Data Protection Policy | Go Send Am Compliance Framework

1. Introduction and Scope

Go Send Am Ltd ("we", "us", or "our") is a technology company that provides a dispatch operations management platform to logistics companies operating rider fleets in Nigeria. This Data Protection Policy sets out our internal framework for protecting personal data, demonstrating compliance with the Nigeria Data Protection Act 2023 ("NDPA") and the Nigeria Data Protection Regulation ("NDPR"), and maintaining accountability as both a Data Controller and a Data Processor.

This Policy applies to:

All personal data processed by Go Send Am Ltd in connection with the operation of the Platform.
All employees, contractors, and agents of Go Send Am Ltd who handle personal data in the course of their work.
All third-party sub-processors engaged by Go Send Am Ltd to process personal data on its behalf.

This Policy is a governance document. It operates alongside and should be read together with our Privacy Policy (www.gosendam.com/privacy) and our Terms and Conditions of Service (www.gosendam.com/terms), both of which contain outward-facing disclosures to users and data subjects.

2. Our Data Protection Roles

Go Send Am Ltd operates in two distinct data protection roles depending on the category of data being processed. Understanding this distinction is fundamental to our compliance framework.

2.1 Data Controller

Go Send Am Ltd acts as Data Controller for personal data it collects and processes for its own purposes, including:

Account contact data of logistics company account holders and their administrative staff.
Business verification outcome records generated during KYB onboarding.
Payment and wallet records of logistics company accounts.
Platform usage and technical data collected for security monitoring and service improvement.

As Data Controller, Go Send Am Ltd determines the purpose and means of processing this data and bears primary compliance obligations under the NDPA.

2.2 Data Processor

Go Send Am Ltd acts as Data Processor in respect of personal data that logistics companies (acting as Data Controllers) input into the Platform, including:

Rider names, phone numbers, and profile information.
Delivery recipient names, addresses, and contact details.
Dispatch and job records, including declared cargo values and proof-of-delivery data.
Rider GPS location data captured during active deliveries.

As Data Processor, Go Send Am Ltd processes this data only on the documented instructions of the logistics company as Data Controller, and in accordance with the data processing obligations set out in our Terms and Conditions of Service and this Policy.

2.3 Logistics Company Obligations

Logistics companies using the Platform are Data Controllers for the personal data of their riders, customers, and recipients. They are independently responsible for:

Ensuring they have a lawful basis to collect and input personal data into the Platform.
Informing riders and other data subjects that their data will be processed through the Platform.
Obtaining any required consents, including consent for GPS tracking of riders.
Complying with data subject rights requests in respect of data they control.
Notifying the NDPC and affected data subjects of any breaches involving data under their control.

Go Send Am Ltd is not responsible for the data protection compliance of logistics companies in their capacity as Data Controllers. Our Terms and Conditions require logistics companies to warrant and maintain their own NDPA compliance.

3. Data Protection Principles

Go Send Am Ltd processes all personal data in accordance with the following principles, which reflect the requirements of the NDPA 2023 and the NDPR:

1

Lawfulness, Fairness and Transparency

We process personal data only where we have a documented lawful basis under the NDPA. We are transparent with data subjects about how their data is used through our published Privacy Policy and in-platform disclosures.

2

Purpose Limitation

Personal data is collected for specified, explicit, and legitimate purposes and is not processed in any manner incompatible with those purposes. We do not repurpose data without a fresh legal basis.

3

Data Minimisation

We collect only the personal data that is adequate, relevant, and necessary for the stated purpose. We do not collect data speculatively or in excess of operational need.

4

Accuracy

We take reasonable steps to ensure personal data is accurate and kept up to date. Account holders are required to notify us of material changes to their information. Inaccurate data is corrected or deleted without delay.

5

Storage Limitation

Personal data is retained only for as long as necessary for the purpose for which it was collected, or as required by law. Our retention schedule is published in our Privacy Policy and enforced through documented deletion procedures.

6

Integrity and Confidentiality

We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, destruction, or damage. This includes encryption, access controls, and regular security reviews.

7

Accountability

We maintain records of our processing activities, conduct data protection impact assessments for high-risk processing, and can demonstrate compliance with all applicable data protection obligations at any time.

