MH Express ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and delivery services.
1. Information We Collect
1.1 Information You Provide Directly
Account Registration:
- Name and display name
- Email address
- Phone number
- Date of birth (optional)
- Profile photo/avatar (optional)
- Authentication credentials (managed securely by Firebase Authentication)
Booking Information:
- Pickup and delivery addresses
- Location names and coordinates
- Package details (weight, dimensions, type)
- Special delivery instructions
- Contact information for delivery
Payment Information:
- Payment method preferences (Cash, Card, Wallet)
- Wallet balance and transaction history
- Payment card details (processed securely by third-party payment providers)
- Billing addresses
1.2 Information Collected Automatically
Location Data:
- Precise Location: GPS coordinates when using location-based features
- Cached Location: Last known location stored in SharedPreferences for performance
- Real-time Tracking: Active location during deliveries (drivers only)
- Location History: Pickup and delivery locations for completed bookings
Device Information:
- Device type, model, and manufacturer
- Operating system and version (Android/iOS)
- Unique device identifiers
- Mobile network information
- App version and build number
- Device locale and language preferences
Firebase Cloud Messaging (FCM) Data:
- FCM device tokens for push notifications
- Notification preferences and settings
- Notification delivery status
Usage Data:
- App features accessed and time spent
- Booking history and patterns
- Search queries and map interactions
- Error logs and crash reports
- Performance metrics
1.3 Information from Third Parties
Firebase Authentication:
- Google Sign-In: Name, email, profile photo from your Google account
- Phone Authentication: Phone number verification data
- Firebase UID and authentication status
Map and Location Services:
- Google Maps/OpenStreetMap: Address geocoding and reverse geocoding
- Google Places API: Location suggestions and place details (when API key configured)
Payment Processors:
- Transaction confirmation and status
- Fraud detection data
- Payment success/failure notifications
2. How We Use Your Information
| Purpose | Data Used |
|---|---|
| Provide Delivery Services | Location, booking details, contact information |
| Process Payments | Payment method, transaction history, wallet balance |
| Send Notifications | FCM tokens, booking status, driver location |
| Customer Support | Account info, booking history, communication logs |
| Improve Services | Usage patterns, performance metrics, feedback |
| Verify Identity | Firebase authentication, phone/email verification |
| Prevent Fraud | Device info, location, transaction patterns |
| Ratings & Reviews | User ratings, delivery history, driver performance |
2.1 Profile Synchronization
After successful authentication, we synchronize your profile with our backend servers using the /auth/sync endpoint. This ensures:
- Consistent user data across devices
- Up-to-date account information
- Proper authentication state management
- Backup of user preferences
3. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA), we process your personal data based on:
- Contractual Necessity: To provide delivery services you've requested
- Consent: For optional features like location tracking and marketing communications
- Legitimate Interests: To improve our services, prevent fraud, and ensure security
- Legal Obligations: To comply with applicable laws and regulations
4. Data Sharing and Disclosure
4.1 Service Providers
We share information with trusted third-party service providers:
- Firebase (Google): Authentication, cloud messaging, analytics, crash reporting
- Map Providers: Google Maps or OpenStreetMap for location services
- Payment Processors: Secure payment processing and fraud prevention
- Cloud Storage: Secure data storage and backup
- Customer Support: Communication and ticketing systems
4.2 Drivers and Customers
To facilitate deliveries, we share limited information:
- With Drivers: Customer name, phone, pickup/delivery locations, package details
- With Customers: Driver name, phone, vehicle details, real-time location during delivery
4.3 Legal Requirements
We may disclose your information when required by law:
- In response to valid legal requests (subpoenas, court orders)
- To protect our rights, property, or safety
- To enforce our Terms of Service
- To investigate fraud or security issues
- In connection with business transfers or mergers
4.4 Aggregated Data
We may share anonymized, aggregated data that cannot identify you personally:
- Usage statistics and trends
- Geographic service patterns
- Performance metrics
- Market research
5. Data Storage and Security
5.1 Security Measures
We implement industry-standard security practices:
- Encryption: Data encrypted in transit (HTTPS/TLS) and at rest
- Secure Storage: Sensitive data stored using Flutter Secure Storage
- Firebase Security: Authentication and database security rules
- JWT Tokens: Secure token-based authentication with expiration
