Privacy & Data Protection
Toviri Privacy Policy
This Privacy Policy explains how Toviri ("we", "us", "our") collects, uses, shares and protects your personal data when you use the Toviri services, mobile applications and website (the "Services"). It describes the types of data we process, the purposes and legal bases for processing, your rights, and how to contact us.
We take privacy seriously. Please read this policy carefully. By using the Services you consent to the practices described in this Policy. If you do not agree, do not use our Services.
1. Scope
This Privacy Policy applies to:
- Toviri mobile applications (iOS / Android);
- Toviri web properties and landing pages (www.toviri.com and region-specific pages);
- Any in-app, email, phone or offline interactions with Toviri regarding our Services.
It covers personal data collected from individuals in the UK, Nigeria and other jurisdictions where we operate. Where relevant, we refer to the UK GDPR and the Data Protection Act 2018 (UK), and the Nigeria Data Protection Regulation (NDPR).
2. Personal data we collect
We collect personal data you provide to us and data collected automatically when you use our Services. Categories include:
A. Identity & account data
- Full name, username, date of birth (where provided), gender (optional)
- Email address
- Phone number (including for USSD and SMS)
- Postal address (if provided)
- Profile photo, avatar
- Account credentials (hashed passwords)
B. Contact & transactional data
- Payment and billing information (payment card tokenised by our payment processors; bank account details if needed for transfers)
- Transaction history and receipts
D. Location & travel data
- GPS / geolocation while using the app (real-time location for live sharing and I-Safe features)
- Trip itineraries, route choices, planned travel times, transport preferences
- Transport API query logs (routes/timetables used)
E. Device & usage data
- Device type, operating system, app version, unique device identifiers
- Crash logs, performance data
- Analytics (pages visited, features used, time spent)
F. Communications & content
- Messages and chat content (in-app chat between users and between users and guides)
- Customer support transcripts, feedback, survey responses
- Images and media you upload (e.g., profile picture)
G. Third-party data
- Data from integrated third parties (TransportAPI, Uber deep-link data, payment processors, mapping providers, analytics providers)
- Publicly-available information you choose to associate with your profile (social handles, public reviews)
3. How we use your data – purposes and legal bases
We process your personal data for the following purposes:
3.1 To provide and operate the Services
Purpose: Create and manage your account, build itineraries, show transport options, execute in-app features (I-Safe, wallet, iSave), and provide customer support.
Legal basis (UK/EU): Contract performance / legitimate interests.
3.2 Emergency & safety functions
Purpose: If you trigger I-Safe or an offline USSD emergency code, we transmit your live location and health profile to your emergency contacts and any partnered emergency responders or verified local guides as per your settings.
3.3 Payments, wallet and financial services
Purpose: Process payments.
Legal basis: Contract; compliance with financial regulations. Payment information is processed by third-party PCI-compliant payment processors; we store only tokens.
3.4 Personalisation & AI itinerary generation
Purpose: Use your preferences, past journeys, budget and health profile to generate personalised itineraries.
Legal basis: Legitimate interests and consent where profiling is significant. You may opt out of personalised recommendations.
3.5 Improving services and analytics
Purpose: Analytics, product improvement, testing and debugging.
Legal basis: Legitimate interests (improving our Services).
3.6 Marketing and communications
Purpose: Newsletters, promotional messages, product updates and offers.
Legal basis: Consent for marketing communications (where required) or legitimate interests for non-marketing service messages. You can unsubscribe at any time.
3.7 Compliance, legal obligations and fraud prevention
Purpose: Comply with laws, respond to lawful requests (e.g., courts, regulators), prevent fraud and abuse.
Legal basis: Legal obligation / legitimate interests.
3.8 Research & aggregated insights
Purpose: Aggregated, pseudonymised research about travel patterns, safety, and product usage. (Not personally identifiable.)
Legal basis: Legitimate interests.
4. Sharing your data
We do not sell your personal data. We share data only as necessary:
4.1 Service providers & processors
We share data with third parties that help us operate the Services:
- Payment processors (Stripe, Paystack, or similar) for payments (card tokens only)
- Cloud hosting providers (AWS, Azure, Google Cloud)
- Transport data providers (TransportAPI, local partners)
- Mapping and routing providers (Google Maps, Mapbox or alternative)
- Analytics providers (Google Analytics, Mixpanel, or alternatives)
- CRM and email providers (e.g., Sendgrid, Mailchimp)
- Push notification providers
4.2 Emergency responders and contacts
When you trigger I-Safe or USSD emergency, we share location and permitted health data with:
- Your nominated emergency contacts
- Local emergency services (where relevant and permitted)
- Verified local guides or responders if you choose that option
4.3 Business transfers
If REY360 merges, is acquired, or sells all or part of its assets, user data may be transferred; we will notify users and apply safeguards.
4.4 Legal obligations
We will disclose data to comply with legal obligations, protect rights or safety, investigate fraud, or respond to lawful requests.
