AERO CONTRACTORS COMPANY OF NIGERIA LIMITED PRIVACY POLICY

INTRODUCTION

We are Aero Contractors Company of Nigeria Limited (“Aero,” “we,” “our,” “us”). We process your personal data if you use our services or visit our website. We are committed to protecting your personal data in accordance with the Nigeria Data Protection Act 2023 (NDPA), the NDPA General Application and Implementation Directive, 2025 and applicable regulations.

WHAT IS THE PURPOSE OF THIS POLICY?

We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you interact with our services, including flight bookings, customer support, and use of our website.

IDENTITY OF THE DATA CONTROLLER

Aero Contractors Company of Nigeria Limited is the Data Controller responsible for your personal data. Our contact details:

Address: Private Terminal, Murtala Muhammed Airport, PMB 21090, Ikeja, Lagos, Nigeria.

Email: aero@acn.aero / dataprotection@acn.aero

Phone: (+234) 807 200 5691

If you have any questions or complaints about how we collect, use, share or store your personal data, please contact our Data Protection Officer at dataprotection@acn.aero or write to us at Aero Contractors Company of Nigeria Limited, Private Terminal, Murtala Muhammed Airport, PMB 21090, Ikeja, Lagos, Nigeria.

CATEGORIES OF PERSONAL DATA WE PROCESS

To provide our services, we process your personal data. This personal data includes information you provide directly to us and information we collect automatically.

Information You Provide to Aero

We receive and store any personal data you provide to us when you use our services. The information you provide to us are:

• Contact and Identification Data - your full name, salutation, your address, phone number, email address, government-issued identification (e.g. national ID, passport details), date of birth, gender, details of your next of kin.

• Travel and Booking Data – Flight reservations, flight itinerary (routes, dates, times).

• Payment Data –Details of your payment for using our service. Data that you give us to execute the payment. Usually, this means the payment card details. For example, debit card number, cardholder name and expiration date (processed securely via payment processors).

• Communications Data – messages (emails, SMS, WhatsApp, phone calls) that you send to us in the course of using our service.

• Marketing Data - your preferences for receiving our marketing communications and details about your engagement with the marketing communications.

Information We Collect Automatically

We and our service providers may automatically collect and store certain types of information about you, your computer or mobile device, and your interaction with our website such as:

• Log Data - Our servers may collect “log data.” Log data provides aggregate information about the number of visits to different pages on our website.

• Technical Data- This includes online identifiers such as internet protocol (IP) address, browser type and version, login data, location and time zone, operating system, browser plug-in types and versions, device ID and other technologies on the device used to access our platform.

• Usage Data - This involves data detailing your interaction with the website.

Cookies

Some of the data we collect automatically is facilitated by cookies and similar technologies. For more information on how we use cookies, see our Cookies Policy.

Sensitive Data

We do not generally collect sensitive personal data (such as biometric data, health data, or data revealing racial or ethnic origin). However, in limited circumstances, we may process sensitive personal data where necessary to provide our services or ensure passenger safety—for example, information relating to physical disabilities, special assistance requirements, or pregnancy status where relevant to fitness to travel. In such cases, such data will be processed with appropriate safeguards and, where required, your explicit consent.

Children Data

Our services are not directed at individuals under the age of 18. However, we may process personal data relating to minors where necessary for flight bookings.

In such cases, we will obtain consent from a parent or legal guardian of such minor.

HOW WE COLLECT YOUR PERSONAL DATA

We collect personal data from the following sources:

• Directly from you, when you make flight reservations, complete forms, subscribe to newsletters, contact us, or interact with our services;

• Through your use of our website, including via cookies, IP logs, and analytics tools;

• From third parties, including travel agents, business partners, service providers, and vendors who assist us in delivering our services;

• From regulatory or governmental authorities, where required for aviation, security, or compliance purposes;

• Through surveys, promotions, or marketing activities in which you choose to participate.

HOW WE USE YOUR PERSONAL DATA

We use your personal data for the following purposes:

• Customer Identification and Authentication: To verify your identity during booking, check-in, and access to our services.

• Flight Reservations and Service Delivery: To process bookings, issue tickets, manage itineraries, and provide related travel services.

• Payments and Billing: To process payments, maintain financial records, and fulfil billing obligations.

• Customer Support and Communications: To respond to enquiries, manage requests, and provide updates relating to your travel, including delays or cancellations.

