This Privacy Policy explains how ShipKith Logistics Network Inc. ("ShipKith", "we", "us", or "our") collects, uses, discloses, and protects your personal information when you use our mobile application, website, and related services (collectively, the "Service"). By using the Service you agree to the practices described here.
Effective date: May 26, 2026
01
Who We Are
ShipKith Logistics Network Inc. is incorporated in Ontario, Canada, and runs a peer-to-peer logistics platform that connects diaspora senders in the USA and Canada with community carriers travelling home to Cameroon and other African destinations.
For the purposes of data protection law (including PIPEDA, Quebec Law 25, GDPR, UK GDPR, and the CCPA/CPRA), ShipKith is the data controller of the personal information you provide through the Service. You can reach us at support@shipkith.com.
02
Information We Collect
We only collect information that is necessary to operate a trusted logistics network. The categories below describe what we collect and why.
Account details — full name, email address, phone number, preferred language, country, and password (hashed). If you sign in with Google or Apple, we receive your name, email, and a unique provider identifier; we never receive your social account password.
Identity verification (KYC) — government-issued ID images, a selfie for liveness/biometric check, date of birth, and document metadata (issue/expiry). We use this data solely to verify you as a real person before you can carry packages.
Profile content — avatar, community group affiliations (e.g., alumni, church, cultural association), ratings, and reviews you post or receive.
Logistics data — drops you create, trips you post, routes, origin/destination addresses, item descriptions, photos, weight, category, price, and status updates.
Location — device location while posting trips or actively delivering, with your explicit permission. You can disable location access at any time in your OS settings; some features will then be limited.
Payments — we use Stripe to process card payments and manage escrow. Card numbers never touch our servers; we only store the last 4 digits, brand, and a Stripe reference to reconcile transactions.
Messages — chat messages and attachments you send to other users or to our support team, used to operate the conversation feature and resolve disputes.
Notifications — push notification tokens (Apple APNs, Google FCM) and your notification preferences.
Device & technical data — IP address, device model, operating system version, app version, crash logs, and diagnostic data used to keep the Service secure and reliable.
Cookies (web only) — strictly necessary cookies for language preference and preview access gating. We do not use advertising cookies on our marketing site.
03
How We Use Your Information
We use your personal information only for the purposes listed below and only for as long as necessary for each purpose:
Operating the Service — creating your account, matching senders and carriers, enabling chat, managing escrow, and releasing payments on QR-confirmed delivery.
Identity and fraud checks — verifying KYC documents, detecting fraudulent accounts, preventing money laundering, and protecting the trust of the community.
Payments and payouts — charging senders, holding funds in escrow, paying out carriers, issuing refunds, and meeting tax and accounting obligations.
Safety and dispute resolution — investigating reports, reviewing chat history when a dispute is raised, and enforcing our Terms of Service.
Communications — sending transactional emails and push notifications about your account, bridges, and legal notices. You can opt out of non-essential notifications in the app.
Product improvement — understanding how the Service is used, in aggregated or de-identified form wherever possible, to improve reliability and user experience.
Legal compliance — responding to lawful requests from courts, tax authorities, or regulators, and defending our legal rights.
04
Legal Bases for Processing (EEA / UK)
If you are in the European Economic Area or the United Kingdom, we process your personal data under one or more of the following legal bases:
Performance of a contract — to provide the Service you have signed up for.
Legal obligation — to meet our obligations under KYC, anti-money-laundering, tax, and consumer protection laws.
Legitimate interests — to keep the platform safe, prevent fraud, and develop new features, where those interests are not overridden by your rights.
Consent — for optional processing such as location access, marketing communications, and certain analytics. You can withdraw consent at any time.
05
How We Share Information
We do not sell your personal information. We share it only in the limited circumstances below. Each sub-processor acts on our behalf under a written data-processing agreement and may not use your data for its own purposes.
With other users — when a booking is confirmed, we share the information needed to complete the delivery (the carrier's verified first name, rating, and pickup contact go to the sender; the sender's contact and item details go to the carrier).
Stripe Inc. — payment processing, Stripe Connect Custom payouts to carriers, and fraud screening. See stripe.com/privacy.
Supabase Inc. — authentication, Postgres database, and encrypted storage for KYC documents and chat attachments. See supabase.com/privacy.
Google LLC (Firebase Cloud Messaging) — Android push notification delivery. See firebase.google.com/support/privacy.
Apple Inc. (APNs) — iOS push notification delivery. See apple.com/legal/privacy.
