
Data Protection Policy
This policy governs the processing of data by AAJ Express Logistics.
Please read through these terms carefully before using our services.
1. Introduction
AAJ is a leading logistics company providing comprehensive local and international transportation solutions. With a strong commitment to efficiency, security, and reliability, we specialize in seamless freight forwarding, supply chain management, and last-mile delivery. Our operations span across domestic and global markets, ensuring that businesses and individuals receive timely, secure, and cost-effective logistics services. As part of our commitment to protection and risk management, we implement robust safety protocols, compliance measures, and customer-focused policies to safeguard shipments and enhance service.
2. Policy
The Data Protection Policy (the Policy) is a formal acknowledgment that the Company is committed to the protection of the rights and privacy of individuals, in accordance with the Nigeria Data Protection Act (NDPA), 2023 (the Regulation).
3. Description
The Policy describes how the Company shall collect, handle and store personal data of individuals to meet the data protection standards.
4. Scope
This Data Protection Policy applies to all staff, management, and board members of AAJ, as well as any third parties who have access to personal data in the course of their engagement with the company. This includes, but is not limited to, contractors, suppliers, service providers, and other stakeholders working with or on behalf of AAJ. This Policy covers all personal data held by AAJ, including information related to identifiable individuals, regardless of whether such data technically falls within the scope of the Regulation. The types of personal data covered include, but are not limited to:
- Full names of individuals
- Email addresses
- Contact phone numbers
- Business and residential addresses
- Transaction details and logistics records
- Real-Time Location Data: GPS-based location information collected from riders and delivery personnel through AAJ EXPRESS mobile applications during active delivery operations, including route movement, delivery progress, and location timestamps.
- Any other information that can be used to identify an individual
AAJ is committed to ensuring the confidentiality, integrity, and lawful processing of all personal data it handles, in compliance with applicable data protection regulations.
5. Definitions
- Anonymization: The process of removing personally identifiable information from data sets to ensure that individuals cannot be identified.
- Consent of the Data Subject: A freely given, specific, informed, and unambiguous indication of the data subject’s wishes, expressed through a statement or clear affirmative action, signifying agreement to the processing of their personal data.
- Data: Any characters, symbols, or binary information on which operations are performed by a computer, stored or transmitted in electronic format, and maintained on any device or system.
- Database: A structured collection of data that allows for storage, access, retrieval, modification, and processing, including but not limited to relational databases, file systems, and cloud-based storage.
- Data Administrator: A person or organization responsible for processing data on behalf of a data controller.
- Data Controller: An individual, company, or statutory body that determines the purpose and means of processing personal data, either alone or in collaboration with others.
- Data Portability: The ability to transfer personal data securely between IT systems or service providers in a structured, commonly used, and machine-readable format.
- Data Minimization: A principle that ensures only the necessary amount of personal data is collected and processed for a specific purpose.
- Data Protection Compliance Organization (DPCO): Any entity duly licensed by NITDA for the purpose of training, auditing, consulting and rendering services and products for the purpose of compliance with this Regulation or any foreign Data Protection law or regulation having effect in Nigeria.
- Data Subject: An identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
- Data Protection Compliance Organization (DPCO): A licensed entity authorized by NITDA to provide training, auditing, consulting, and compliance services related to data protection regulations.
- Data Subject: A natural person who can be identified, directly or indirectly, through an identifier such as a name, identification number, location data, online identifier, or other distinguishing factors.
- Data Retention Period: The duration for which personal data is stored before being securely deleted or anonymized in compliance with regulatory requirements.
- Data Audit: A systematic review and assessment of the company’s data processing activities, policies, and security measures to ensure compliance with data protection laws.
- Data Protection Impact Assessment (DPIA): A risk assessment process conducted before implementing a new system or process that involves the processing of personal data, ensuring that risks are identified and mitigated.
- Encryption: A security measure that converts data into a coded format to prevent unauthorized access during transmission or storage.