• Compliance with Aviation and Legal Obligations: To comply with applicable laws and regulations, including aviation safety, security, immigration, and regulatory requirements.

• Fraud Prevention and Security: To detect, prevent, and investigate fraud, unauthorised transactions, and security threats.

• Service Improvement and Analytics: To analyse usage trends, improve our services, and enhance website and operational performance.

• Customer Preferences and Personalisation: To understand customer preferences and provide a more tailored travel experience, where appropriate.

• Marketing and Promotional Communications: To send updates, offers, and promotional materials, where you have consented or where permitted by law.

LEGAL BASIS FOR THE PROCESSING OF YOUR DATA

We collect your personal data in order to facilitate and manage our relationship with you. Specifically, we collect your personal data for at least one of the following legal bases:

1. Performance of a Contract

We process your personal data where it is necessary to perform a contract with you or to take steps at your request prior to entering into a contract.

This includes processing your Identification Data, Contact Data, Travel and Booking Data, Payment Data, and Communications Data for the purposes of:

• Creating and managing flight reservations and bookings;

• Issuing tickets and facilitating check-in and boarding;

• Processing payments and managing billing;

• Providing customer support and responding to enquiries;

• Delivering ancillary services (e.g. baggage, special assistance);

• Managing your travel experience with Aero.

2. Compliance with Legal Obligations

We process your personal data where necessary to comply with applicable laws and regulatory requirements.

This includes processing Identification Data, Travel Data, and Communications Data for the purposes of:

• Compliance with aviation regulations, including the Nigeria Civil Aviation Regulations;

• Meeting immigration, border control, and security requirements (including submission of passenger data to relevant authorities, where required);

• Notifying you of important service updates and changes;

• Responding to lawful requests from regulators, law enforcement, and government authorities;

• Compliance with tax, accounting, and reporting obligations.

3. Legitimate Interests

We process your personal data where it is necessary for our legitimate interests, provided such interests do not override your fundamental rights and freedoms.

This includes processing Identification Data, Contact Data, Booking Data, Payment Data, Technical Data, and Communications Data for the purposes of:

• Preventing fraud, ensuring aviation safety and website security, and detecting unauthorised activities;

• Verifying passenger identity and ensuring safe travel operations;

• Improving our services, website functionality, and operational efficiency;

• Analysing usage trends and customer preferences to enhance service delivery;

• Managing disruptions (e.g. delays, cancellations, lost baggage);

• Notifying you of important service updates and changes.

4. Consent

We rely on your consent for specific processing activities where required by law.

This includes processing your personal data for the purposes of:

• Sending marketing and promotional communications;

• Using cookies or similar tracking technologies (other than strictly necessary cookies);

• Processing data provided for personalisation or enhanced services.

You may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

5. Processing of Sensitive Personal Data

In limited circumstances, we may process sensitive personal data (including health-related information such as physical disability, special assistance needs, or pregnancy status for fit to fly) where necessary to provide our services or ensure passenger safety.

Such processing will be carried out:

• With your explicit consent; or

• Where necessary for reasons of substantial public interest, including aviation safety and security obligations; or

• Where necessary to protect your vital interests or those of another person.

Appropriate safeguards will be implemented to protect such data.

WHO WE SHARE YOUR PERSONAL DATA WITH

We prioritize the security and confidentiality of your data and will never sell your personal data. We only disclose it to the necessary third parties listed below to operate, secure, and improve our services. We may share your data with the following third parties:

1. Aviation Service Providers

We share your personal data with parties involved in delivering your travel, including airports and ground handling agents (for check-in, boarding, baggage handling, and special assistance). This is necessary to facilitate your journey and deliver the services you have requested.

2. Government and Regulatory Authorities

We may disclose your personal data to government authorities where required by law, including:

• Immigration and border control authorities;

• Aviation regulators, including the Nigeria Civil Aviation Authority;

• Security and law enforcement agencies;

• Other competent authorities where legally required.

For example, we may be required to share passenger information (including passport and travel data) to comply with immigration, security, and aviation regulations and to ensure the safety and security of our users and the public.

3. Service Providers

We engage trusted third-party service providers to support our operations, including:

• IT infrastructure and hosting providers;

• Payment processors and financial institutions;

• Security and fraud prevention service providers, and similar vendors.

These providers process personal data on our behalf and are bound by contractual and confidentiality obligations.

