Version 1.0.0
Khemiva Privacy Policy
Version: 1.0.0
Document status: Draft for legal review — qualified counsel must approve before production reliance.
Effective date: 2026-06-01 (or the date published on the Platform, whichever is later)
Change log: 1.0.0 — Comprehensive policy for Ghana–Nigeria pilot: controller details, data categories (freight, consolidation, payments, PoD, channels), legal bases, sharing matrix, retention schedule, security, cookies, rights, automated decisions, breach notification, legal acceptance audit, regional addenda, and subprocessor annex.
This Privacy Policy explains how Khemiva Inc. and its affiliates (“Khemiva,” “we,” “us”) collect, use, disclose, retain, and protect information when you use our websites, mobile applications, APIs, messaging channels, and admin tools (the “Platform”). It applies to shippers, carriers, administrative users, and website visitors where relevant.
1. Who is responsible for your data?
### 1.1 Data controller
Khemiva Inc.
Privacy: privacy@khemiva.com
Support: support@khemiva.com
Postal / registered office: Available on request at privacy@khemiva.com
For users in the Republic of Ghana and Federal Republic of Nigeria during our West Africa pilot, Khemiva processes personal data as controller for Platform operations. If counsel requires a local representative or affiliate controller, we will publish updated contact details in a new policy version.
### 1.2 Data Protection Officer
We have not appointed a Data Protection Officer. Privacy inquiries: privacy@khemiva.com.
### 1.3 Scope
This policy does not cover third-party websites, payment partner checkout pages, or carrier/shippers’ own practices outside the Platform.
2. What information we collect
We collect information you provide, generated through use, and from third parties as below.
### 2.1 Account, profile, and authentication
| Data | Examples | Source |
|---|---|---|
| Identity | Name, email, phone, password hash | You |
| Profile | Company name, role (shipper/carrier), language, timezone, avatar | You |
| Verification | ID document images, business registration, tax IDs, insurance certificates | You / uploads |
| Security | Login history, device identifiers, 2FA state (if enabled) | Platform |
Passwords are stored using one-way hashing; we do not store plaintext passwords.
### 2.2 Freight, marketplace, and logistics
| Data | Examples | Purpose |
|---|---|---|
| Freight load | Origin/destination, windows, weight, dimensions, reference codes, status | Matching, execution |
| Cargo declarations | Cargo type, packaging, origin notes, declared value, restricted category flags | Compliance, consolidation |
| Bids and matches | Bid amounts, acceptance timestamps, carrier assignment | Contract performance |
| Consolidation | Disposition (shared/FTL), group identifiers, option counts, committed timestamps | Pooling product |
| Compliance review | Review status, reviewer IDs (staff), notes | Risk controls |
| Invoices and payouts | Amounts, currencies, line items, terms version IDs on invoice | Billing, audit |
| Milestones | Pickup, in-transit, delivered status changes | Tracking |
### 2.3 Proof of delivery and compliance capture
| Data | Examples |
|---|---|
| PoD | Recipient name, signature image, delivery photos, GPS at delivery, notes |
| Pickup/delivery capture | Photographs, package counts, GPS at capture, timestamps, checkpoint notes |
### 2.4 Communications
| Data | Examples |
|---|---|
| In-app messages | Message body, attachments, thread participants, timestamps |
| Email / SMS / push | Delivery status, templates used, opt-in/opt-out where applicable |
| Support tickets | Subject, description, attachments, agent notes |
### 2.5 Payments
We generally do not store full card numbers when a payment partner tokenizes them. We may store:
- Transaction IDs, status, amounts, currencies;
- Masked account or wallet identifiers;
- Fraud signals from processors (for example Flutterwave);
- Payout destination tokens you register.
### 2.6 Device, technical, and usage
- IP address, user agent, browser/app version;
- Approximate location from IP (if used);
- Cookies and local storage (Section 9);
- First-party product usage data when signed in (screen views and interaction events sent to our API; no message bodies or payment card data in payloads);
- Error reports via Sentry when enabled (tagged by app surface);
- Audit and security logs (user ID, action type, resource IDs, admin RBAC events);
- Aggregated or de-identified analytics.
### 2.7 Channel integrations (where enabled)
If you interact via USSD, WhatsApp, or similar channels:
- Phone number, session identifiers, message payloads, menu selections;
- Correlation IDs linking channel events to Platform accounts when matched.
