Privacy Policy

FrontDesk is a product of Live Capital Limited (RC 7880441), a company incorporated in Nigeria with its registered office at 32C Cameron Road, Ikoyi, Lagos, Nigeria.

In this policy “FrontDesk,” “we,” and “us” refer to Live Capital Limited acting through the FrontDesk product at https://www.frontdesk.africa, the workspace application at app.frontdesk.africa, the administrative console at admin.frontdesk.africa, and the public storefronts our customers publish on the sme.pro domain and on their own custom domains. Live Capital Limited is the data controller for personal information processed in connection with FrontDesk under the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation 2019 (NDPR). Where another data-protection law applies to you, we honour the rights it grants.

FrontDesk is provided to businesses (each, a “Workspace”) to help them run the customer-facing side of their operation. Personal information flows through FrontDesk in two distinct roles:

• For the people who sign up to operate a Workspace (owners, staff, invited members), Live Capital Limited is the data controller and is directly responsible for the information described in this policy.
• For the customers, leads, and contacts of a Workspace (people who message a Workspace on WhatsApp, Instagram, or Messenger, buy from its storefront, fill in its forms, or are added to its contact book), the Workspace is the controller of that information. Live Capital Limited is a data processor acting on the Workspace’s instructions to host, transmit, and operate on that information. If you are such a customer, please contact the Workspace you interacted with for access, correction, or deletion requests; we will support the Workspace in honouring them.

This policy covers personal information collected through our websites, the workspace and admin applications, public storefronts we host for Workspaces, our APIs, support channels, and the in-product identity-verification flows. It does not cover services operated by third parties even if you reach them through us (for example, your bank, a payment provider, an identity-verification partner, or a messaging platform). Their handling of your information is governed by their own policies.

We group the information we hold into the following categories.

• Account information. Name, email address, password (stored only as a one-way hash), phone, country, account-creation timestamp, last-login timestamp.
• Workspace information. Workspace name, handle, logo, the “Pack” (industry preset) selected, billing plan, configured staff and their roles.
• Identity verification (KYC). Government ID details, selfie/liveness data, and verification outcomes returned by our identity-verification partner. FrontDesk performs identity verification through the LiveID service operated by our affiliate TripleLens; the data flows are described in section 9.
• Customer and contact information added by Workspaces. Names, phone numbers, email addresses, addresses, and notes about a Workspace’s customers, leads, suppliers, and other contacts. This information is added by the Workspace, imported from the messaging channels described below, or captured when a customer interacts with the Workspace’s storefront or forms.
• Messaging-channel information. When a Workspace connects a WhatsApp Business, Instagram, or Facebook Messenger account through Meta’s official APIs, we receive: the IDs and tokens needed to send and receive messages on behalf of that Workspace; the content and metadata of messages exchanged between the Workspace and its customers; profile information about a message sender that Meta exposes to the connected app (such as display name and profile picture); webhook events about message status. The Workspace is the controller of these messages; we process them on its instructions to deliver the inbox.
• Storefront, order, and form information. Items, prices, photos, availability, orders placed by customers (delivery address, contact details, order line items, totals), and form submissions configured by the Workspace.
• Payment information. We do not store full card numbers. When a customer pays a Workspace, the payment is processed by our payment partner (currently Paystack); we store the resulting transaction references, amounts, currencies, payer information returned by the partner, and reconciliation records.
• Files and uploads. Images, documents, and other files Workspaces and their customers upload through the product. These are stored on managed cloud object storage operated by our hosting partners.
• Communications. Email, in-product chat, support tickets, internal notifications, AI-assistant transcripts, and audit logs of administrative actions you send or receive via FrontDesk.
• Device and technical information. IP address, user-agent, device and OS identifiers, language, time zone, referrer, and pages visited.
• Cookies and similar storage. See section 8.

• Directly from you, when you sign up, complete identity verification, create or update a Workspace, send messages, configure a storefront, or contact support.
• Automatically, from your device when you use FrontDesk (logs, cookies, device identifiers).
• From the messaging platforms a Workspace connects — currently Meta (WhatsApp, Instagram, Messenger) — for inbound and outbound messages exchanged through that Workspace’s connected accounts.
• From third parties we engage to verify identity (TripleLens LiveID), process payments (Paystack), deliver email and SMS (Amazon SES, Termii), host (Google Cloud, Vercel, Cloudflare, Upstash), monitor for abuse, and provide analytics.
• From a Workspace’s customers directly, when they message, purchase, fill a form, or otherwise interact with a Workspace through FrontDesk.

