Data Protection Policy

Our commitment to the Nigeria Data Protection Act 2023

Last Updated: March 30, 2026

1. Introduction

BlackBoxNG Logistics ("BlackBoxNG", "we", "us", or "our") is committed to maintaining the highest standards of data protection across all our operations. We recognise that the personal data entrusted to us by our customers, Riders, employees, and partners is a responsibility we must discharge with care, integrity, and full legal compliance.

This Data Protection Policy governs how BlackBoxNG fulfils its obligations under the Nigeria Data Protection Act 2023 (NDPA) and its implementing regulations issued by the Nigeria Data Protection Commission (NDPC). It applies to all employees, contractors, Riders, and third-party partners who handle personal data on behalf of BlackBoxNG in the course of our delivery and logistics operations.

This policy should be read alongside our Privacy Policy, which explains how we collect and use personal data in relation to our services, and our Cookie Policy, which covers our use of cookies and tracking technologies.

2. Scope

This policy applies to all personal data processed by BlackBoxNG, regardless of the format in which it is held. It covers personal data collected from customers who use our delivery services, Riders and delivery partners engaged by BlackBoxNG, employees and contractors, and business partners and service providers.

It applies to data processed digitally — including data held in our platform, databases, email systems, and third-party software — as well as data held in physical form, such as printed documents or written records.

3. Legal Framework

BlackBoxNG's data protection practices are grounded in the following legal instruments:

  • Nigeria Data Protection Act 2023 (NDPA) — the primary legislation governing the processing of personal data in Nigeria.
  • Nigeria Data Protection Regulation (NDPR) — the regulatory framework issued prior to the NDPA, provisions of which continue to inform best practice.
  • Directives and guidelines issued by the Nigeria Data Protection Commission (NDPC) — including sector-specific guidance applicable to technology and logistics businesses.
  • Other applicable Nigerian and international data protection instruments — including any cross-border data transfer frameworks relevant to our operations.

4. Key Definitions (NDPA 2023)

The following terms are used throughout this policy in accordance with their definitions under the NDPA 2023:

  • Personal Data — Any information relating to an identified or identifiable natural person. A person is identifiable if they can be identified directly or indirectly, including by reference to an identifier such as a name, identification number, location data, or online identifier.
  • Data Subject — The individual whose personal data is being collected, held, or otherwise processed.
  • Data Controller — The entity that determines the purposes for which and the means by which personal data is processed. BlackBoxNG Logistics is the Data Controller for all personal data processed in connection with our services.
  • Data Processor — A natural or legal person, or any other body, that processes personal data on behalf of and under the instructions of the Data Controller. Our third-party service providers who handle personal data on our behalf are Data Processors.
  • Processing — Any operation or set of operations performed on personal data, whether or not by automated means. This includes collection, recording, storage, adaptation, retrieval, use, disclosure, dissemination, restriction, erasure, and destruction.
  • Personal Data Breach — A security incident that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data that is transmitted, stored, or otherwise processed.

5. Data Protection Principles

All processing of personal data by BlackBoxNG is guided by the following seven principles, which are embedded in the NDPA 2023 and inform every aspect of our data practices:

  • Lawfulness, fairness, and transparency — Personal data is processed on a valid legal basis, in a manner that is fair to the data subject, and with clear transparency about what processing takes place and why.
  • Purpose limitation — Personal data is collected for specified, explicit, and legitimate purposes and is not processed in ways that are incompatible with those purposes.
  • Data minimisation — We collect only the personal data that is adequate, relevant, and necessary in relation to the purposes for which it is processed. We do not collect more data than we need.
  • Accuracy — Personal data is kept accurate and, where necessary, up to date. We take reasonable steps to ensure that inaccurate data is corrected or erased without delay.
  • Storage limitation — Personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. See Section 12 for our retention schedule.
  • Integrity and confidentiality — Personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organisational measures.
  • Accountability — BlackBoxNG, as the Data Controller, takes responsibility for and is able to demonstrate compliance with all of the above principles.

6. Lawful Bases for Processing

BlackBoxNG relies on the following lawful bases when processing personal data, each applied to the contexts described:

  • Contractual necessity — The majority of our processing is necessary to perform the delivery service contract with our customers or to take steps at their request before a contract is formed. This includes creating accounts, processing bookings, dispatching Riders, and completing deliveries.
  • Legal obligation — We process certain personal data in order to comply with Nigerian legal and regulatory requirements, including tax filings, anti-money laundering obligations, and responses to lawful requests from government authorities.
  • Legitimate interests — We process some personal data on the basis of our legitimate business interests, including fraud detection and prevention, service performance monitoring, internal reporting, and security incident investigation. Where we rely on this basis, we conduct a balancing test to confirm that our interests do not override the fundamental rights and interests of the data subjects concerned.
  • Consent — Where we send marketing communications or use certain non-essential cookies, we do so only with your prior consent. Consent is obtained in a clear and specific manner and may be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.