- Payment Security: PCI-DSS compliant payment processing
- Access Controls: Role-based access and least privilege principle
5.2 Data Retention
We retain your information for as long as necessary:
| Data Type | Retention Period |
|---|---|
| Account Information | Until account deletion + 30 days |
| Booking History | 7 years (for legal/tax purposes) |
| Payment Records | 7 years (legal requirement) |
| Location Data | Duration of delivery + 90 days |
| Cached Location | Until app reinstall or cache clear |
| FCM Tokens | Until token refresh or app uninstall |
| Usage Logs | 90 days |
| Crash Reports | 90 days |
5.3 Data Breach Notification
In the unlikely event of a data breach affecting your personal information, we will:
- Notify affected users within 72 hours (GDPR requirement)
- Report the breach to relevant authorities
- Take immediate steps to secure systems
- Provide guidance on protective measures
6. Your Privacy Rights
6.1 Access and Control
You have the right to:
- Access Your Data: Request a copy of your personal information
- Update Information: Correct inaccurate or incomplete data
- Delete Account: Request permanent deletion of your account
- Export Data: Receive your data in a portable format
- Opt-Out: Unsubscribe from marketing communications
- Restrict Processing: Limit how we use certain data
6.2 Location Privacy
- Manage location permissions in device settings
- Location collected only when app is in use (foreground)
- Drivers: Real-time location shared only during active deliveries
- Cached location can be cleared by reinstalling the app
6.3 Notification Preferences
- Manage push notification permissions in device settings
- Android 13+ users: Explicit notification permission request on first use
- Disable notifications without affecting core app functionality
- Critical delivery updates may still be sent via SMS
6.4 Marketing Communications
- Opt-out of promotional emails via unsubscribe link
- Opt-out of promotional push notifications in app settings
- Service-related communications cannot be opted out (booking confirmations, etc.)
7. Children's Privacy
MH Express is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we discover that we have collected information from a child under 18, we will promptly delete that information.
8. International Data Transfers
Your information may be transferred and processed in countries other than your own:
- Firebase services operate globally with data centers worldwide
- We ensure adequate safeguards through Standard Contractual Clauses
- EEA users: Your data may be transferred outside the EEA with appropriate protections
- We comply with cross-border data transfer regulations
9. Cookies and Tracking Technologies
9.1 Mobile App
The MH Express mobile app uses:
- SharedPreferences: Store app settings and user preferences locally
- Secure Storage: Store authentication tokens securely
- Firebase Analytics: Understand app usage (can be disabled)
- Crashlytics: Collect crash reports for debugging
9.2 Website
Our website (if applicable) may use cookies for:
- Essential functionality
- Analytics and performance monitoring
- User preferences
10. Third-Party Services
Our app integrates with third-party services that have their own privacy policies:
- Firebase (Google): firebase.google.com/support/privacy
- Google Maps: policies.google.com/privacy
- Google Sign-In: policies.google.com/privacy
- OpenStreetMap: wiki.osmfoundation.org/wiki/Privacy_Policy
11. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
11.1 Right to Know
- Categories of personal information collected
- Sources of personal information
- Business purposes for collection
- Categories of third parties with whom we share data
11.2 Right to Delete
Request deletion of your personal information, subject to certain exceptions.
11.3 Right to Opt-Out
We do not sell personal information. If this changes, we will provide an opt-out mechanism.
11.4 Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights.
To exercise your rights: Contact us at privacy@mh-express.com
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do:
- We will update the "Last Updated" date at the top
- Material changes will be notified via push notification or email
- Continued use after changes constitutes acceptance
- Previous versions will be archived and available upon request
13. Data Protection Officer
For privacy-related questions or concerns, contact our Data Protection Officer:
- Email: dpo@mh-express.com
- Response Time: Within 30 days of receipt
14. Contact Us
For questions about this Privacy Policy or our data practices:
Privacy Inquiries
Email: privacy@mh-express.com
Support: support@mh-express.com
Data Protection Officer: dpo@mh-express.com
We respond to all privacy requests within 30 days
15. Regulatory Compliance
MH Express complies with:
- GDPR: General Data Protection Regulation (EU)
- CCPA: California Consumer Privacy Act
- COPPA: Children's Online Privacy Protection Act
- PIPEDA: Personal Information Protection and Electronic Documents Act (Canada)
- Applicable local data protection laws