Privacy Policy — MiAgentDesk

1. Who We Are

MiAgentDesk is a mobile productivity application built for real estate professionals. The application is developed and operated by MiAgentDesk ("we", "us", or "our"). Our Information Officer and registered contact for data-related matters is listed in Section 14 of this policy.

We operate under the following applicable frameworks:

South Africa: Protection of Personal Information Act, 2013 (POPIA)
European Economic Area: General Data Protection Regulation (GDPR)
Other jurisdictions: We apply equivalent protections as a baseline worldwide.

2. What Data We Collect

Data you provide directly

Account credentials: Your email address and password when you create a MiAgentDesk account. Passwords are hashed and never stored in plain text.
Contact information: Names, phone numbers, and notes you add about buyers, sellers, or other clients.
Property information: Property addresses, listing URLs, notes, seller details, and associated viewing records you create.
Calendar events: Viewing appointments, event titles, dates, start and end times, and linked contacts or properties.
Account preferences: Currency setting, country, and your own WhatsApp number used for sending reminders.

Data collected automatically

Push notification tokens: A device token generated by your operating system, used solely to deliver local reminders to your device. This token is stored on your device and not transmitted to our servers.
App usage data: We do not collect analytics, crash reports, or behavioural tracking data at this time.

Data received from third-party services

Google Calendar: If you connect your Google account, we access calendar data only to create and sync viewing appointments you initiate. We do not read, store, or process any Google Calendar data beyond this scope.
WhatsApp Business API: You connect your own WhatsApp Business number to MiAgentDesk via Meta's Embedded Signup process. We store a Meta API access token linked to your account, which is used exclusively to send messages from your own number to your clients. When you send an interactive viewing reminder with Yes/No buttons, Meta delivers a webhook notification to our backend containing the recipient's button reply (confirmed or declined). We store only that confirmation status against the relevant calendar event — we do not receive, read, or store the content of any WhatsApp conversations or message history.
Supabase: We use Supabase as our backend database and authentication provider. All app data you create (contacts, properties, events) and your account credentials are stored on Supabase-hosted servers. See Section 7 for full details.

Android permissions used

Permission	Purpose	Required
`INTERNET`	API communication (Supabase, Google Calendar, WhatsApp Business API)	Yes
`POST_NOTIFICATIONS`	Sending local push reminders for upcoming viewings	Optional
`RECEIVE_BOOT_COMPLETED`	Re-registering background reminder tasks after device restart	Optional

iOS permissions used

On iOS, Apple requires apps to declare a usage description for each permission requested. MiAgentDesk requests the following:

Permission key	Purpose	Required
`NSUserNotificationUsageDescription`	To send you local reminders ahead of scheduled viewings	Optional

Apple App Store — Privacy Nutrition Labels

Apple requires apps to declare their data practices in the App Store listing. The following reflects MiAgentDesk's declarations:

Data type	Collected	Linked to you	Used for tracking
Email address	Yes	Yes — linked to your account	No
Name (of your clients)	Yes	Yes — stored against your account	No
Phone number (of your clients)	Yes	Yes — stored against your account	No
Other user content (notes, addresses, event details)	Yes	Yes — stored against your account	No
Device identifier (notification token)	Yes	No — used locally only	No
Crash data / diagnostics	No	No	No
Location	No	No	No
Camera / microphone	No	No	No
Browsing or search history	No	No	No
Purchases / financial info	No	No	No

Data you enter into MiAgentDesk (contacts, properties, events, and account credentials) is stored on secure cloud servers operated by Supabase and is scoped exclusively to your account. It is not accessible to other users or to MiAgentDesk staff except where required by law. Data shared with Google and Meta is limited strictly to the integrations you opt into (see Sections 5 and 6).

We do not request access to your camera, microphone, location, system contacts list, or any other sensitive device resource beyond those listed above.

