Legal

Privacy Policy

The plain-English version of how we handle your data. We collect what's needed to ship plants and reply to questions — nothing more, nothing sold.

01

The short version

Aloe World only collects what we need to ship plants and answer questions. We don't sell your data, ever. We use a small number of trusted services (payments, delivery, email, analytics) and we tell you exactly which ones below.

You can ask to see, correct, export or delete your information at any time by emailing info@aloewrld.com.

  • No sale of your data
  • <5 third-party processors
  • 24h response on requests

02

Who we are

The data controller is Aloe World Limited, registered in Lagos, Nigeria, with offices at 2 Abubakar Road, Railway Compound, Ebute Metta. Our data protection contact is info@aloewrld.com.

We are registered with the Nigeria Data Protection Commission (NDPC). This Policy explains how we comply with the Nigeria Data Protection Act 2023 and, where relevant, the EU GDPR.

03

What we collect

We collect different categories of personal data depending on how you interact with us.

Category | What it includes | How long we keep it
Account | Name, email, phone, password (hashed), preferences | Lifetime of account
Order | Delivery address, items, totals, payment status (we never see your full card number) | 7 years (tax)
Support | Messages you send us, photos of plants, attached files | 3 years
Device | IP address, browser, screen size, pages visited, anonymised analytics events | 13 months
Marketing | Newsletter subscription status, click + open events on our emails | Until you unsubscribe

04

How we use your data

We use your data only for the purposes below, and only for as long as we need it.

  • Process and deliver your orders, including handing the address to our delivery partner.
  • Reply to support questions and run our 30-day growth guarantee.
  • Send order updates (transactional — these are not optional while an order is live).
  • Send our newsletter and promotions, but only if you've opted in. Every email has a one-click unsubscribe.
  • Improve the Service — which products people view, where they drop off in checkout, what care articles are most read.
  • Detect and prevent fraud, abuse and security incidents.
  • Comply with our legal and tax obligations.

05

Our lawful bases

Contract. When you place an order, we process your data because it's necessary to fulfil our agreement with you (deliver the plant).

Consent. For non-essential analytics cookies and marketing emails, we rely on your explicit consent. You can withdraw it at any time.

Legal obligation. For tax, accounting and fraud-prevention records.

Legitimate interest. For security, fraud detection, and basic service-quality analytics — narrow uses that don't override your rights.

06

Who we share with

We share data only with the small set of processors we need to actually run the shop. Each one is contractually bound to use your data only for the purpose we engaged them for.

Processor | What it handles | Role
Paystack | Card payments and bank transfers | Payment processor
GIG / Kwik | Out-of-state delivery — name, address, phone | Delivery partner
Postmark | Transactional emails (order, delivery, support) | Email infrastructure
Plausible | Privacy-friendly analytics — no cookies, no IP storage | Analytics
Cloudflare | CDN, DDoS protection, edge security | Infrastructure

We do not sell your personal data to advertisers or data brokers. See our Do Not Sell My Info page for the formal statement.

07

Cookies & similar tech

We use a deliberately small number of cookies, in three buckets:

  • Strictly necessary. Keep you logged in, hold your cart between pages, remember language. These can't be turned off; without them the site won't work.
  • Functional. Remember your preferences (e.g. light/dark mode, recently viewed plants). Optional.
  • Analytics. Plausible, which is cookieless and anonymous. We use it to count page views and understand which articles are useful. Optional.

You can change your preferences any time via the Cookie settings link in the footer.

08

How long we keep it

We keep your data only for as long as we need it for the purposes set out in this Policy. The summary table in §3 shows specific retention periods. When the period expires, data is either deleted or fully anonymised.

If you close your account, we delete or anonymise your personal data within 90 days, except where we're legally required to retain it (for example, financial records for 7 years under Nigerian tax law).

09

How we protect it

  • All traffic is encrypted in transit with TLS 1.3.
  • Passwords are hashed with Argon2id — we cannot see them, even ourselves.
  • Card numbers never touch our servers; Paystack handles them under PCI-DSS.
  • Production access is limited to a small set of named engineers, with hardware-key 2FA.
  • We run quarterly security reviews and an annual external penetration test.

No system is perfectly secure, but we treat your data as if it were our own — because the team's data is in the same database.

10

Your rights

Under the Nigeria Data Protection Act and equivalent laws elsewhere, you have the right to:

  • Access — get a copy of the personal data we hold about you.
  • Rectification — ask us to correct anything that's wrong.
  • Erasure — ask us to delete your data, subject to legal retention.
  • Restriction — ask us to pause processing while we investigate a concern.
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interest, including profiling.
  • Withdraw consent — for any consent-based processing, at any time.

To exercise any of these, email info@aloewrld.com. We respond within 24 hours and complete most requests within 30 days. You can also lodge a complaint with the Nigeria Data Protection Commission at ndpc.gov.ng.

11

Children

Aloe World is not directed at children under 13, and we don't knowingly collect their personal data. If you believe a child has given us information, write to info@aloewrld.com and we'll delete it.

12

Changes to this Policy

We'll post the updated Policy here and, if changes are material, email registered customers at least 14 days before they take effect. The "Last updated" date in the sidebar is the canonical timestamp.

Privacy requests

See, correct, export or delete your data.

Email our data protection contact and a real person on our team will pick it up within 24 hours.