Privacy Policy

CEMARAX LIMITED

CEMARAX LIMITED (“Cemarax,” “we,” “our,” or “us”) is committed to safeguarding the privacy and security of personal information entrusted to us. This Privacy Policy describes how we collect, use, store, disclose, and protect information in compliance with the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA) where applicable, and recognized information security frameworks including SOC 2.

By using our services, you consent to the practices described in this Privacy Policy.

1. Information We Collect

We collect personal and business information necessary for the provision of logistics, transportation, and technology services. Categories of information may include:

  • Personally Identifiable Information (PII): Name, email, phone number, billing and shipping addresses, identity verification details, payment information.
  • Logistics and Operational Data: Shipment details, cargo manifests, delivery addresses, customs documentation, and tracking data.
  • Technical and Usage Data: IP addresses, browser type, device identifiers, login records, geolocation data, and interactions with our digital platforms (web, app, portals).
  • Sensitive Data (HIPAA relevance): Where Cemarax provides logistics for healthcare shipments (e.g., medical devices, pharmaceuticals, biological materials), we may handle information subject to HIPAA. Such data is processed in strict compliance with HIPAA standards.
  • Employee and Contractor Data: Information necessary for employment, background verification, and regulatory compliance.

2. Legal Basis for Processing (GDPR Compliance)

We process personal data under the following lawful bases:

  • Contractual necessity: to fulfill logistics, transportation, and service agreements.
  • Legitimate interests: to improve our services, ensure security, prevent fraud, and protect company assets.
  • Legal obligations: to comply with customs, taxation, financial, and regulatory requirements.
  • Consent: for marketing communications, optional services, or sensitive data where required.

3. How We Use Information

We use collected data for the following purposes:

  • Providing and managing logistics, warehousing, shipping, and international transportation services.
  • Processing payments, invoicing, and financial settlements.
  • Tracking and delivering shipments.
  • Ensuring compliance with customs and cross-border trade regulations.
  • Conducting analytics and business intelligence to improve services.
  • Communicating updates, confirmations, and service-related notices.
  • Providing customer support and dispute resolution.
  • Securing our IT systems, detecting fraud, and preventing unauthorized access.
  • Meeting audit, compliance, and certification requirements (GDPR, HIPAA, SOC 2).

4. Information Sharing

We do not sell personal data. Information may only be shared under the following conditions:

  • Service Providers and Partners: Carriers, freight agents, payment processors, IT service providers, and warehousing partners bound by confidentiality and data processing agreements.
  • Regulatory Authorities: Customs, tax authorities, law enforcement, and regulators, when required by law.
  • Corporate Transactions: In the event of a merger, acquisition, or sale of assets, data may be transferred to the new entity under the same protections.
  • Healthcare Logistics (HIPAA): Business Associate Agreements (BAAs) are executed where HIPAA data is processed, ensuring compliance with all privacy and security rules.

5. International Data Transfers

Where data is transferred outside of Nigeria or the European Economic Area (EEA), we implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) under GDPR.
  • Data Protection Impact Assessments (DPIAs).
  • SOC 2-certified hosting providers.
  • HIPAA-compliant data handling where applicable.

6. Data Security and SOC 2 Alignment

We maintain administrative, technical, and physical safeguards designed to protect information against unauthorized access, alteration, or destruction. These controls align with SOC 2 principles of security, availability, processing integrity, confidentiality, and privacy. Measures include:

  • Encryption of data at rest and in transit (TLS 1.2+).
  • Multi-factor authentication for system access.
  • Role-based access control.
  • Continuous monitoring and intrusion detection.
  • Regular third-party security audits and penetration testing.
  • Employee training on data protection and security obligations.

7. Data Retention

We retain information only as long as necessary for business operations or to meet legal, regulatory, or contractual requirements. Retention schedules are documented and audited. Sensitive data subject to HIPAA or GDPR is anonymized or securely deleted when no longer required.

8. Data Subject Rights (GDPR and Applicable Laws)

You have the following rights regarding your personal data:

  • Right of access – request details of data we hold about you.
  • Right to rectification – request corrections or updates.
  • Right to erasure (“right to be forgotten”) – request deletion of personal data.
  • Right to restrict processing – limit how your data is used.
  • Right to data portability – request transfer of your data to another provider.
  • Right to object – opt out of marketing and certain processing.
  • Right to withdraw consent – revoke consent at any time.

Requests should be sent to: privacy[at]cemarax.com

9. Cookies and Tracking Technologies

Cemarax uses cookies, analytics, and similar technologies to improve website performance and enhance user experience. Cookies may include session cookies, analytics cookies, and advertising cookies. Users may disable cookies in their browser, though this may impact service functionality.

10. HIPAA Compliance (Healthcare Shipments)

Where shipments include healthcare or patient-related data, Cemarax acts as a Business Associate under HIPAA. We implement administrative, physical, and technical safeguards to protect Protected Health Information (PHI), including:

  • Encryption of PHI in transit and at rest.
  • Access controls ensuring only authorized staff handle PHI.
  • HIPAA-compliant Business Associate Agreements with all relevant partners.
  • Breach notification procedures in accordance with HIPAA.

11. Children’s Privacy

Our services are not directed to individuals under 18 years of age, and we do not knowingly collect personal data from minors.

12. Policy Updates

We may update this Privacy Policy to reflect changes in law, technology, or business operations. Updates will be posted on our website with the “Effective Date” clearly indicated.

13. Contact Information

If you have any questions, concerns, or requests relating to this Privacy Policy or your data rights, please contact us at:

CEMARAX LIMITED
Email: privacy[at]cemarax.com
Website: www.cemarax.com