3. Lawful Basis for Processing

We process personal data only where we have a valid legal basis to do so. The following table summarises our basis for each type of processing:

Processing activity	Lawful basis (GDPR)	POPIA basis
Creating and authenticating your account (email, hashed password)	Contract performance — necessary to provide account-based access to the app	Contractual necessity
Storing contacts, properties, and events on our servers (Supabase)	Contract performance — necessary to provide the app's core features and sync across sessions	Contractual necessity
Sending push notification reminders	Consent — you grant notification permission on your device	Consent
Sending WhatsApp reminders to your contacts	Legitimate interests — you initiate the message to your own clients	Legitimate interest of the responsible party
Syncing events to Google Calendar	Consent — you explicitly connect your Google account	Consent
Storing your app preferences	Contract performance — necessary for consistent app behaviour	Contractual necessity

4. How We Use Your Data

We use the data we collect only for the following purposes:

To create and authenticate your account, and to maintain your session securely across devices.
To operate the core features of the app — managing contacts, properties, viewings, and calendar events — and to store that data securely on our servers so it persists and is available to you when you sign in.
To deliver push notification reminders to your device ahead of scheduled viewings.
To send WhatsApp messages (reminders and confirmations) to contacts whose numbers you have stored, on your behalf and at your direction.
To sync calendar events to your connected Google Calendar account.
To store your preferences so the app behaves consistently across sessions.

We do not use your data for advertising, profiling, marketing, or any purpose other than operating the features you actively use.

5. Google API Services — Limited Use Disclosure

MiAgentDesk's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for any purpose other than providing the in-app Google Calendar sync feature. We do not transfer Google user data to third parties, use it for advertising, allow humans to read it (unless required by law or with your explicit consent), or use it to develop, improve, or train generalised AI or ML models.

Specifically:

We request only the https://www.googleapis.com/auth/calendar.events scope.
We access only events created by MiAgentDesk — we do not read pre-existing calendar events.
Google Calendar data is never stored on our servers. All sync operations occur directly between the app on your device and Google's API.
You can disconnect your Google account at any time via the app's Settings screen, immediately revoking our access.
You can also revoke access directly at myaccount.google.com/permissions.

6. WhatsApp Business API — Meta Platform Policy

MiAgentDesk integrates with the WhatsApp Business API (provided by Meta Platforms, Inc.) to allow you to send automated reminders and confirmations to your clients directly from your own WhatsApp Business number.

Connecting your WhatsApp Business number

To use this feature, you connect your own WhatsApp Business account via Meta's Embedded Signup flow. This is a Meta-managed OAuth process that authorises MiAgentDesk to send messages on your behalf. The resulting access token is stored securely in your account on our servers (Supabase) and is used solely to send messages from your number. You can disconnect your WhatsApp Business account at any time in the app's Settings, which revokes the stored token.

Interactive viewing reminders

When you send an interactive viewing reminder, your client receives a WhatsApp message with Yes/No confirmation buttons. When the recipient taps a button, Meta sends a webhook notification to our backend containing their reply (confirmed or declined). We store this confirmation status against the relevant calendar event in your account — no message content or conversation history is received or stored.

Your responsibilities

By enabling this feature, you confirm that:

You have obtained appropriate consent from your contacts to receive WhatsApp messages from you in your capacity as their estate agent.
You will use this feature only for legitimate business communications related to property viewings and not for spam, bulk marketing, or any messages that violate Meta's WhatsApp Business Policy.

Opting out of WhatsApp messages

Your contacts may opt out of receiving WhatsApp messages at any time by:

Replying "STOP" to any message sent via the app — you should honour this request immediately by removing or not messaging that contact through the app.
Contacting you directly to request no further messages.
Blocking the sender's number on WhatsApp.

We transmit only the recipient's phone number and a pre-approved message template to Meta's API. For interactive reminders, we also receive and store button reply confirmation status (yes/no) delivered by Meta's webhook. We do not receive, store, or process any WhatsApp message content or conversation history beyond this. Meta's Privacy Policy governs how Meta processes data on their platform.

7. Data Storage & Security

Cloud storage via Supabase

All account, contact, property, and event data you create — including your WhatsApp Business API access token and any viewing confirmation status received via Meta webhooks — is stored on servers operated by Supabase, Inc., our backend database and authentication provider. Supabase hosts its infrastructure on Amazon Web Services (AWS) in the United States. Your data is scoped exclusively to your account and is not accessible to any other user.

Supabase provides the following security measures:

All data is encrypted in transit using TLS/HTTPS.
All data is encrypted at rest using AES-256.
Row-level security (RLS) ensures your data can only be read or modified by authenticated requests from your own account.
Passwords are hashed using industry-standard algorithms and are never stored in plain text.

Supabase's privacy practices and sub-processor list are documented at supabase.com/privacy.

Local device storage

Your Google OAuth tokens and a local cache of app state are stored on your device using secure local storage. These are not transmitted to MiAgentDesk's servers.

Push notification tokens are generated by your operating system and used only to deliver local reminders on your device. They are not transmitted to or stored on our servers.