### 2.8 Legal acceptance and policy records
When you accept Terms or this Privacy Policy, we store:
- Version record IDs (database identifiers for the specific published legal document version);
- Timestamps of acceptance;
- Audience (shipper terms, carrier terms, privacy).
This creates an audit trail of which document version you agreed to.
### 2.9 Information from third parties
- Payment processors — transaction outcome, chargeback flags;
- Identity/verification vendors — verification results (not always raw documents);
- Maps/geocoding — normalized addresses, coordinates;
- Communications providers — SMS/email delivery events;
- Public or partner registers — where permitted for fraud or KYB checks.
3. Why we use your information
| Purpose | Examples | Typical legal basis |
|---|---|---|
| Provide the Platform | Accounts, posting, matching, messaging, invoicing, payouts | Contract |
| Safety and integrity | Fraud detection, abuse prevention, sanctions screening | Legitimate interests / Legal obligation |
| Compliance | Cargo declarations, operations review, customs-related requests | Legal obligation / Legitimate interests |
| Disputes | PoD review, message retrieval, payout holds | Legitimate interests / Contract |
| Legal acceptance audit | Store terms/privacy version IDs you accepted | Legal obligation / Contract |
| Improve the product | Aggregated analytics, performance monitoring | Legitimate interests |
| Communicate | Service alerts, security notices | Contract / Legitimate interests |
| Marketing | Product updates, surveys | Consent where required |
We balance legitimate interests against your rights. You may object where applicable (Section 10).
4. How we share information
We do not sell personal information to data brokers.
### 4.1 With other users (marketplace)
| Data | Visible to |
|---|---|
| Contact name, phone (as configured) | Matched counterparty for active jobs |
| Pickup/delivery addresses and windows | Matched counterparty |
| Cargo description and non-admin declarations | Assigned carrier for the load |
| PoD, delivery photos, capture GPS | Shipper for that job |
| In-app messages | Thread participants |
| Public profile fields you enable | As configured |
We minimize exposure of government ID images to counterparties; IDs are primarily for verification, not marketplace display.
### 4.2 With service providers (subprocessors)
See Annex A. Providers process data under contract with security and confidentiality obligations.
### 4.3 With Khemiva personnel (admin)
Staff access data on a role-based (RBAC) basis with logging for operations, fraud, support, compliance queues, and disputes.
### 4.4 Legal, regulatory, and safety
We may disclose information when we believe disclosure is required or permitted by law, including to:
- Courts, regulators, and law enforcement;
- Customs and border authorities relating to specific shipments;
- Parties to legal process involving Khemiva.
We may also disclose to protect rights, safety, and security of users, carriers, shippers, or the public.
### 4.5 Business transfers
If Khemiva undergoes merger, acquisition, or asset sale, information may transfer subject to notice as required by law.
5. International transfers
Data may be processed in the United States, European Union, and other countries where our providers operate (including Supabase and Google Cloud Platform regions we configure).
Where required, we use Standard Contractual Clauses, adequacy decisions, or other approved transfer mechanisms. Contact privacy@khemiva.com for information about safeguards.
6. Retention
We retain data as long as necessary for the purposes above, then delete or anonymize where feasible.
| Category | Typical retention |
|---|---|
| Active account profile | While account is active + short grace after deletion request |
| Invoices, payouts, tax records | 7 years (or longer if law requires) |
| Freight, match, declaration records | 7 years from last activity on the load |
| PoD and compliance captures | 7 years with freight records; may shorten after closed disputes if law allows |
| In-app messages | 3 years after last message in thread (unless linked to open dispute) |
| Legal acceptance records | 7 years or longer if required for proof of consent |
| Security / audit logs | 12–24 months (longer if incident investigation requires) |
| Marketing consents | Until withdrawn + proof of consent |
| Channel session logs | 12–24 months unless tied to active support |
Customs, regulatory, or litigation needs may require longer retention of specific records.
7. Security
We implement measures appropriate to risk, including:
- Encryption in transit (TLS) for web and API traffic;
- Access controls and least-privilege for staff;
- Hashed passwords and secure session handling;
- Logging and monitoring for security events;
- Vendor security reviews for critical subprocessors.
No system is 100% secure. Use strong passwords, protect devices, and report suspected compromise to support@khemiva.com.
8. Data breach notification
If we become aware of a personal data breach that poses risk to your rights, we will notify supervisory authorities and affected users as required by applicable law (for example Ghana DPA or Nigeria NDPA timelines), and take steps to contain and remediate.