4. Lawful Bases for Processing

Go Send Am Ltd processes personal data only where one of the following lawful bases under the NDPA applies. The applicable basis for each category of data is documented in our Privacy Policy and our internal Records of Processing Activities.

Contract (NDPA Art. 25(1)(b)): Processing necessary to deliver the Platform to account holders and to operate the dispatch functions they have contracted for.
Legal Obligation (NDPA Art. 25(1)(c)): Processing required for KYB compliance, financial record-keeping under FIRS requirements, and regulatory disclosures.
Legitimate Interests (NDPA Art. 25(1)(f)): Processing for platform security, fraud detection, service improvement, and fleet management functions, where those interests are not overridden by the rights of the data subject.
Consent (NDPA Art. 25(1)(a)): Processing of rider GPS location data (collected only during active deliveries) and non-essential analytics cookies, where the data subject has given informed, specific, and freely withdrawable consent.

Where consent is our lawful basis, we maintain records of consent obtained and provide a clear and accessible mechanism to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

5. Sensitive and High-Risk Data

Go Send Am Ltd does not knowingly collect or process special category personal data (as defined under the NDPA) in the ordinary course of operating the Platform. This includes but is not limited to health data, biometric data, religious or political beliefs, and ethnic origin.

The following categories of data processed on the Platform are treated with heightened protection given their sensitivity:

5.1 NIN (National Identification Number)

NINs submitted during KYB onboarding are transmitted directly to the NIMC verification system over an encrypted connection and are never written to our database. They are discarded immediately upon return of the verification result. No Go Send Am employee or system can access a submitted NIN after the verification session ends.

5.2 CAC Registration Number

CAC numbers are handled with the same protocol as NINs — transmitted to the CAC verification system, immediately discarded after the verification outcome is returned, and never stored on our servers.

5.3 Rider GPS Location Data

Real-time GPS location data is personal data and is treated accordingly. It is collected only while a rider has an active delivery job assigned through the Platform and only with the rider's prior informed consent obtained during app onboarding. It is retained for 90 days after delivery completion for dispute resolution purposes, then permanently deleted. GPS data is never used for profiling, sold, or shared with any party other than the logistics company that assigned the job.

6. Third-Party Sub-Processors

Go Send Am Ltd engages third-party sub-processors to support the operation of the Platform. All sub-processors are bound by written data processing agreements requiring them to process personal data only on our instructions and in compliance with the NDPA. We conduct due diligence on sub-processors before engagement and review their arrangements periodically.

The following table sets out our current material sub-processors:

Sub-Processor	Purpose	Contact	Policy
Prembly Limited	Identity verification and KYB compliance. Processes CAC and NIN data submitted at onboarding for government verification purposes. Also supports fraud detection.	[email protected]	prembly.com/privacy
Payment Processor(s)	Processing wallet funding transactions and payment confirmations.	Per processor's policy	Per processor's policy
Cloud Infrastructure Provider(s)	Hosting, database storage, and platform infrastructure.	Per provider's policy	Per provider's policy

We will update this table as sub-processor arrangements change. Where we onboard a new sub-processor or make a material change to an existing arrangement, we will update this Policy accordingly.

7. Data Subject Rights

Go Send Am Ltd respects and upholds the rights of data subjects under the NDPA. The following rights apply to all individuals whose personal data we process as Data Controller. Where we act as Data Processor, we will direct requests to the relevant logistics company as Data Controller where appropriate, and will assist that company in fulfilling the request as required by the NDPA.

Right of Access: Request a copy of the personal data we hold about you and information on how we use it.
Right to Rectification: Request correction of any inaccurate or incomplete personal data.
Right to Erasure: Request deletion of your personal data where we no longer have a lawful basis to retain it, subject to our legal retention obligations.
Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
Right to Data Portability: Request your data in a structured, commonly used, and machine-readable format.
Right to Object: Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
Right to Lodge a Complaint: Lodge a complaint with the Nigeria Data Protection Commission (NDPC) at www.ndpc.gov.ng at any time.

