The short version
Aloe World only collects what we need to ship plants and answer questions. We don't sell your data, ever. We use a small number of trusted services (payments, delivery, email, analytics) and we tell you exactly which ones below.
You can ask to see, correct, export or delete your information at any time by emailing info@aloewrld.com.
- No sale of your data
- <5 third-party processors
- 24h response on requests
Who we are
The data controller is Aloe World Limited, registered in Lagos, Nigeria, with offices at 2 Abubakar Road, Railway Compound, Ebute Metta. Our data protection contact is info@aloewrld.com.
We are registered with the Nigeria Data Protection Commission (NDPC). This Policy explains how we comply with the Nigeria Data Protection Act 2023 and, where relevant, the EU GDPR.
What we collect
We collect different categories of personal data depending on how you interact with us.
How we use your data
We use your data only for the purposes below, and only for as long as we need it.
- Process and deliver your orders, including handing the address to our delivery partner.
- Reply to support questions and run our 30-day growth guarantee.
- Send order updates (transactional — these are not optional while an order is live).
- Send our newsletter and promotions, but only if you've opted in. Every email has a one-click unsubscribe.
- Improve the Service — which products people view, where they drop off in checkout, what care articles are most read.
- Detect and prevent fraud, abuse and security incidents.
- Comply with our legal and tax obligations.
Our lawful bases
Contract. When you place an order, we process your data because it's necessary to fulfil our agreement with you (deliver the plant).
Consent. For non-essential analytics cookies and marketing emails, we rely on your explicit consent. You can withdraw it at any time.
Legal obligation. For tax, accounting and fraud-prevention records.
Legitimate interest. For security, fraud detection, and basic service-quality analytics — narrow uses that don't override your rights.
How long we keep it
We keep your data only for as long as we need it for the purposes set out in this Policy. The summary table in §3 shows specific retention periods. When the period expires, data is either deleted or fully anonymised.
If you close your account, we delete or anonymise your personal data within 90 days, except where we're legally required to retain it (for example, financial records for 7 years under Nigerian tax law).
How we protect it
- All traffic is encrypted in transit with TLS 1.3.
- Passwords are hashed with Argon2id — we cannot see them, even ourselves.
- Card numbers never touch our servers; Paystack handles them under PCI-DSS.
- Production access is limited to a small set of named engineers, with hardware-key 2FA.
- We run quarterly security reviews and an annual external penetration test.
No system is perfectly secure, but we treat your data as if it were our own — because the team's data is in the same database.
Your rights
Under the Nigeria Data Protection Act and equivalent laws elsewhere, you have the right to:
- Access — get a copy of the personal data we hold about you.
- Rectification — ask us to correct anything that's wrong.
- Erasure — ask us to delete your data, subject to legal retention.
- Restriction — ask us to pause processing while we investigate a concern.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interest, including profiling.
- Withdraw consent — for any consent-based processing, at any time.
To exercise any of these, email info@aloewrld.com. We respond within 24 hours and complete most requests within 30 days. You can also lodge a complaint with the Nigeria Data Protection Commission at ndpc.gov.ng.
Children
Aloe World is not directed at children under 13, and we don't knowingly collect their personal data. If you believe a child has given us information, write to info@aloewrld.com and we'll delete it.
Changes to this Policy
We'll post the updated Policy here and, if changes are material, email registered customers at least 14 days before they take effect. The "Last updated" date in the sidebar is the canonical timestamp.
Privacy requests
See, correct, export or delete your data.
Email our data protection contact and a real person on our team will pick it up within 24 hours.