Legal

Privacy Policy

Last updated: May 31, 2026

This Privacy Notice for Gotoaddress ("we", "us", or "our") describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you visit our website, use our web dashboard or mobile applications, or access our REST API. Gotoaddress operates a logistics marketplace that connects businesses and individuals that need deliveries ("Shippers") with courier businesses and individual riders ("Providers" or "Partners").

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at privacy@gotoaddress.xyz.

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us. We collect personal information that you voluntarily provide to us when you register for the Services, express an interest in obtaining information about us or our Services, or otherwise when you contact us. The personal information we collect may include:

  • Account information: your name, email address, phone number, and password (stored in hashed form). Business accounts additionally provide a business name, business address, and any supporting verification documents.
  • Delivery data: every delivery request you create or fulfil includes pickup and drop-off addresses, recipient contact details, package descriptions, and delivery status history.
  • Partner / KYC data: Providers may be required to submit government-issued identification, proof of address, vehicle registration documents, and other information required to verify your identity and eligibility to operate on the platform.
  • Face and biometric data: As part of the KYC process, Providers are required to capture and submit a selfie photograph. This image is used solely to confirm that you are the same person pictured on your submitted government-issued identification document. We may also collect a profile photograph, which is displayed to other platform participants during active deliveries. We do not extract facial recognition templates, biometric vectors, or face embeddings from these photographs. See the Biometric and Face Data section below for full details.
  • Wallet and transaction data: we record wallet top-ups, deductions, payouts, and full transaction history. We do not store raw card numbers — payment processing is handled by our PCI-compliant payment partner.
  • Communications: if you contact us for support or dispute resolution, we may collect the content of your messages and related records.

All personal information that you provide to us must be true, complete, and accurate. You must notify us of any changes to your personal information.

Sensitive information. We do not process sensitive information except where required for identity verification or as required by law. Where we do process sensitive data (such as government-issued ID numbers or face photographs), we do so only with your explicit consent and with appropriate safeguards in place. See the Biometric and Face Data section below for details specific to face photographs.

Information automatically collected.Some information — such as your IP address and/or browser and device characteristics — is collected automatically when you visit our Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your device's IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

Location data.Provider accounts share real-time location while online so the platform can match nearby jobs. Location data is used solely for dispatch purposes and is not retained beyond the active session. Shippers can see a Provider's live location during active deliveries only.

1A. BIOMETRIC AND FACE DATA

Because face data is sensitive personal information, we describe our practices in full in this dedicated section.

What face data we collect. We collect two categories of face-related data:

  • KYC selfie photograph — Providers (couriers and riders) are required to capture and submit a selfie photograph during the onboarding process. This photograph is used solely to verify that the account holder is the same person pictured on their submitted government-issued identification document.
  • Profile photograph— Any user may optionally upload a profile photograph. This image is displayed to other platform participants (e.g. Shippers can see a Provider's profile photo during active deliveries). Profile photos are not used for any form of identity or biometric matching.

How we use face data. KYC selfie photographs are used exclusively for identity verification — confirming that the person registering matches the identity document provided. We do not perform facial recognition, create biometric templates or face embeddings, or use face photographs for any advertising, profiling, or machine-learning purpose. Profile photographs are used solely for in-platform display to facilitate trust between Shippers and Providers.

No third-party sharing of face data. Face photographs are processed and stored exclusively on our own servers. We do not transfer, sell, or share face data — in any form — with any third-party vendor, advertiser, service provider, or partner. Identity verification is performed entirely in-house by authorised Gotoaddress personnel; no external KYC or biometric service receives your face photographs. No third party stores your face data. All face photographs are stored in encrypted form using industry-standard encryption at rest, with access restricted solely to authorised staff who require it to perform identity verification or resolve disputes.

Retention. KYC selfie photographs are retained for the lifetime of the Provider account and for up to 12 months following account closure, after which they are permanently and securely deleted. This retention period allows us to meet fraud-prevention, audit, and legal-compliance obligations. Profile photographs are deleted promptly upon account closure or upon your request.

Your rights. You may request access to, correction of, or deletion of your face data at any time by emailing privacy@gotoaddress.xyz. Deletion requests for KYC selfies will be honoured subject to any active legal or fraud investigation obligations. Deletion of your KYC selfie may affect your eligibility to operate as a Provider on the platform.

2. HOW DO WE PROCESS YOUR INFORMATION?

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

  • To create and manage your account and business workspace.
  • To process delivery requests — matching Shippers with available nearby Providers and facilitating job dispatch.
  • To process payments and manage wallets — calculating and collecting delivery fees and distributing Partner earnings.
  • To send notifications — including delivery status updates, account alerts, transaction confirmations, and operational communications.
  • To provide customer support and investigate disputes between Shippers and Providers.
  • To comply with legal obligations — including financial record-keeping, tax reporting, and responses to lawful government requests.
  • To detect fraud and enforce our Terms of Service — monitoring for suspicious activity, account abuse, and policy violations.
  • To improve our Services — analysing usage patterns, performance metrics, and user feedback to enhance platform reliability and add new features.
  • To send marketing communications — where you have opted in to receive them. You can opt out at any time.

3. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

Between platform participants.When a delivery is dispatched, the assigned Provider receives the Shipper's pickup address and relevant contact details necessary to complete the job. Shippers can see the Provider's name, partner profile, and live location during active deliveries only.

Service providers.We may share your information with third-party vendors, service providers, contractors, or agents ("third parties") who perform services for us or on our behalf and require access to such information to do that work. This includes:

  • Cloud infrastructure and hosting providers
  • Payment processors and financial institutions
  • Push notification and SMS messaging services
  • Analytics and performance monitoring services

We have contracts in place with our third-party service providers to ensure they help us protect your information and are bound by data-processing agreements. They are only allowed to use your data as directed by us.

Legal requirements. We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process, such as in response to a court order or subpoena. We may also disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person, or illegal activities.

Business transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. We will notify affected users before data is transferred and becomes subject to a different privacy policy.

We do not sell your personal information to third parties for advertising purposes.

4. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information. We use essential cookies and local storage to keep you signed in and remember your session preferences. We do not use third-party advertising or tracking cookies.

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, some portions of our Services may not function correctly. Most browsers allow you to control cookies through their settings preferences.

5. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

Our Services may offer you the ability to register and log in using your third-party social media account details (like your Google or Facebook logins). Where you choose to do this, we will receive certain profile information about you from your social media provider. The profile information we receive may vary depending on the social media provider concerned, but will often include your name, email address, and profile picture.

We will use the information we receive only for the purposes that are described in this Privacy Notice or that are otherwise made clear to you on the relevant Services. Please note that we do not control, and are not responsible for, other uses of your personal information by your third-party social media provider.

6. HOW LONG DO WE KEEP YOUR INFORMATION?

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).

We retain account data for as long as your account is active. Delivery records and transaction history are kept for a minimum of seven (7) years to meet financial, tax, and legal obligations. Real-time location data captured during active delivery sessions is not retained beyond the completion of that session. KYC selfie photographs and other face data are retained for the lifetime of the account and for up to 12 months after account closure, then permanently deleted. Profile photographs are deleted upon account closure or earlier upon request. See Section 1A for full details on face data retention.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

7. HOW DO WE KEEP YOUR INFORMATION SAFE?

We have implemented appropriate and reasonable technical and organisational security measures designed to protect the security of any personal information we process. These include TLS encryption for all data in transit, encrypted storage for sensitive fields, role-based access controls, multi-factor authentication for administrative access, and regular security reviews and penetration testing.

However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure. We cannot promise or guarantee that hackers, cybercriminals, or other unauthorised third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information.

Transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

8. DO WE COLLECT INFORMATION FROM MINORS?

We do not knowingly solicit data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18 years old. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under 18, please contact us at privacy@gotoaddress.xyz.

9. WHAT ARE YOUR PRIVACY RIGHTS?

Depending on your location, you may have the following rights regarding your personal information:

  • Right to access — request a copy of the personal data we hold about you.
  • Right to rectification — request that we correct inaccurate or incomplete data.
  • Right to erasure — request deletion of your account and associated personal data, subject to our legal retention obligations.
  • Right to restrict processing — request that we limit how we use your data in certain circumstances.
  • Right to data portability — request a copy of your data in a structured, machine-readable format.
  • Right to object — object to processing of your personal data for direct marketing or where we rely on legitimate interests.
  • Right to withdraw consent — where we rely on your consent to process your information, you have the right to withdraw consent at any time.

To exercise any of these rights, please submit a request by emailing privacy@gotoaddress.xyz. We will consider and act upon any request in accordance with applicable data protection laws and will respond within 30 days.

Account information. If you would at any time like to review or change the information in your account, you can log in to your account settings and update your user account. Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, and comply with our legal obligations.

10. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognising and implementing DNT signals has been finalised. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Notice.

11. DO WE MAKE UPDATES TO THIS NOTICE?

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this Privacy Notice. If we make material changes to this Privacy Notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice frequently to be informed of how we are protecting your information.

Continued use of the platform after the effective date of any changes constitutes your acceptance of the revised Privacy Notice.

12. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, you may contact our Data Privacy team by email or by post:

Gotoaddress — Data Privacy Team

Nigeria

Email: privacy@gotoaddress.xyz

13. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. To request to review, update, or delete your personal information, please email privacy@gotoaddress.xyz. We will process your request in accordance with applicable data protection laws.