of the effective date stated above. This document is intended to comply with applicable data protection, consumer protection, and commercial laws in all jurisdictions where Ibo operates. This document does not constitute legal advice. Ibo recommends that all users, particularly Brokerages and users in regulated jurisdictions, seek independent legal counsel regarding their obligations under applicable law.

Privacy Policy & Terms of Service

Ibo — Privacy Policy & Terms of Service

TABLE OF CONTENTS

PART A — PRIVACY POLICY

PART B — TERMS OF SERVICE

APPENDICES

PART A — PRIVACY POLICY

1. Who We Are

Data Protection Officer

EEA/UK Representative

Registered Office

2. Definitions

3. Scope & Applicability

3.1 Who This Document Applies To

3.2 Territorial Scope

3.3 What This Document Does NOT Cover

4. Information We Collect

4.1 Information Collected from All Users

4.2 Additional Information Collected from Providers (Landlords & Agents)

4.3 Additional Information Collected from Brokerages

4.4 Property Listing Data

4.5 Transaction & Payment Data

4.6 Reservation and Booking Data

4.7 Unlock Records

4.8 Review Data

4.9 Notification Data

4.10 Content Reporting Data

4.11 User Blocking Data

4.12 Technical & Usage Data

4.13 Information We Do NOT Collect

5. How We Collect Information

5.1 Directly From You

5.2 Automatically

5.3 Through Payment Processing

5.4 Through Firebase Cloud Functions

5.5 Through Recovery and Verification Flows

5.6 Through Routing/Map Services

5.7 From Your Device

6. Legal Bases for Processing

6.1 Under GDPR / UK GDPR (EEA, UK, Swiss Users)

6.2 Under CCPA / CPRA (California Residents)

6.3 Under POPIA (South African Users)

6.4 Under LGPD (Brazilian Users)

6.5 Under Other Applicable Laws

7. How We Use Your Information

7.1 Account Management

7.2 Platform Operations

7.3 Payment Processing

7.4 Safety, Security & Compliance

7.5 Communications

7.6 Platform Improvement

7.7 Legal Proceedings

8. Information Sharing & Disclosure

8.1 Between Users — Controlled Disclosure via the Unlock System

8.2 With Firebase / Google (Data Processor)

8.3 With PesePay (Data Processor)

8.4 With Our Admin Team

8.5 Legal & Regulatory Compliance

8.6 Business Transfers

8.7 Professional Advisors

8.8 With Your Consent

8.9 Categories of Personal Data Disclosed (CCPA Disclosure)

9. Contact Information Gating — The Unlock System

10. Data Storage, Security & Infrastructure

10.1 Where Data Is Stored

10.2 Security Measures

10.3 PCI-DSS Compliance

10.4 Limitations

11. Data Retention

11.1 Retention Exceptions

11.2 Data Minimisation

12. International Data Transfers

12.1 Where Your Data Goes

12.2 Safeguards for International Transfers

For EEA/UK/Swiss Users:

For South African Users (POPIA):

For Brazilian Users (LGPD):

For Canadian Users (PIPEDA):

For All Users:

12.3 Your Consent to Transfer