DATA PROTECTION
Privacy Policy
Your data is yours. We collect only what's necessary, protect it rigorously, and give you full control. Transparency isn't optional — it's our foundation.
NEXSHIPA ("we", "us", or "our") is committed to protecting your personal data with the highest standards of transparency, security, and ethical processing. This policy explains exactly what we collect, why we collect it, how we safeguard it, and the absolute control you retain over your information. We comply fully with the UK GDPR, Data Protection Act 2018, and relevant international privacy frameworks.
1. Our Privacy Commitment
Privacy is not an afterthought — it's engineered into our systems by design. We operate on a strict data minimisation principle: we only collect what's essential to deliver, track, and improve your logistics experience. We never sell, rent, or trade personal data to third parties for marketing purposes. If we ever change how we process your data, you will be notified transparently before the change takes effect.
2. Who Controls Your Data
NEXSHIPA Ltd acts as the Data Controller for all personal information processed through our platform, freight services, warehousing operations, and client portal. Our Data Protection Officer (DPO) oversees compliance, handles requests, and ensures ongoing alignment with evolving privacy regulations.
3. What Data We Collect
We collect data in four transparent categories:
- Identity & Contact: Name, email, phone, company name, billing/shipping addresses.
- Shipment & Operational: Cargo descriptions, weights, dimensions, pickup/delivery coordinates, customs declarations, and tracking identifiers.
- Technical & Usage: IP address, device type, browser, OS, page views, session duration, and platform interaction logs (anonymised where possible).
- Payment & Financial: Transaction history, payment method tokens (processed securely via PCI-DSS compliant gateways), and invoice records.
4. How & Why We Use It
We process your data only under clear lawful bases:
- Contract Performance: To book shipments, generate labels, track cargo, process payments, and deliver services you request.
- Legal Obligation: To comply with customs, tax, HMRC, and international trade regulations.
- Legitimate Interest: To improve routing algorithms, prevent fraud, enhance platform security, and send service-related notifications.
- Consent: For marketing communications, optional analytics cookies, or third-party integrations. You may withdraw consent at any time.
5. Data Sharing & Third Parties
We share data strictly on a need-to-know basis, bound by written Data Processing Agreements (DPAs) and GDPR Article 28 compliance:
- Carriers & Customs: Only shipment-specific data required for transport, clearance, and delivery.
- Payment Processors: Stripe, PayPal, or bank gateways (we never store full card details).
- Cloud & Infrastructure: AWS/GCP for secure hosting, backup, and disaster recovery (ISO 27001 certified).
- Analytics & Support: Anonymised usage metrics for platform optimisation; support tickets retain conversation logs for 12 months.
We never share personal data with advertising networks, data brokers, or unvetted third parties.
6. Data Retention & Deletion
We retain data only as long as legally and operationally necessary:
- Active Accounts & Shipments:
- Financial & Tax Records: 6 years (UK HMRC requirement).
- Customs & Trade Docs: 5 years per international trade compliance standards.
- Marketing Preferences: Until you unsubscribe or request deletion.
You may request permanent deletion at any time (see Section 7). We will anonymise or purge your data within 30 days, barring legal retention obligations.
7. Your Legal Rights
Under UK GDPR, you retain full control over your personal data:
- Access: Request a complete copy of your data in machine-readable format.
- Rectification: Correct inaccurate or incomplete information instantly.
- Erasure ("Right to be Forgotten"): Request permanent deletion (subject to legal exceptions).
- Portability: Export your data to another service provider.
- Restriction & Objection: Pause or object to processing for marketing or profiling.
- Withdraw Consent: Opt out of non-essential processing at any time.
Exercise these rights via your account dashboard or by contacting dpo@nexshipa.com. We respond within 30 days, free of charge.
8. Security & Encryption
Your data is protected by enterprise-grade security:
- Encryption: AES-256 at rest, TLS 1.3 in transit. Zero-knowledge architecture for sensitive customs data.
- Access Control: Role-based permissions, MFA for staff accounts, and strict audit logging.
- Monitoring: 24/7 intrusion detection, automated threat response, and quarterly penetration testing.
- Incident Response: GDPR-mandated 72-hour breach notification protocol to ICO and affected users.
9. Cookies & Tracking
We use cookies transparently via our consent banner:
- Essential: Session management, security tokens, load balancing (cannot be disabled).
- Analytics: Page performance, feature usage, error tracking (anonymised, opt-in).
- Functional: Language preferences, quote form drafts, UI customisation (opt-in).
Manage preferences anytime via the Cookie Settings icon in the footer. We do not deploy cross-site tracking or fingerprinting scripts.
10. International Transfers
When data leaves the UK/EEA, we ensure equivalent protection through:
- UK Adequacy Regulations for recognised countries.
- International Data Transfer Agreements (IDTAs) with SCC-equivalent safeguards.
- Binding Corporate Rules for global carrier partners.
11. Automated Decision-Making
We use algorithmic routing and risk scoring to optimise delivery ETAs and detect fraudulent bookings. No fully automated decision produces legal or significantly detrimental effects without human review. You may request manual intervention or explanation of any automated outcome affecting your shipment or account.
12. Contact & DPO
For privacy inquiries, data requests, or compliance questions:
- Email: dpo@nexshipa.com
- Post: Data Protection Officer, NEXSHIPA Ltd, Hillington Park, Glasgow G52 4HG
- Regulator: You may lodge a complaint with the Information Commissioner's Office (ICO) if your concern remains unresolved.
This policy was last reviewed and updated on 15 April 2026. Version 3.0. We commit to continuous improvement in transparency and user control.