- Incident Response Plan: A structured approach used by the company to identify, manage, and respond to data breaches, security threats, or unauthorized data access.
- Legitimate Interest: A legal basis for processing personal data where the company has a justifiable reason that does not override the rights and freedoms of the data subject.
- Logistics Data: Information related to the planning, execution, and tracking of goods and services, including shipment details, delivery addresses, vehicle tracking data, warehouse records, and customer contact information.
- NITDA: National Information Technology Development Agency.
- Pseudonymization: A data protection technique that replaces identifiable information with artificial identifiers (pseudonyms) while maintaining the data’s usability for processing.
- Party: Includes directors, shareholders, employees, agents, and representatives of a contracting entity.
- Personal Data: Any information relating to an identified or identifiable individual, including but not limited to names, addresses, photographs, email addresses, financial details, social media identifiers, medical records, and device-specific identifiers such as MAC addresses, IP addresses, IMEI numbers, and SIM card details.
- Processing: Any operation performed on personal data, whether manually or by automated means, including collection, recording, structuring, storage, modification, retrieval, usage, disclosure, transmission, restriction, erasure, or destruction.
- Personal Data Breach: A security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.
- Record: Public records, reports, and verifiable information available in credible media sources.
- Sensitive Personal Data: Personal data that requires enhanced protection due to its nature, including information on race, ethnicity, political views, religious beliefs, health status, genetic or biometric data, sexual orientation, trade union membership, and criminal history.
- Third-Party: Any individual or entity that is not the data subject, data controller, or data processor but has access to or receives personal data in connection with service delivery or business operations.
6. Purpose
The purpose of this policy is to:
- Safeguard AAJ from the risks associated with data breaches and unauthorized access.
- Ensure transparency in how AAJ collects, stores, and processes personal data.
- Protect the rights of employees, customers, partners, and other stakeholders.
- Ensure compliance with applicable data protection regulations and align with international best practices.
7. Nigeria Data Protection Act (NDPA)
The Nigeria Data Protection Act (NDPA), 2023, which came into effect on June 12, 2023, governs the collection, storage, and processing of personal data, regardless of whether the data is stored electronically, on paper, or in any other form. The Act establishes the Nigeria Data Protection Commission (NDPC) as the regulatory authority responsible for ensuring compliance with data protection standards in Nigeria. The NDPA applies to all individuals residing in Nigeria, as well as persons outside Nigeria who process the personal data of individuals within the country. It strengthens data subject rights, aligns with global best practices, and provides a legal framework for lawful data processing, including the use of personal data based on legitimate interest, consent, or other legal grounds.
8. Applicability
AAJ will be the data controller under the terms of the Regulation – this means it is ultimately responsible for controlling the use and processing of personal data. AAJ shall appoint a Data Protection Officer (DPO) for the purpose of ensuring adherence to this Regulation, relevant data privacy statements and data protection directives of the Company.
9. Governing Principles of Data Protection
The Regulation mandates every data controller to process any personal data in accordance with the governing principles of data protection. In order to comply with the obligations, AAJ undertakes to adhere to the following principles.
9.1. Data Processing
AAJ shall ensure full compliance with the Nigeria Data Protection Act (NDPA), 2023, and other applicable data protection regulations by adhering to the following principles when processing personal data:
- Lawful and Purpose-Specific Processing: Personal data shall be collected and processed only for specific, legitimate, and lawful purposes, with the explicit consent of the data subject.
- Accuracy and Integrity: Reasonable steps shall be taken to ensure that all personal data collected is accurate, complete, and up to date.
- Data Minimization: Personal data shall be stored only to the extent necessary for the intended purpose and shall not be excessive in relation to its use.
- Retention Period: Personal data shall be retained only for the duration necessary to fulfil its intended purpose and in compliance with legal or regulatory requirements.
- Security Measures: AAJ shall implement appropriate technical and organizational measures to protect personal data against unauthorized access, theft, cyberattacks, data breaches, manipulation, and damage caused by natural elements (e.g., fire, rain, or other environmental hazards).
