Privacy Policy

This policy applies to everyone who interacts with Chidori:

• Customers: people who request or receive deliveries through a merchant that uses Chidori.
• Riders: staff and freelance couriers who fulfil deliveries on the Chidori platform.
• Merchants: companies that use Chidori to dispatch their own orders to their own riders.
• Site visitors: people who browse our marketing pages or read our documentation.

The specific data we hold depends on who you are:

• Customers: name, phone number, delivery and pickup addresses, order details, payment events, ratings, and any notes attached to the delivery.
• Riders: name, phone, bank account details for payouts, government-issued ID where required for verification, vehicle records, employment status, and GPS location while a delivery is in progress.
• Merchants: company name, contact email, billing and bank details, API keys, and the addresses and orders they process through us.
• Everyone: device and log data (IP address, browser, session timestamps), and event records of significant actions taken in the platform.

We do not run deliveries ourselves. The merchant runs the operation and puts the records into the platform. We use those records to make the software work for them. Specifically:

• To run the dashboard, the rider app, and the customer share-links the merchant relies on to coordinate its own deliveries.
• To route payments and payouts through our integrated payment providers when the merchant chooses to collect or settle through the Service.
• To host the audit trail of every action taken in the platform, so the merchant, the rider, and the customer can investigate what happened and when.
• To send platform notifications: account, billing, security, sign-in, and service updates.
• To verify merchants who sign up, and to detect fraud or abuse against the platform.
• To improve the platform, using only aggregated, de-identified data.

We rely on the bases the NDPA recognises:

• Contract: to deliver the service you (or the merchant you ordered from) asked for.
• Legitimate interest: to keep the platform secure, prevent fraud, and run the business.
• Consent: where you have actively given it (for example, marketing emails or optional features).
• Legal obligation: to meet tax, audit, or other statutory requirements.

We share data only where necessary to deliver the service:

• The rider assigned to a delivery (so they can fulfil it).
• The customer (so they know who is delivering).
• The merchant whose order is being delivered.
• Our payment processors, to settle payments and fees.
• Service providers we rely on (hosting, monitoring, email/SMS gateways), under contracts that bind them to confidentiality.
• Authorities, when required by law, court order, or a lawful regulatory request.

We do not sell personal data. We never have, and we do not intend to.

We keep personal data only for as long as we need it to provide the service or honour a legal obligation. Operational data (deliveries, payouts, audit logs) is held while the relevant company account is active and for as long after as tax, audit, or regulatory rules require, typically several years. When data is no longer needed we delete or anonymise it.

• Credentials are stored hashed; we never see your password in plaintext.
• API keys are scoped per company, revocable, and you can rotate them at any time from your dashboard.
• Outbound webhooks are signed so receivers can verify they came from us.
• Staff access to production data is limited to a small group, requires authentication, and is logged.
• Connections to and from the admin dashboard and the company API are encrypted in transit.

As a data subject in Nigeria, you have the right to:

• Access the personal data we hold about you.
• Have it corrected if it is wrong.
• Have it deleted, subject to the retention rules above.
• Object to particular uses of it.
• Withdraw consent you previously gave, where consent was the basis for processing.

To exercise any of these rights, email [email protected] and we will respond within a reasonable time, typically 30 days. If you are unhappy with how we have handled your request, you may also complain to the Nigeria Data Protection Commission (NDPC).

Chidori is built for business users and is not directed at people under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us data, contact us and we will delete it.

We may update this policy from time to time. If a change is material, we will give notice through the dashboard or by email before it takes effect. The “Last updated” date at the top tells you when the current version was published.

Questions about this policy or about how we handle your data go to [email protected].