To exercise any of these rights, contact our Data Protection Officer at [email protected]. We will acknowledge all verified requests within five (5) business days and respond fully within thirty (30) days. Complex requests may be extended by a further thirty (30) days with notice to the data subject.

8. Data Security Measures

Go Send Am Ltd implements technical and organisational measures appropriate to the risk presented by each category of personal data we process. Our security measures include:

8.1 Technical Measures

SSL/TLS encryption for all data transmitted to and from the Platform.
Encryption at rest for all sensitive data stored on our servers.
NIN and CAC numbers transmitted to government verification systems over encrypted connections and never written to our database.
Role-based access controls ensuring platform data is accessible only to personnel with a documented operational need.
Secure, redundant cloud infrastructure with regular backup and disaster recovery procedures.
Network security including firewalls, intrusion detection systems, and regular monitoring of system access and activity logs.

8.2 Organisational Measures

All personnel with access to personal data are required to complete data protection awareness training before handling data.
Access to personal data is granted on a need-to-know basis and reviewed periodically.
Sub-processors are subject to written data processing agreements and periodic security assessments before engagement and at renewal.
Data protection by design and by default is applied to the development and update of all Platform features.
Internal data handling procedures are reviewed at least annually and updated following any significant change to the Platform or applicable law.

9. Data Protection Impact Assessments

Go Send Am Ltd conducts Data Protection Impact Assessments ("DPIAs") for processing activities that are likely to result in a high risk to the rights and freedoms of data subjects. DPIAs are mandatory before we introduce any new high-risk processing activity and are reviewed when the nature or scale of processing changes materially.

Processing activities that require a DPIA include:

Introduction of any new form of real-time location tracking of riders or personnel.
Any automated decision-making or profiling that produces legal or similarly significant effects on individuals.
Large-scale processing of sensitive categories of personal data.
Systematic monitoring of riders, users, or recipients in a way not already disclosed in our Privacy Policy.
Onboarding of a new sub-processor that processes personal data at scale.

DPIA records are maintained by the Data Protection Officer and are available for review by the NDPC upon request.

10. Data Breach Notification and Response

Go Send Am Ltd maintains documented incident response procedures to detect, assess, contain, and report personal data breaches in accordance with the NDPA.

10.1 Detection and Containment

All personnel are trained to recognise and immediately report suspected data breaches to the Data Protection Officer. Upon receiving a breach report, the DPO will:

Convene an internal response team within two (2) hours of becoming aware.
Assess the nature, scope, and likely impact of the breach.
Take immediate steps to contain the breach and prevent further unauthorised access or loss.
Preserve evidence and document all actions taken.

10.2 Regulatory Notification

Where a personal data breach is likely to result in a risk to the rights and freedoms of data subjects, we will notify the Nigeria Data Protection Commission (NDPC) within seventy-two (72) hours of becoming aware of the breach, in accordance with the NDPA. Our notification will include:

A description of the nature of the breach, including categories and approximate number of data subjects and records affected.
The name and contact details of the Data Protection Officer.
A description of the likely consequences of the breach.
The measures taken or proposed to address the breach and mitigate its effects.

10.3 Data Subject Notification

Where the breach is likely to result in a high risk to the rights and freedoms of affected data subjects, we will notify those individuals without undue delay in clear and plain language.

Where Go Send Am Ltd is acting as Data Processor for a logistics company, we will notify that company as Data Controller within seventy-two (72) hours of becoming aware of any breach affecting their data. The logistics company, as Data Controller, is responsible for notifying the NDPC and affected data subjects in respect of data under their control.

10.4 Post-Breach Review

Following resolution of any breach, we will conduct a root cause analysis, update our security measures as required, and document all findings and remedial actions taken. The DPO will report the outcome to senior management and update internal procedures accordingly.

11. Cross-Border Data Transfers

Go Send Am Ltd may transfer or permit the transfer of personal data to countries outside Nigeria where our cloud infrastructure or sub-processors operate internationally. All cross-border transfers are conducted in compliance with the NDPA's transfer requirements. Before any transfer, we ensure that one of the following conditions is met:

The receiving country has been assessed to provide an adequate level of data protection.
Appropriate contractual safeguards are in place, such as standard data protection clauses approved by the NDPC.
The transfer is necessary for the performance of a contract with or for the benefit of the data subject.
The data subject has given explicit informed consent to the transfer after being informed of the risks.