- Duty of Care: AAJ shall exercise a high standard of care in handling and managing personal data to prevent misuse, loss, or unauthorized disclosure.
- Accountability and Compliance: AAJ shall be fully accountable for its actions and omissions regarding data processing and shall ensure compliance with the relevant data protection laws and regulations.
9.2. Location Data Processing for Delivery Operations
AAJ collects real-time GPS location data from riders and delivery personnel through its mobile application strictly for operational logistics purposes. Location data is collected only when a rider is logged into the application and actively engaged in delivery-related activities.
Location data may be processed for the following legitimate business purposes:
- Assigning delivery requests to nearby riders
- Providing real-time shipment tracking and estimated arrival updates to customers
- Enabling navigation, mapping, and route optimisation during deliveries
- Monitoring delivery progress for operational oversight and rider safety
- Verifying delivery completion, investigating incidents, and preventing fraud
9.3. Lawful Processing
AAJ shall process personal data only when at least one of the following lawful bases applies:
- Consent: The data subject has provided explicit consent for the processing of their personal data for one or more specific purposes.
- Contractual Necessity: Processing is necessary for the performance of a contract to which the data subject is a party or to take pre-contractual steps at the request of the data subject.
- Legal Obligation: Processing is required for compliance with a legal obligation to which AAJ is subject.
- Vital Interests: Processing is necessary to protect the vital interests of the data subject or another natural person.
- Public Interest or Official Authority: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official mandate legally vested in AAJ.
9.4. Procuring Consent
To comply with the Nigeria Data Protection Act (NDPA), 2023, and other relevant regulations, AAJ shall process personal data in strict accordance with the rights of data subjects and the following principles:
- Transparency and Purpose Specification: AAJ shall not collect personal data unless the specific purpose for its collection has been clearly communicated to the data subject.
- Freely Given Consent: The Company shall ensure that consent is obtained without fraud, coercion, or undue influence and that data subjects provide consent voluntarily.
- Assessment of Freely Given Consent: When determining whether consent is freely given, AAJ shall carefully assess whether the provision of a service or the performance of a contract is unnecessarily conditioned on consent to process personal data that is excessive or not essential to the contract’s fulfilment.
- Consent for Data Transfers: AAJ shall seek explicit consent from the data subject before transferring personal data to any third party, except where such transfer is required by law or covered under a lawful processing basis.
- Legal Capacity to Consent: Where processing is based on consent, AAJ shall verify that the data subject has the legal capacity to give consent to the processing of their personal data.
- Clear and Accessible Consent Requests: AAJ shall ensure that requests for consent are clearly distinguishable from other information, presented in an intelligible and easily accessible form, and written in clear and plain language, especially where consent is obtained in a written declaration.
- Right to Withdraw Consent: AAJ shall inform data subjects of their right to withdraw consent at any time and ensure that the withdrawal process is simple, accessible, and does not affect the lawfulness of prior processing.
9.5. Privacy Policy
AAJ is committed to protecting the privacy and personal data of its customers, employees, and partners. To ensure transparency and compliance with the Nigeria Data Protection Act (NDPA), 2023, AAJ shall display a clear, concise, and easily accessible privacy policy that is understandable to all data subjects, regardless of the medium through which their data is collected or processed.
AAJ’s Privacy Policy shall include the following:
- Consent Framework: A clear explanation of how data subjects provide consent for the collection, processing, and storage of their personal data.
- Description of Collectable Data: A detailed outline of the types of personal information collected, including but not limited to names, contact details, addresses, and payment information.
- Purpose of Data Collection: A specification of the legitimate business purposes for which personal data is collected, such as order fulfilment, customer support, logistics tracking, and regulatory compliance.
- Technical Methods of Data Collection & Storage: An overview of how personal data is collected and stored, including the use of cookies, web tokens, tracking technologies, and secure databases.
- Third-Party Access & Purpose: Disclosure of any third-party involvement in data processing, including logistics partners, regulatory bodies, and service providers, along with the purpose of such access.
