Errands® by Caldera — Privacy Policy
Version 1.0 — Effective 15 March 2026
1. Who We Are
Errands® by Caldera ("Errands", "we", "us") is a service marketplace operated by Caldera Technologies Limited, connecting customers with vetted service providers in Lagos, Nigeria. This policy explains how we collect, use, store, and protect your personal data in compliance with the Nigeria Data Protection Regulation (NDPR) and the General Data Protection Regulation (GDPR) where applicable.
Data Controller: Caldera Technologies Limited Contact: privacy@errandone.com
2. What Data We Collect
2.1 Data You Provide
- Identity data: First name, last name, email address, phone number
- Address data: Service delivery address, residential address (house number, street, area, city, LGA, state, coordinates)
- Payment data: Billing address, payment method details (processed by our payment partners — we do not store card numbers)
- Emergency contact: Name and phone number (required for premises-entry services)
- Identity documents: BVN or NIN number (required for premises-entry services, encrypted at rest)
- Security credentials: Password hash, passkey/WebAuthn credentials (public key only — biometric data never leaves your device)
2.2 Data We Collect Automatically
- Device information: IP address, browser type, user agent
- Usage data: Pages visited, actions taken, timestamps
- Location data: Service address coordinates (for provider matching and dispatch)
2.3 Data From Third Parties
- Phone identity verification: We use Termii Insights API to verify that your phone number matches your provided name. This helps protect against fraud. The verification returns a match score — we do not receive additional personal data beyond what you provide.
3. How We Use Your Data
| Purpose | Lawful Basis | Data Used |
|---|---|---|
| Create and manage your account | Contract performance | Name, phone, email |
| Match you with service providers | Contract performance | Address, service category |
| Verify your identity for safety | Legitimate interest / Legal obligation | Phone, name, BVN/NIN |
| Process payments | Contract performance | Billing address, email |
| Communicate about your service | Contract performance | Phone, email, WhatsApp |
| Improve our services | Legitimate interest | Usage data, anonymised analytics |
| Marketing communications | Consent | Email, phone (opt-in only) |
| Prevent fraud | Legitimate interest | Phone, IP, identity verification |
| Comply with legal requirements | Legal obligation | As required by law |
4. Third-Party Processors
We share your data with the following processors, strictly for the purposes described:
| Processor | Purpose | Data Shared |
|---|---|---|
| Termii | Phone OTP delivery, identity verification | Phone number, name |
| Prembly (IdentityPass) | BVN/NIN identity verification | Document number (encrypted in transit) |
| Stripe | International payment processing | Billing details, email |
| Flutterwave | Nigerian payment processing (NGN) | Billing details, email |
| Meta (WhatsApp Business API) | Provider communication | Phone number, service details |
| Neon (PostgreSQL) | Database hosting | All stored data (encrypted at rest) |
| Vercel | Application hosting | Request logs, IP addresses |
| Sentry | Error monitoring | Technical error context (no PII by default) |
5. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account profile | Until deletion requested | Account maintenance |
| Service request records | 7 years | Legal/tax compliance |
| Payment records | 7 years | Legal/tax compliance |
| Identity verification results | 3 years | Regulatory compliance |
| BVN/NIN document numbers | Deleted after verification | Data minimisation — only verification status retained |
| Consent records | 7 years | Compliance audit trail |
| Analytics data | 2 years | Service improvement |
| Marketing preferences | Until withdrawal | Consent management |
6. Your Rights
Under NDPR and GDPR (where applicable), you have the right to:
- Access: Request a copy of all personal data we hold about you
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Restrict processing: Limit how we use your data
- Data portability: Receive your data in a machine-readable format
- Withdraw consent: Withdraw previously given consent at any time
- Object: Object to processing based on legitimate interest
To exercise any of these rights, contact us at privacy@errandone.com or use the data management page in your account settings.
7. Security
We protect your data using:
- AES-256-GCM encryption for sensitive identity documents (BVN/NIN)
- TLS 1.3 for all data in transit
- Encrypted database storage (Neon PostgreSQL with encryption at rest)
- SHA-256 hashed API keys and passwords (bcrypt for passwords)
- Role-based access control for internal systems
- Automated session timeouts (3 hours for customers)
8. Biometric Data
Your biometric data (fingerprint, face recognition) is used solely for device-level authentication and never transmitted to our servers. When you register a passkey or enable biometric login:
- Your device creates a cryptographic key pair
- Only the public key is sent to our server
- The private key and biometric data remain on your device
- We cannot access, reconstruct, or view your biometric data
9. International Transfers
Your data is stored on servers in the United States (Neon PostgreSQL, Vercel) and processed by third parties in various jurisdictions. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) where required
- Processor agreements with all third parties
- Compliance with NDPR cross-border transfer requirements
10. Cookies
We use essential cookies for site functionality and optional analytics cookies with your consent. See our cookie banner for detailed preferences. You can change your cookie settings at any time.
11. Changes to This Policy
We may update this policy from time to time. When we do, we will update the version number and effective date. If changes are material, we will notify you and request renewed consent where required.
12. Contact
For questions about this privacy policy or to exercise your data rights:
Email: privacy@errandone.com Address: Caldera Technologies Limited, Lagos, Nigeria