4. Travel Partners and Ancillary Service Providers

Where you request additional services, we may share your data with third parties such as:

• Insurance providers;

• Car rental and transport providers;

• Hotel or accommodation providers;

• Airport lounge and other travel service providers.

Such third parties act as independent data controllers and will process your data in accordance with their own privacy policies.

5. Travel Agents and Intermediaries

Where your booking is made through a travel agent or intermediary, we may share relevant booking and travel information with them to facilitate your travel and manage your reservation.

6. Legal and Compliance Disclosures

We may disclose your personal data where necessary to:

• Comply with applicable laws and regulatory requirements;

• Enforce our legal rights and terms of service;

• Prevent, detect, or investigate fraud, security incidents, or unlawful activity;

• Protect the rights, safety, or property of Aero, our passengers, or third parties.

7. Marketing and Ad Partners: We may share your personal data with advertising partners to provide you with personalised, relevant advertisements only where you have provided your consent.

INTERNATIONAL TRANSFERS

We primarily process personal data within Nigeria. However, due to the nature of air transport services, your personal data may be transferred outside Nigeria.

Where personal data is transferred outside Nigeria, Aero ensures that such transfers are carried out in accordance with the Nigeria Data Protection Act 2023 and that appropriate safeguards are implemented, including:

• Transfers to countries recognised by the Nigeria Data Protection Commission (NDPC) as providing an adequate level of data protection;

• Use of Standard Contractual Clauses (SCCs) or other legally recognised Cross-Border Transfer Instruments;

• Transfers necessary for the performance of a contract with you;

• Transfers required for compliance with legal obligations, including aviation, immigration, and security laws.

Where your personal data is transferred to a country that may not provide the same level of data protection as Nigeria, we will take reasonable steps to ensure that appropriate safeguards are in place to protect your personal data in accordance with the Nigeria Data Protection Act.

DATA RETENTION

Aero will only retain your personal data for as long as reasonably necessary to fulfil the purposes the data was collected, including the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.

To determine the appropriate retention period for personal data, Aero will consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which the data is to be processed and whether the purposes can be achieved through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

When we no longer require the personal data we have collected about you, we may either delete it or de-identify, aggregate or anonymise it. If we de-identify, aggregate or anonymise your personal data (so that it can no longer be associated with you), we may use the anonymised data indefinitely without further notice to you.

YOUR RIGHTS

Subject to certain exemptions, and in some cases dependent upon the processing activity we are undertaking, you have the following rights under data protection laws:

1. Right of access: You have the right to ask us for copies of your personal data.

2. Right to rectification: You have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

3. Right to erasure: You have the right to ask us to erase your personal data in certain circumstances.

4. Right to restriction of processing: You have the right to ask us to restrict the processing of your personal data in certain circumstances.

5. Right to object to processing: You have the right to object to the processing of your personal data in certain circumstances.

6. Right to data portability: You have the right to ask that we transfer the personal data you provided us to another organisation.

7. Right to withdraw consent at any time: Where we are relying on consent to process your personal data, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.

Exercising These Rights

You may submit these requests by email to dataprotection@acn.aero. We may request specific information from you to help us confirm your identity and process your request. Whether or not we are required to fulfil any request you make will depend on a number of factors (e.g., why and how we are processing your personal data), if we reject any request you may make (whether in whole or in part) we will let you know our grounds for doing so at the time, subject to any legal restrictions.

Your Right to Lodge a Complaint with the Nigeria Data Protection Commission

In addition to your rights outlined above, if you are not satisfied with our response to a request you made, or how we process your personal data, you can make a complaint to the Nigeria Data Protection Commission by email to info@ndpc.gov.ng or a letter addressed to No.12 Dr. Clement Isong Street, Abuja.

HOW DO WE SECURE YOUR PERSONAL DATA?

We are committed to protecting the personal data we hold about you by taking appropriate technical and organisational measures against unauthorised, unlawful, or accidental access, loss, destruction or damage to your personal data. Our security systems are designed to prevent the loss, unauthorised destruction, damage, and/or access to your personal data from unauthorised third parties. Some of our security measures include encryption (SSL/TLS in transit, AES-256 at rest); access control – limited to authorised staff; firewalls and network segmentation, security by design in ICT systems.

UPDATES TO THIS PRIVACY POLICY

We understand that things change, so we will continue to review the effectiveness of this policy and make sure it is achieving its goals. We might update the policy from time to time and will post the most recent version on this page. If we make a change to this policy that we consider material, we will notify you.