Privacy Policy

PoolCar by Shuttlers ("PoolCar", "we", "us") provides a multi-tenant marketplace and operating platform for vehicle leasing companies, businesses, business staff, and retail customers. This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and what choices you have. It applies to our website, mobile-responsive web app, and all related services (collectively, the "Platform").

Account data. Name, email, phone number, profile photo, organization affiliation, role, and authentication credentials.

Booking data. Vehicle selections, pickup and dropoff addresses, trip times, driver assignments, audit-trail entries.

Payment data. Invoice records, payment-transaction references from Paystack, refund records, and payout records. We do not store full card numbers or bank credentials — Paystack does.

Driver data. Limited identifiers needed for driver passcode authentication, vehicle assignment, and trip confirmation.

Device & log data. IP address, browser, operating system, referring URL, and pages visited, used for security, abuse-prevention, and product analytics.

We use personal data to operate the Platform: authenticate users; route bookings; coordinate drivers; charge customers and pay leasing companies; send transactional email; investigate fraud or security incidents; and improve the product. We do not sell personal data to third parties.

Within an organization. Members of your organization can see records associated with your shared activity (bookings, invoices, etc.) consistent with their role.

Between counterparties. When a business books a leasing company's vehicle, we share the data necessary to fulfill that booking — driver, vehicle, pickup/dropoff, and contact info.

Service providers. Paystack (payments and payouts), Resend (email delivery), Vercel (hosting), Upstash (rate limiting), Google or OpenStreetMap (geocoding). Each is bound by their own privacy and security obligations.

Legal compliance. When required by law, valid court order, or to protect rights, property, or safety.

We retain personal data for as long as your account is active or as needed to provide the Platform. Booking, invoice, and payout records are retained for as long as required by Nigerian tax and accounting law (typically six years), then deleted or anonymized.

Depending on where you live, you may have rights to access, correct, delete, or port your personal data, and to object to or restrict certain processing. To exercise any of these, contact us at privacy@shuttlers.co. We will respond within thirty days.

We use HTTPS in transit, multi-tenant database scoping with database-level invariants, HMAC-verified webhooks, and rate limiting at the edge. No system is perfectly secure, and we ask you to choose a strong password and protect your account credentials.

We use a small number of strictly-necessary cookies for authentication (Lucia session cookie, driver session cookie, customer session cookie) and a CSRF cookie for form security. We do not currently use third-party advertising cookies.

The Platform is not intended for children under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact privacy@shuttlers.co and we will delete it.

We may update this Privacy Policy from time to time. Material changes will be notified via email and via a banner on the Platform. The "Last updated" date at the top of this page reflects the most recent change.

For privacy questions or to exercise your rights, email privacy@shuttlers.co. PoolCar by Shuttlers is operated by Shuttlers, registered in Nigeria.