9. Cookies and similar technologies
| Type | Purpose | Duration | Consent |
|---|---|---|---|
| Session / auth | Login, security | Session / up to 30 days | Strictly necessary |
| Preferences | Language, UI | Up to 12 months | Necessary / preferences |
| CSRF / security tokens | Form protection | Session | Necessary |
| Analytics (if enabled) | Usage measurement | Per vendor | Consent where required |
We use local storage in web apps for drafts and tokens. Where law requires, we show a cookie banner before non-essential cookies. Browser controls may disable cookies and affect functionality.
10. Your rights
Depending on your location, you may have rights to:
- Access a copy of your personal data;
- Correct inaccurate data;
- Delete data (subject to legal retention exceptions);
- Restrict or object to certain processing;
- Data portability where technically feasible;
- Withdraw consent for consent-based processing;
- Lodge a complaint with a supervisory authority.
How to exercise: email privacy@khemiva.com. We may verify identity. We respond within 30 days where GDPR-style timelines apply (extensions permitted by law).
Account closure: you may request account deletion; some records may be retained for legal, tax, or dispute reasons as in Section 6.
11. Children
The Platform is not directed to anyone under 18. We do not knowingly collect children’s personal information. Contact privacy@khemiva.com if you believe we have.
12. Automated processing and profiling
We use automated processing for:
| Activity | Effect |
|---|---|
| Risk scoring / shipper tier | May affect consolidation eligibility |
| Compliance review triggers | May hold or restrict loads |
| Matching and ranking | Prioritizes carriers or consolidation options |
| Fraud signals | May block transactions or accounts |
These processes may affect your access to features but do not produce solely automated legal consequences (for example permanent ban) without human review for material account actions.
You may request human review of significant risk decisions via support@khemiva.com.
13. Verified reports and document storage
If you use verified report or document features, we may process PDFs, signatures, and metadata to generate tamper-evident records. These may be stored in private object storage with access controls and signed URLs for download. Retention follows Section 6 and product-specific rules.
14. Changes to this policy
We post updates with a new version label and effective date. Material changes may require notice or re-acceptance in the Platform. The version ID stored at acceptance is the record of what you agreed to.
15. Contact
Privacy: privacy@khemiva.com
Support: support@khemiva.com
Postal: Available on request at privacy@khemiva.com
Terms of Service: Shipper and Carrier terms at https://khemiva.com/legal/.
16. Regional addenda
### 16.1 Ghana (Data Protection Act, 2012 (Act 843))
- Processing aligned with lawfulness, purpose limitation, accuracy, security, and retention principles.
- Complaints: Data Protection Commission of Ghana.
- Cross-border transfers: appropriate safeguards per Commission guidance.
### 16.2 Nigeria (Nigeria Data Protection Act / NDPA)
- Processing for contract and legal obligation for freight and payments.
- Sensitive data (for example government IDs): collected only for verification, with restricted access.
- Complaints: Nigeria Data Protection Commission (NDPC).
- Registration: we will complete NDPC registration if counsel determines it is required at our scale.
### 16.3 European Economic Area / United Kingdom (if applicable)
- Legal bases in Section 3; SCCs for transfers; right to complain to your supervisory authority.
- EU/UK representative listed in Section 1 if we target those markets.
### 16.4 California (CPRA) — if applicable
- We do not sell personal information.
- Share for business purposes per Section 4.
- Rights: know, delete, correct, opt out of sale/share (N/A for sale), non-discrimination.
- Contact privacy@khemiva.com.
Annex A — Subprocessors (draft list)
| Provider | Service | Typical location |
|---|---|---|
| Supabase | Database, authentication, object storage | EU / US (project region) |
| Google Cloud Platform | API hosting, Cloud Run, logging, legal archive buckets | Configured region (e.g. europe-west1) |
| Flutterwave | Card, bank, mobile-money payments | Nigeria / multi-region |
| Email provider(s) | Transactional email | US / EU |
| SMS provider(s) | OTP, notifications | US / EU / regional |
| Mapping / geocoding | Address validation, maps | US |
| Sentry (if enabled) | Error monitoring (API, web, mobile) | US / EU |
| RabbitMQ hosting | Async job / notification queue | Configured region |
We update this annex when vendors change; material additions will be reflected in a new version label where required.
17. Acknowledgment
By using the Platform, you acknowledge that you have read this Privacy Policy (or the version linked at signup or re-acceptance).
Document version 1.0.0. The version you agreed to is recorded in your Khemiva account.