- Principles Governing Data Processing: A summary of AAJ’s commitment to lawful, fair, transparent, and secure data processing practices.
- Remedies for Privacy Violations: A description of available recourse for data subjects in the event of a breach of the privacy policy, including steps for lodging complaints.
- Time Frame for Remedies: The expected timeline for addressing and resolving privacy-related complaints or violations.
- Limitation Clause: Any limitations on AAJ’s liability, provided that such limitations do not absolve AAJ of its responsibilities under data protection laws.
- Location Transparency Notice for Mobile Applications: Where AAJ EXPRESS mobile applications require access to device location services, users will be notified through in-app permission prompts explaining how location data supports delivery operations. Location access is requested solely to facilitate logistics activities such as delivery assignment, navigation, and real-time tracking. Users retain control over location permissions through their device settings; however, disabling location services may limit core delivery functionality.
9.6. Location Data Safeguard
AAJ EXPRESS implements strict safeguards to protect location data from misuse or unauthorized access. Access to rider location information is restricted to authorized operational systems and personnel strictly for logistics service delivery. Location data is retained only for the duration necessary to fulfil operational and regulatory requirements and is securely deleted or anonymized thereafter.
9.7. Data Security
AAJ recognizes the critical importance of safeguarding personal data from unauthorized access, breaches, and corruption. To ensure the highest level of data protection, AAJ shall:
- Implement robust cybersecurity measures, including but not limited to protection against hacking attempts and malicious attacks.
- Establish and maintain firewalls and secure email systems to prevent unauthorized access.
- Store personal data in secure, access-controlled environments, ensuring that only authorized personnel can access sensitive information.
- Utilize data encryption technologies to protect personal data during transmission and storage.
- Develop and enforce internal policies and protocols for handling personal, sensitive, and confidential data.
- Provide continuous data security training and capacity-building programs for all staff members.
9.8. Third-Party Data Processing Contracts
As a data controller, AAJ shall ensure that any third-party processing personal data on its behalf adheres to strict compliance standards. To achieve this, AAJ shall:
- Require all third-party data processors to enter into a formal written contract outlining their data protection obligations.
- Ensure that third parties fully comply with applicable data protection laws and regulations, including the Nigeria Data Protection Act (NDPA), 2023.
- Monitor and audit third-party compliance with AAJ’s data protection policies and applicable laws.
9.9. Data Subject Objections
AAJ acknowledges the right of data subjects to object to the processing of their personal data and shall ensure that personal data is processed only in accordance with their rights. As such, AAJ shall:
- Provide data subjects with the right to object to the processing of their personal data for direct marketing or any other purpose.
- Offer a clear, accessible, and cost-free mechanism for individuals to opt out of data processing activities.
- Ensure that any objection raised by a data subject is promptly addressed in compliance with applicable regulations.
9.10. Rights of Data Subjects
To ensure compliance with Nigeria’s Data Protection Act (NDPA), 2023, AAJ shall uphold the rights of data subjects by implementing the following measures:
a. Transparency and Accessibility
- Provide clear, concise, and accessible information regarding data processing in plain and understandable language, especially for children.
- Deliver such information in writing, electronically, or orally when requested, provided the identity of the data subject is verified.
- Notify data subjects within one (1) month if a request regarding their data cannot be fulfilled, stating the reasons and informing them of their right to lodge a complaint with the appropriate supervisory authority.
- Offer all data-related communication free of charge, except in cases where requests are excessive or repetitive, in which case a reasonable administrative fee may be charged.
- Issue a formal refusal letter for excessive requests, copying the National Information Technology Development Agency (NITDA).
b. Information to be Provided Before Collecting Data
Before collecting personal data, AAJ shall inform data subjects of the following:
- Identity and contact details of AAJ.
- Contact details of the Data Protection Officer (DPO).
- Purpose and legal basis for data processing.
- Legitimate interests pursued by AAJ or third parties.
- Recipients of personal data, including any transfers to third countries or international organizations.