General security

We use HTTPS for all API communications. However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security against all threats. If you become aware of any security concern relating to your account, contact us immediately at info@miagentdesk.com.

8. Cross-Border Data Transfers

Your data is processed and stored by sub-processors operating servers in the United States. Specifically:

Supabase, Inc. (AWS US-East): All account and app data (contacts, properties, events, credentials) is stored on Supabase-hosted infrastructure in the United States.
Google LLC: When you connect your Google account, limited calendar event data is transmitted to Google's servers in the United States.
Meta Platforms, Inc.: When you trigger a WhatsApp reminder, the recipient's phone number and an approved message template are transmitted to Meta's servers in the United States.

These transfers are made in accordance with applicable data protection law:

POPIA (South Africa): Supabase, Google, and Meta each maintain adequate data protection measures including Standard Contractual Clauses and participation in recognised international frameworks.
GDPR (EEA): Transfers are covered by Standard Contractual Clauses as provided by Supabase, Google, and Meta in their respective data processing agreements.

9. Data Sharing & Third Parties

We do not sell, rent, or trade your personal information. Data is shared only with the following sub-processors and only in these limited circumstances:

Supabase, Inc.: All account and app data is stored on Supabase servers as our primary backend and authentication provider. Supabase acts as a data processor on our behalf and is bound by their Data Processing Agreement.
Google LLC: Calendar event data is sent to Google's Calendar API only when you have connected your Google account and triggered a sync.
Meta Platforms, Inc.: You connect your own WhatsApp Business number via Meta Embedded Signup; we store the resulting API access token in Supabase to send messages from your number. Recipient phone numbers and approved message templates are sent to Meta's API when you trigger a reminder. For interactive reminders, Meta delivers button reply confirmation data (yes/no) to our backend via webhook. Meta acts as an independent data controller for data processed on their platform under their own Privacy Policy.
Legal obligations: We may disclose data if required by law, court order, or a competent governmental authority.

No other third parties receive your data.

10. Your Rights

Depending on your location, you may have the following rights:

Access: Request a copy of the personal data we hold about you.
Correction: Request correction of inaccurate or incomplete data.
Deletion: Request deletion of your personal data (see below).
Objection: Object to certain types of processing.
Portability: Request your data in a structured, machine-readable format.
Withdraw consent: Withdraw consent at any time where processing is consent-based, without affecting prior lawful processing.
Lodge a complaint: South African users may contact the Information Regulator at inforegulator.org.za. EEA users may contact their local supervisory authority.

To exercise any of these rights, email us at info@miagentdesk.com. We will respond within 30 days.

Deleting your data

Because your app data is stored on our servers, deleting the app from your device does not delete your server-side data. To fully delete your data:

Request account deletion: Email info@miagentdesk.com with the subject line "Data Deletion Request". We will permanently delete your account and all associated data (contacts, properties, events) from our servers within 30 days.
Remove the app: Uninstalling the app removes all locally cached data from your device.

To revoke Google Calendar access, visit myaccount.google.com/permissions and remove MiAgentDesk.

11. Children's Privacy

MiAgentDesk is intended for use by real estate professionals aged 18 and over. We do not knowingly collect personal information from children under 18. If you believe a child has submitted personal information through the app, contact us at info@miagentdesk.com and we will delete it promptly.

12. Data Retention

Your account and app data (contacts, properties, events, preferences, and WhatsApp Business API access token) is retained on our servers for as long as your account remains active. Viewing confirmation status received via Meta webhooks is retained as part of your event records for the same period. If you request account deletion, we will permanently remove all your data within 30 days.

A local cache of your data is also stored on your device and is retained until you uninstall the app or clear its data. Uninstalling does not affect server-side data — a deletion request is required for that (see Section 10).

Data passed to third-party APIs (Google, Meta) during active requests is subject to their respective retention policies — we do not control or retain copies of this data ourselves.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect any changes. For material changes, we will provide notice within the application. Continued use of the app after an update constitutes your acceptance of the revised policy.

14. Contact & Information Officer

For any questions, concerns, data requests, or complaints regarding this Privacy Policy or your personal data, please contact our Information Officer (as required under POPIA):

MiAgentDesk — Information Officer

South Africa

Email: info@miagentdesk.com

For data deletion requests, email with the subject line "Data Deletion Request". We will confirm within 30 days.
For WhatsApp opt-out concerns, use the subject line "WhatsApp Opt-Out".