5. Data retention
We retain personal data as long as necessary to provide Services and for legitimate business purposes, including legal, tax and accounting obligations.
Typical retention periods:
- Account data: until account deletion + 7 years for accounting/legal records where transactions occurred.
- Health data: stored only with consent and retained no longer than necessary for service provision and emergency support; retention length: [specify e.g., 5 years after account inactive — adapt to company policy].
- Transaction records: 7 years (financial/regulatory).
- Analytics: aggregated/pseudonymised; raw logs: 12–24 months.
- Support & correspondence: 2–7 years depending on content.
You may request deletion or restriction — see "Your rights" below.
6. Your rights
Depending on your jurisdiction (UK, Nigeria, EU, etc.), you may have the following rights:
- Access: Request a copy of personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of personal data (subject to legal/contractual limits).
- Restriction: Request restriction of processing.
- Portability: Request your personal data in a machine-readable format.
- Object: Object to processing based on legitimate interests or for direct marketing.
- Withdraw consent: Where processing is based on consent (e.g., health data, marketing), you can withdraw consent at any time.
- Complain: Lodge a complaint with your local data protection authority (e.g., Information Commissioner’s Office (ICO) in the UK; National Data Protection Commission in Nigeria).
To exercise rights, contact: info@toviri.com or use the in-app privacy settings. We will respond within statutory timelines (usually 30 days; may extend when legally permitted).
7. Security
We implement appropriate technical and organisational measures to secure personal data, including:
- Encryption (in transit via TLS/HTTPS; at rest where appropriate)
- Pseudonymisation where feasible
- Access controls and role-based permissions
- Regular security testing and vulnerability assessments
- Encrypted backups and secure key management
- Data minimisation and secure deletion on lifecycle end
If a security breach affects your data and requires notification, we will inform you and the relevant authorities where required.
8. Children
Our Services are not directed at children under 16 (or local age of consent). We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us and we will delete it.
9. In-app social features and Solo Match
- Solo Match connects solo travellers for companionship. We provide safety mechanisms (reported profiles, verification badges, a review/rating system).
- You control what profile information is visible publicly.
- Do not share sensitive personal information publicly.
- We are not liable for interactions between users; however, we provide reporting, blocking and escalation features and may suspend accounts that breach terms.
11. Wallet, payments & money transfers
- We work with PCI-compliant payment processors. Card details are not stored on our servers (only tokens).
- Wallet balances, iSave and transfers are recorded.
- We may require identity verification for regulatory compliance (KYC) for some wallet operations.
12. International transfers
Your data may be transferred to, stored and processed in countries other than where you live (e.g., cloud providers in the UK, EU, US). When we transfer data internationally, we apply legal safeguards (standard contractual clauses, adequacy decisions, or explicit consent) to ensure protection.
14. Third-party integrations and links
- Our Services may contain links to third-party websites and services. We are not responsible for third-party privacy practices. Please review their privacy policies.
- Integrated third-party services (TransportAPI, mapping providers, Uber, payment processors) will process data under their own policies. We will share only the data necessary for the integration.
15. Cookies & tracking
We use cookies and similar technologies on our website for functionality, analytics and marketing. You can manage cookie preferences via the cookie consent tool on our site. Typical cookies used:
- Strictly necessary cookies (session, auth)
- Performance/analytics cookies (usage data)
- Functional cookies (preferences)
- Advertising cookies (third-party retargeting, where consent obtained)
16. Marketing preferences
You can opt in to or out of promotional communications at any time via the links in emails or the app settings. You cannot opt out of transactional messages (booking confirmations, security alerts), as they are necessary for service delivery.
17. How to delete or close your account
You may request account deletion through in-app settings or by contacting info@toviri.com. On deletion we will:
- Erase personal data no longer required to be retained by law
- De-identify or aggregate data used for analytics
- Retain transactional and legal records for statutory retention periods (e.g., 7 years for financial records)
We may retain anonymised or aggregated data indefinitely.
18. Complaints & supervisory authorities
If you are unsatisfied with our response, you may complain to a supervisory authority:
- UK: Information Commissioner’s Office (ICO)
- Nigeria: National Information Technology Development Agency (NITDA) / National Data Protection Regulation (NDPR) body
19. Changes to this Policy
We may update this Privacy Policy from time to time. We will post a prominent notice on our website and notify account holders of material changes via email where required. The "Effective date" at the top will be updated.
20. Contact us
For privacy enquiries, data access requests or to exercise rights, contact:
REY360 Technologies Ltd (Toviri)
Email: info@toviri.com
Legal & operational notes for internal use (not part of the public policy)
- Ensure contracts with all processors include a Data Processing Agreement (DPA) and UK/EU standard contractual clauses for international transfers where necessary.
- Implement DPO & incident-response procedures, with a breach notification workflow.
- Maintain logs for access to emergency triggers for auditing.
- Keep consent records for sensitive data collection (e.g., location during emergencies).
- Ensure privacy-by-design principles across APIs and wearable integrations.