7. Data Subject Rights & How to Exercise Them

Under the NDPA 2023, individuals whose personal data we process have the following rights:

  • Right of Access — To request a copy of the personal data we hold about you.
  • Right to Rectification — To request correction of inaccurate or incomplete personal data.
  • Right to Erasure — To request deletion of your personal data where there is no lawful reason for us to continue holding it.
  • Right to Restriction — To request that we pause processing of your personal data in certain circumstances.
  • Right to Data Portability — To receive your personal data in a structured, commonly used, machine-readable format where processing is based on consent or contract.
  • Right to Object — To object to processing based on legitimate interests or carried out for direct marketing purposes.
  • Right to Withdraw Consent — To withdraw consent at any time where processing is consent-based.
  • Right to Account Deletion — To request full deletion of your BlackBoxNG account and associated personal data.

To exercise any of these rights, please submit your request to info@blackboxng.com. We will acknowledge and respond within 30 days. Identity verification may be required before we action sensitive requests. For account deletion requests, please use the subject line "Account Deletion Request".

8. BlackBoxNG's Responsibilities as Data Controller

As the Data Controller, BlackBoxNG is responsible for and must be able to demonstrate compliance with all applicable data protection obligations. Our specific responsibilities include:

  • Maintaining accurate and up-to-date records of all processing activities carried out under our control.
  • Conducting Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of individuals.
  • Ensuring that all staff and contractors who handle personal data receive appropriate training on their data protection obligations.
  • Appointing a Data Protection Officer (DPO) where required by the NDPA or NDPC directives, and ensuring that person has the authority and resources to fulfil the role effectively.
  • Ensuring that all contracts with third-party Data Processors include appropriate data processing clauses that bind those processors to process personal data only on our instructions and in accordance with applicable law.

9. Sub-processors & Third-Party Processors

BlackBoxNG engages a limited number of trusted third-party Data Processors to support specific operational functions, including payment processing, cloud hosting, identity verification, analytics, and customer support. These parties process personal data on our behalf and under our instructions.

Before engaging any sub-processor, we conduct due diligence to assess their data protection practices and ensure they are capable of meeting the standards required under the NDPA. All sub-processors are bound by data processing agreements that restrict their use of personal data to the purposes we specify and require them to implement equivalent security safeguards.

Sub-processors may not engage further processors without our prior written authorisation. A list of our active sub-processors is available on request by emailing info@blackboxng.com.

10. Security Measures

BlackBoxNG implements a layered set of technical and organisational security measures to protect personal data against unauthorised access, loss, alteration, or disclosure:

Technical measures:

  • Encryption of all personal data in transit and at rest using industry-standard protocols.
  • Firewalls and intrusion detection systems protecting our network infrastructure.
  • Multi-factor authentication required for all internal systems that hold personal data.
  • Regular vulnerability assessments and penetration testing to identify and remediate security weaknesses.

Organisational measures:

  • Access to personal data is granted on a strict need-to-know basis and reviewed regularly.
  • All staff and contractors with access to personal data are bound by confidentiality agreements.
  • Mandatory data protection training for all employees who handle personal data as part of their role.
  • A clear desk and clear screen policy for any work involving sensitive personal data in physical form.

11. Data Breach Management

BlackBoxNG has established a clear procedure for detecting, reporting, and responding to personal data breaches:

  • Detection and internal reporting — Any employee, contractor, or Rider who suspects or becomes aware of a personal data breach must report it to management immediately, without waiting to investigate fully.
  • Escalation — All suspected breaches are escalated to the Data Protection Officer (or designated management lead) within four (4) hours of the initial report.
  • Regulatory notification — Where a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, as required by the NDPA.
  • Individual notification — Where a breach is likely to result in a high risk to the rights and freedoms of affected data subjects, we will notify those individuals without undue delay, providing clear information about the nature of the breach and the steps we are taking.
  • Post-incident review — Following the resolution of any breach, we will conduct a thorough review of the circumstances and implement any corrective measures necessary to prevent recurrence.

12. Data Retention & Deletion

We retain personal data only for as long as is necessary for the purpose for which it was collected, or as required by applicable law. Our retention schedule is as follows:

  • Customer data: Retained for the duration of the account relationship plus three (3) years following account closure.
  • Transaction and delivery records: Retained for a minimum of six (6) years for tax compliance, accounting, and dispute resolution purposes.
  • Employee and contractor records: Retained for seven (7) years following the end of the employment or engagement relationship.
  • Security and fraud investigation data: Retained for the duration of the relevant investigation and any associated resolution or legal proceedings.

When a retention period expires, personal data is securely deleted or anonymised so that it can no longer be attributed to an identifiable individual. Account deletion requests submitted to info@blackboxng.com are actioned within five (5) business days of identity verification, except where retention is required by law.

13. Complaints & Escalation

If you have a concern or complaint about how BlackBoxNG has handled your personal data, we encourage you to contact us directly in the first instance so that we have the opportunity to address the matter:

  • Internal complaint: Email info@blackboxng.com with details of your concern. We will acknowledge receipt and respond within 30 days.

If you are not satisfied with our response, or if you believe that your rights under the NDPA have been violated, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng. The NDPC is the independent supervisory authority responsible for overseeing compliance with the NDPA in Nigeria.

14. Contact Us

For any questions about this Data Protection Policy or to exercise your data rights, please contact us:

  • Email: info@blackboxng.com
  • Phone: +2347049117938
  • Address: 15 Oluwasanmi Cl, Mafoluku Oshodi, Lagos 102214, Lagos, Nigeria
  • Support hours: Monday – Saturday, 9 AM – 5 PM (WAT)