Resend Inc. — transactional email delivery (verification, receipts, dispute notices). See resend.com/legal/privacy-policy.
Sentry (Functional Software, Inc.) — error and crash reporting (planned rollout). See sentry.io/privacy.
Google Cloud Platform — backend hosting for our microservices in us-central1. See cloud.google.com/terms/cloud-privacy-notice.
Frankfurter (api.frankfurter.app) — public foreign-exchange reference rates. No personal data is sent.
For legal reasons — when we reasonably believe disclosure is required by law, court order, or to protect the rights, safety, or property of users, the public, or ShipKith.
In a corporate transaction — if ShipKith is involved in a merger, acquisition, or sale of assets, your information may be transferred to the successor entity, subject to this Privacy Policy.
06
International Data Transfers
ShipKith operates across the USA, Canada, and Cameroon, and our sub-processors host data in the United States and the European Union. Where data is transferred outside your country of residence, we rely on appropriate safeguards — Standard Contractual Clauses with our vendors, the EU–US Data Privacy Framework where applicable, and provider-level data-processing agreements — to ensure your data remains protected at a level comparable to your local law.
07
Data Retention
We keep your personal information only for as long as we need it:
Account and profile data — for as long as your account is active, and up to 24 months after deletion to handle disputes and meet legal obligations.
KYC documents — for the retention period required by applicable anti-money-laundering regulations (typically 5 years after your last transaction).
Transaction and payment records — for the retention period required by tax and accounting laws (typically 7 years).
Chat messages — until you delete them or your account is closed, whichever is earlier, plus a short technical grace period for backups.
Security logs — up to 12 months, then permanently deleted or anonymized.
08
Your Rights
Depending on where you live, you may have the following rights over your personal information:
Access — request a copy of the personal data we hold about you.
Correction — ask us to fix information that is inaccurate or incomplete.
Deletion — request that we delete your account and associated data, subject to legal retention obligations.
Portability — request a machine-readable export of your data.
Restriction and objection — ask us to pause or stop certain processing activities.
Withdraw consent — for any processing based on consent (e.g., marketing, location), without affecting past lawful processing.
Non-discrimination — we will not deny you the Service for exercising any of the rights above.
Lodge a complaint — with your local data protection authority if you believe we have not handled your data appropriately.
09
How to Exercise Your Rights
You can manage most of your information directly in the ShipKith app — update your profile, change notification preferences, or delete your account from Settings → Privacy → Delete account. For any request we cannot resolve in-app, email support@shipkith.com. We may need to verify your identity before acting on a request, and we will respond within the timeframes required by applicable law (generally within 30 days).
10
Security
We protect your data with industry-standard measures: TLS for data in transit, Postgres row-level security so users can only read data they are authorised to see, session tokens stored in the device secure enclave (iOS Keychain or Android Keystore), signed JWTs for authentication, and least-privilege access for our team. KYC documents are kept in private Supabase storage buckets gated by service-role access. We restrict internal access on a need-to-know basis and review our security posture regularly. No system is 100% secure — if you believe your account has been compromised, contact support@shipkith.com immediately.
11
Children's Privacy
ShipKith is not intended for anyone under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
12
Region-Specific Disclosures
California (CCPA/CPRA) — California residents have the right to know, delete, correct, and opt out of the sale or sharing of personal information. ShipKith does not sell personal information and does not share it for cross-context behavioural advertising.
Canada (PIPEDA / Quebec Law 25) — our person responsible for the protection of personal information can be reached at support@shipkith.com. Quebec residents may request an inventory of how their data is processed.
European Economic Area and United Kingdom (GDPR / UK GDPR) — our legal bases are performance of contract, legal obligation, legitimate interests in fraud prevention and product improvement, and consent for optional processing such as location and marketing.
Cameroon and other African jurisdictions — where local privacy laws provide additional rights, we will honour those rights upon verified request.
13
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or the law. When we make material changes we will notify you in the app, by email, or by a prominent notice on this page before the change takes effect. The date at the top of this page indicates when it was last revised.
14
Contact Us
If you have questions, concerns, or requests related to this Privacy Policy or your personal information, contact us at support@shipkith.com. Postal mail can be sent to ShipKith Logistics Network Inc., Ontario, Canada (full mailing address available on request).
Questions?
We take your privacy seriously.
Questions about this policy? Contact us at support@shipkith.com. We aim to respond to every verified request within 30 days.