• Performance of a contract. To deliver FrontDesk to Workspaces and their members, including account creation, workspace management, messaging, storefront publication, orders, and payments.
• Compliance with a legal obligation. To meet anti-money laundering, counter-terrorist-financing, sanctions, tax, and audit requirements. This is the principal basis for identity verification and for retention of transaction records.
• Legitimate interests. To keep FrontDesk secure, prevent fraud and abuse, investigate misuse, improve the product, and develop new features, where these interests are not overridden by your rights and freedoms.
• Consent. For analytics and marketing cookies, marketing emails, and any other processing where consent is the applicable basis. You can withdraw consent at any time without affecting the lawfulness of earlier processing.

• To create, secure, and operate your account and Workspace.
• To verify identity, and to keep verification current where we or a Workspace are required to.
• To deliver the omnichannel inbox: receiving messages from the channels a Workspace has connected, displaying them in the Workspace’s inbox, and sending replies back through the same channels.
• To operate Workspaces’ public storefronts, accept orders, generate invoices, and process payments through our payment partner.
• To respond to your questions and provide support.
• To detect, investigate, and prevent fraud, abuse, spam, money laundering, sanctions evasion, and other misuse, and to enforce the rules our messaging-platform partners impose on us.
• To meet legal, regulatory, accounting, and reporting obligations.
• To understand how FrontDesk is used and to improve it. Where this involves cookies or third-party analytics, we ask for your consent first.
• To send you service notifications and, with your consent, marketing updates.

We group cookies into three categories.

• Necessary. Required for core site functions, security, and fraud prevention. Always active.
• Analytics. Helps us understand which pages are useful and where people get stuck. Off until you opt in.
• Marketing. Used to share relevant updates about FrontDesk and measure the performance of those communications. Off until you opt in.

When a Workspace connects a WhatsApp Business, Instagram, or Facebook Messenger account, it authorises FrontDesk to act on its behalf through Meta’s official Business Messaging APIs. This grant is recorded in Meta’s systems and can be revoked by the Workspace at any time from Meta Business Settings.

We use the access strictly to:

• receive inbound messages and webhook events from the connected accounts;
• display those messages in the Workspace’s inbox, optionally summarise or categorise them with the Workspace’s configured AI assistants, and store them for the retention period in section 11;
• send outbound replies, template messages, and media that the Workspace originates;
• map message senders to the Workspace’s contact records so the Workspace can keep a continuous view of each conversation across channels.

We do not use messaging-channel data to train models that benefit other Workspaces, to advertise to message senders, or to sell information to third parties. AI features that process messages do so only inside the originating Workspace and only when that Workspace has enabled them.

Your use of Meta’s platforms is also subject to WhatsApp’s Business Policy, Meta’s Platform Policies, and the privacy notices of those platforms.

We do not sell your personal information. We share it only where we need to.

• Service providers and processors acting on our behalf for hosting (Google Cloud, Vercel, Cloudflare, Upstash), email and SMS delivery (Amazon SES, Termii), identity verification (TripleLens LiveID), payments (Paystack), durable workflows (Temporal Cloud), AI-assistant features (Anthropic, OpenAI), fraud prevention, and customer support. They are bound by written data-processing terms and may use the information only to provide the service to us.
• Messaging platforms a Workspace has connected (currently Meta), for the limited purpose of sending and receiving messages through those platforms.
• The Workspace you are interacting with, if you are a customer or contact of that Workspace. By design, your messages, orders, form submissions, and contact details are visible to the Workspace and its authorised members.
• Regulators, law enforcement, and other authorities, where we are required to disclose information or where disclosure is necessary to protect rights, safety, or property.
• Professional advisers (lawyers, auditors, insurers) under duties of confidence.
• A successor entity, in connection with a merger, acquisition, financing, reorganisation, or sale of substantially all our assets, subject to the successor honouring this policy.