- Storage duration of personal data or the criteria used to determine it.
- Rights of the data subject, including access, rectification, erasure, restriction, and objection to processing.
- Right to withdraw consent at any time without affecting prior lawful processing.
- Right to lodge complaints with the appropriate data protection authority.
- Obligation to provide personal data and possible consequences of refusal.
- Existence of automated decision-making, including profiling, and its significance.
- Intended further processing beyond the original purpose, with prior notification.
- Data protection safeguards for transfers to foreign entities.
c. Data Subject Rights
i. Right to Rectification
- Data subjects have the right to correct inaccurate data without delay.
- Incomplete data shall be completed, including through supplementary statements.
ii. Right to Erasure (‘Right to Be Forgotten’)
AAJ shall delete personal data where:
- The data is no longer necessary for its original purpose.
- The data subject withdraws consent and no other legal basis exists.
- The data subject objects to processing, and there are no overriding legitimate grounds.
- The data was unlawfully processed.
- Deletion is necessary for compliance with legal obligations.
If personal data has been publicly disclosed, AAJ shall take reasonable steps to inform third parties to erase copies or links to the data.
iii. Right to Restriction of Processing
Data subjects may request restricted processing in the following cases:
- Disputed data accuracy (restriction lasts until verification is complete).
- Unlawful processing, but the data subject prefers restriction over deletion.
- AAJ no longer requires the data, but the subject needs it for legal claims.
- Objection to processing is pending verification of AAJ’s legitimate interests.
Where processing is restricted, data may only be processed with consent, for legal claims, or for public interest reasons.
iv. Right to Data Portability
- Data subjects can request their personal data in a structured, commonly used, and machine-readable format.
- They may transmit their data to another company without interference from AAJ, if processing is based on consent, a contract, or automated processing.
- AAJ shall execute direct data transfers between companies where technically feasible.
v. Right to Object to Processing
- Data subjects can object to the processing of their personal data for direct marketing purposes.
- AAJ shall provide a clear and free mechanism to opt out of data processing.
vi. Obligation to Inform Third Parties
If a data subject requests rectification, erasure, or restriction, AAJ shall inform all relevant third parties unless it is impossible or involves disproportionate effort.
10. Roles and Responsibilities
To ensure compliance with the Nigeria Data Protection Act (NDPA), 2023, AAJ has identified key stakeholders and their respective responsibilities in implementing and maintaining data protection standards within the company.
10.1. Chief Executive Officer (CEO)
- Approves data protection statements included in corporate communications (e.g., emails, letters).
- Authorizes responses to media inquiries related to data protection matters.
- Ensures that AAJ’s marketing strategies align with data protection principles.
10.2. C-suite Executive
- Data protection objectives in alignment with AAJ’s strategic goals.
- Ensures that adequate resources are allocated for data protection measures.
- Reinforces the importance of data protection compliance across the company.
- Supports and empowers other management roles to fulfil their data security responsibilities.
10.3. Head of Information Technology (IT)
- Ensures that all IT systems, software, and data storage facilities comply with industry security standards.
- Assesses third-party IT service providers before engaging them for data processing or storage.
- Implements cybersecurity measures to safeguard personal data from unauthorized access, breaches, and cyberattacks.
- Conducts regular security audits and vulnerability assessments on AAJ’s IT infrastructure.
- Implements firewalls, intrusion detection systems, and endpoint security to prevent unauthorized data access.
- Ensures that hardware and software used for processing personal data meet acceptable security standards.
11. Consequences
The consequence of not adhering to the Policy will be handled in line with the Company’s Disciplinary Policy.
12. References
Nigeria Data Protection Regulation (NDPR), 2019
Nigeria Data Protection Act (NDPA), 2023
National Information Technology Development Agency (NITDA) Guidelines
General Data Protection Regulation (GDPR), where applicable.
13. Compliance and Review
AAJ Express Logistics will regularly review and update this policy to ensure compliance with relevant data protection laws and industry standards.