We maintain records of all cross-border transfer arrangements and review them periodically to ensure continued adequacy of the safeguards in place.

12. Data Retention and Deletion

Personal data is retained only for as long as necessary for the purpose for which it was collected, or for such longer period as is required by applicable law. Our full retention schedule is set out in our Privacy Policy. Key principles governing retention are:

Retention periods are assigned to each category of data at the point of collection and are enforced through documented deletion procedures.
NIN and CAC numbers submitted during KYB are never retained — they are discarded immediately after verification is confirmed.
Rider GPS data is deleted ninety (90) days after delivery completion.
Dispatch and transaction records are retained for seven (7) years in compliance with FIRS financial record-keeping requirements.
When a logistics company account is closed, personal data processed on their behalf is retained only for the period required by law, after which it is securely deleted or irreversibly anonymised.

Deletion is carried out using secure methods that render the data irrecoverable. Where anonymisation is used in place of deletion, we verify that the anonymisation is irreversible before treating the data as outside the scope of the NDPA.

13. Staff Training and Awareness

Go Send Am Ltd recognises that data protection compliance depends on the conduct of its personnel. All staff and contractors with access to personal data are required to:

Complete data protection induction training before being granted access to personal data.
Complete refresher training at least annually, or following any material change to applicable law or internal procedures.
Read and comply with this Data Protection Policy, the Privacy Policy, and all related internal data handling procedures.
Report any suspected data breach, security incident, or data protection concern to the Data Protection Officer immediately upon becoming aware.

Training records are maintained by the Data Protection Officer. Non-compliance with data protection obligations by any member of staff may result in disciplinary action.

14. Governance and Accountability

14.1 Data Protection Officer

Go Send Am Ltd has designated a Data Protection Officer (DPO) responsible for overseeing the implementation of this Policy and our broader data protection compliance framework. The DPO's responsibilities include:

Advising the organisation on data protection obligations under the NDPA and NDPR.
Monitoring compliance with this Policy and applicable law.
Maintaining the Records of Processing Activities.
Overseeing and coordinating the response to data subject rights requests and data breaches.
Serving as the primary point of contact with the NDPC.
Conducting or commissioning DPIAs for high-risk processing activities.

The DPO is contactable at [email protected].

14.2 Records of Processing Activities

Go Send Am Ltd maintains a Register of Processing Activities (RoPA) documenting all personal data processing activities carried out as both Data Controller and Data Processor. The RoPA includes, for each processing activity: the purpose of processing, the categories of data and data subjects involved, the legal basis, retention periods, and details of any sub-processors or cross-border transfers. The RoPA is reviewed at least annually and is available to the NDPC on request.

14.3 Data Protection by Design and Default

Data protection considerations are integrated into the design of all new Platform features, system changes, and business processes from the outset. By default, we apply the most privacy-protective settings and collect the minimum data necessary for any given function. We do not make privacy-invasive settings the default and require explicit user action to enable any optional data collection.

14.4 Policy Review

This Data Protection Policy is reviewed at least annually by the Data Protection Officer and updated as necessary to reflect changes in our processing activities, applicable law, or regulatory guidance. Material changes are communicated to staff before they take effect. The version number and effective date at the top of this document are updated with each revision.

15. Changes to This Policy

We may update this Data Protection Policy from time to time. When we do, we will update the version number and "Last Updated" date at the top of this document. Material changes will be communicated to staff via internal notice before they take effect, and the updated Policy will be published on our website. Users and data subjects are encouraged to check our website periodically for the current version.

16. Contact and Complaints

For any questions about this Data Protection Policy, to exercise your data subject rights, or to report a data protection concern, contact us at:

Data Protection Officer

[email protected]

Address

100, Olokonla Road, Off Lekki-Epe Expressway, Lekki, Lagos

Website

www.gosendam.com

You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at any time, regardless of whether you have first raised the matter with us. The NDPC can be reached at www.ndpc.gov.ng.