We keep personal information for as long as we need it for the purposes set out in this policy, and then we delete or anonymise it. Specific minimum periods include:

• Account and Workspace records: while the Workspace is active, plus up to seven (7) years after closure to meet our anti-money laundering record-keeping obligations.
• Identity-verification records: at least seven (7) years from the end of the business relationship, in line with applicable Nigerian AML requirements.
• Messages received from connected messaging channels: while the Workspace is active, with the Workspace able to delete individual conversations or disconnect a channel at any time; we honour deletion requests received from the originating platform.
• Order, invoice, and payment records: at least seven (7) years from the transaction date.
• Marketing-consent records: while consent is active, plus up to two (2) years after withdrawal to evidence the withdrawal.
• Cookie-consent records: up to twelve (12) months.
• Support correspondence: typically up to three (3) years after the interaction.

We may keep information longer where required by law, regulation, court order, or where it is reasonably necessary to defend against a legal claim.

Some of our service providers operate outside Nigeria. Where personal information is transferred outside Nigeria, we rely on either the recipient country’s adequacy status under the NDPA, contractual data-protection terms with the recipient, or your explicit consent, depending on the circumstances. The protections applied in this policy travel with your information regardless of where it is processed.

We apply layered technical and organisational measures, including:

• encryption in transit (TLS) on all public endpoints;
• encryption at rest for databases, file storage, and backups managed by our cloud providers;
• password hashing with industry-standard algorithms and never storing plaintext credentials;
• role-based access control on internal systems, with the principle of least privilege;
• multi-factor authentication for staff access to production systems;
• audit logging of administrative actions, with logs reviewed periodically and on incident;
• regular dependency, library, and infrastructure updates;
• screening of staff with access to personal information, and a written confidentiality obligation in their contracts.

No system is impenetrable. You can help protect yourself by using a strong unique password, enabling any account-protection features we offer, and notifying us immediately at hello@frontdesk.africa if you suspect unauthorised access.

If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Nigeria Data Protection Commission within the timelines set by the NDPA, and we will notify affected individuals without undue delay where the risk is high. The notification will describe the nature of the breach, the categories and approximate numbers of records concerned, the likely consequences, and the measures we have taken or propose to take.

Under the NDPA, NDPR, and similar laws that may apply to you, you have the right to:

• Access the personal information we hold about you.
• Correct information that is inaccurate or incomplete.
• Delete information we hold about you, subject to retention obligations we cannot lawfully shorten.
• Restrict or object to processing in defined circumstances.
• Withdraw consent at any time for processing based on consent.
• Portability: receive a copy of the information you provided in a structured, commonly used, machine-readable format.
• Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you, without human review.

If you are a customer of a Workspace, please first contact that Workspace, since it controls the information. To exercise rights against Live Capital Limited directly, or if a Workspace does not respond, email hello@frontdesk.africa. We may need to verify your identity before acting on a request. We aim to respond within thirty (30) days, and we will explain any delay or refusal.

You can request deletion of personal information we hold about you by emailing hello@frontdesk.africa with the subject “Data deletion request.” Please include enough detail for us to identify the relevant account, Workspace, contact, or message thread.

Workspaces can also delete contacts, conversations, files, and other records directly from the product. Where we are required to retain certain records (for example, for AML, tax, or audit), we will explain this in our response and delete the rest. Once a retention period ends, the corresponding records are deleted or anonymised.

Parts of our identity verification, fraud-prevention, and sanctions-screening processes are automated. They include comparing the documents and biometric data you submit with the data held or referenced by our verification partner, and screening identifiers against published sanctions and politically-exposed-persons lists. Where an automated result is negative and that has a meaningful effect on you (for example, blocking an account), a human reviewer is available to re-examine the decision on request. Email hello@frontdesk.africa to request human review.

FrontDesk is intended for individuals who are at least 18 years old and for organisations acting through authorised representatives. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided personal information to us, please contact us and we will delete it.

FrontDesk may link to external sites or display content from external sources. We are not responsible for the privacy practices of those third parties. Review their policies before sharing personal information with them.

We may update this page from time to time. If we make a material change to how we process personal information or to cookie categories, we will give reasonable notice (for example, by email or by re-surfacing the consent banner) before the change takes effect.

We hope to resolve any concern directly. If you are not satisfied, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC). You may also be able to raise a complaint with the data-protection authority in your country of residence.

For privacy questions or to exercise any right, email hello@frontdesk.africa or write to us at:

Live Capital Limited (RC 7880441)
32C Cameron Road, Ikoyi, Lagos, Nigeria
+234 (0) 901 392 2180