1. Who we are
This Privacy Policy describes how MCI Logistics Ltd ("we", "us", "My Car Importer") collects, uses, shares, and protects personal data when you use our website and customer portal. We are the data controller for personal data described here under the Nigerian Data Protection Act, 2023.
2. What we collect
2.1 You give us directly
- Account details — first and last name, email address, phone number, country, password (stored as a one-way hash; we never see it in plain text).
- Order details — vehicle year/make/model/VIN, pickup ZIP and auction source (Copart, IAAI, Manheim, dealer, private), drop-off port, shipping method, operability.
- Wallet activity — deposit amounts, reference codes, optional proof-of-payment images, optional bank session reference numbers.
- Support correspondence — emails, chat messages, attachments you send us.
2.2 We collect automatically
- Technical data — IP address, browser type, device, pages visited, session timestamps. Used for security and performance monitoring.
- Cookies and similar — strictly-necessary session tokens to keep you logged in; we do not currently use third-party analytics or advertising cookies.
2.3 We receive from third parties
- Central Dispatch — predicted trucking rates for the lanes you request (no personal data sent in either direction beyond ZIP + vehicle).
- Resend — delivery status of transactional emails we send you.
- Carriers, customs agents, and shipping lines — vehicle tracking events, dispatch documents, bills of lading.
3. How we use it
- To provide the Service — match your order to a carrier, deliver invoices, track shipments, calculate quotes
- To verify your identity and protect against fraud — including 6-digit verification codes during signup
- To communicate with you — service updates, quote notifications, wallet receipts, support replies
- To comply with Nigerian customs and tax law — providing manifest information to regulators when required
- To improve the Service — aggregated, non-identifying analytics on which features people use
4. How we share it
- Carriers and shipping partners — we share vehicle details and pickup/drop-off information necessary to perform the transport you've authorized.
- Banking partners — for wallet top-ups, we receive credit alerts on our bank accounts; we do not share your data with our banks beyond what's required for the transfer itself.
- Service providers — Supabase (database hosting + auth), Resend (email delivery), Vercel (web hosting). Each is bound by its own data processing terms.
- Legal or regulatory — when required by Nigerian law, court order, or to protect rights, property, or safety.
We do not sell your personal data to advertisers or data brokers.
5. Where we store it
Customer data is hosted on Supabase's EU-West-1 region for performance. Some derived data (e.g., emails sent via Resend) may briefly transit US infrastructure for delivery. We rely on standard contractual safeguards for any cross-border transfers.
6. Retention
We keep your account and order data for as long as your account is active plus 7 years thereafter, to comply with Nigerian tax and customs record-keeping obligations. Wallet top-up rows and immutable journal entries are retained for the same period for audit integrity. Verification codes (the 6-digit OTPs we email you) auto-expire 15 minutes after issue and are deleted from our database within a week.
7. Your rights
- Access — request a copy of the personal data we hold about you
- Correction — update inaccurate or incomplete data (most of this is also available from your profile page)
- Deletion — request closure of your account; we'll honour the request subject to the 7-year retention requirements above
- Objection or restriction — for processing based on our legitimate interest
- Portability — receive your data in a machine-readable format
To exercise any of these, email privacy@mycarimporter.com from the address on your account.
8. Security
We protect your data using industry-standard practices including: Row-Level Security policies on every database table (you cannot see another customer's data even if a bug tried to surface it), TLS in transit, encryption at rest via Supabase's managed Postgres, hashed passwords and OTP codes, time-bounded session tokens, and least-privilege Edge Function service-role access. No system is completely secure; in the event of a breach affecting your data we will notify you within 72 hours of becoming aware.
9. Children
The Service is not intended for anyone under 18 years old. If we learn that we've collected personal data from someone under 18, we'll delete it.
10. Changes to this policy
We may update this Policy from time to time. Material changes will be announced via email and on the portal at least 7 days before they take effect.
11. Contact
Privacy questions or requests? privacy@mycarimporter.com. General support: hello@mycarimporter.com.
