Privacy Policy

MotorCoachX Bidding System ("MXBS", "we", "our") is operated by AAGI Corporation, incorporated under the laws of Canada. We operate a B2B marketplace connecting motorcoach charter operators with trip owners across Canada and the United States.

Privacy Officer: [email protected]

We collect:

• Account information: Full name, email address, phone number, password hash.
• Business information: Organization name, business registration number, HST/GST/QST numbers, operating province, banking institution.
• Identity verification: Government-issued ID type and number (fraud prevention and compliance).
• Trip information: Pickup/dropoff addresses, trip dates, passenger counts, notes.
• Driver and fleet information: Driver names, license numbers, VIN, license plates.
• Communications: Messages between trip owners and bus operators on our platform.
• Technical data: IP address, browser type, OS, session identifiers, access timestamps.
• Payment information: Processed via Stripe. We store only tokenized references — never raw card numbers.

• Operate the MXBS marketplace and platform services.
• Verify identities and conduct background checks for trust and safety.
• Facilitate trip booking, bidding, and contract workflows.
• Send transactional communications (booking confirmations, OTP codes, account notifications).
• Detect and prevent fraud, abuse, and security incidents.
• Comply with legal obligations under Canadian and applicable US law.

We will not use your information for materially different purposes without fresh consent.

• Consent: Account creation, marketing communications, background check authorization.
• Contractual necessity: Providing the platform services you signed up for.
• Legal obligation: Tax, fraud prevention, and regulatory compliance.
• Legitimate interests: Platform security and fraud detection, subject to your rights to object.

• Other platform users: Limited profile information visible to counterparties (organization name, verified status). Full contact details shared only after a trip award.
• Sub-processors: Google Cloud Platform (infrastructure), Stripe (payments, USA), Twilio (SMS, USA), Amazon Web Services SES (email, USA), Mapbox (mapping, USA), Google OAuth (authentication).
• Legal requirements: Where required by law, court order, or regulatory authority.
• Business transfers: In connection with a merger or acquisition, subject to confidentiality obligations.

Some service providers are located outside Canada (primarily the United States). We transfer personal information outside Canada only with sub-processors providing equivalent protection and, where required by Quebec Law 25 Article 17, after completing a Privacy Impact Assessment. Contact our Privacy Officer to request a copy.

• Active account data: retained while the account is active.
• Transaction records and contracts: 7 years (tax and regulatory requirements).
• Authentication and security logs: 90 days.
• Soft-deleted accounts: pseudonymized within 90 days of deletion request; fully purged within 1 year.
• Marketing consent records: retained for the relationship duration plus 3 years.

• Access: Request a copy of your personal information.
• Correction: Request correction of inaccurate or incomplete information.
• Erasure / De-indexation: Request deletion (subject to legal retention obligations). Quebec residents have additional de-indexation rights.
• Portability: Receive your data in a structured, machine-readable format.
• Withdraw consent: Withdraw consent at any time; does not affect prior processing.
• Complain: Office of the Privacy Commissioner of Canada at priv.gc.ca, or the Commission d'accès à l'information (CAI) at cai.gouv.qc.ca.

Exercise rights by contacting [email protected]. We respond within 30 days.

• Strictly necessary: Session authentication cookies (MxbsJWT, MxbsRefresh) and onboarding state. Cannot be disabled without breaking the service.
• Functional: Theme preference cookie (mxbs-theme). Stores display preferences locally.
• Analytics: Cloudflare Web Analytics (privacy-preserving, no personal data to third parties). Requires consent in Quebec.

Manage cookie preferences through the banner on your first visit or by contacting us.

We implement AES-256-GCM encryption for sensitive documents at rest, TLS 1.2+ for data in transit, access controls and audit logging, account lockout and multi-factor authentication, and regular security assessments.

In the event of a breach creating a real risk of significant harm, we will notify you and applicable privacy authorities as required by PIPEDA and Quebec Law 25. We maintain a breach register as required by law.

We will notify you of material changes by email and in-platform notice at least 30 days before changes take effect.