Privacy Policy

This policy applies to anyone who interacts with the public website, submits the contact form, applies for a cohort, joins a mission, or receives email from us. It does not cover third-party sites we link to (visa offices, airline portals, payment processors) — those operate under their own policies.

We only ask for data we need to deliver the service you came for. The three intake points are the contact form, the cohort registration form, and email correspondence.

Identification data: full name (as on passport), date of birth, gender, nationality, passport details, photograph.

Contact data: email, phone number, postal address, organisation, role.

Commercial data: target sectors, declared product interest, referrer name, how you heard about us.

Travel data: visa status, travel preferences, dietary or accessibility needs, insurance details where you provide them.

Payment data: bank-transfer references and a URL link to your proof of payment. We do not store full card numbers; the future Paystack / Flutterwave / Stripe routes are tokenised at the processor.

Technical data: IP address, device user-agent, basic analytics events. We do not use third-party advertising cookies.

• To process your cohort application and issue the letter of invitation, visa-support documents, and confirmation email.
• To match you with the right factories, interpreters, and partner counterparts on mission.
• To verify payment and provide a receipt for accounting on both sides.
• To deliver post-mission facilitation services — procurement, payment routing, freight — for the period agreed in your contract.
• To send service emails (confirmation, payment instruction, document reminder, mission update, final confirmation), and — only with your tick on the form — the periodic cohort dispatch.
• To meet our regulatory, tax, and anti-money-laundering obligations.

We rely on contract performance for cohort delivery, sourcing, and procurement; legitimate interest for security, fraud prevention, and improving the site; consent for the cohort dispatch newsletter and any optional fields you provide; and legal obligation for tax, AML, and immigration-paperwork retention.

We hold registration records for the duration of your engagement with Shang You and for seven (7) years thereafter to meet Nigerian tax and corporate record-keeping requirements. Visa-support documents are deleted six (6) months after your mission unless you ask us to retain them for a follow-up trip.

Contact-form inquiries that do not progress to an application are held for twelve (12) months and then deleted.

We do not sell personal data. We do share it with:

• Visa offices, airlines, and hotels — only the data they need to issue your invitation, ticket, or booking.
• Factories and counterparts on mission — name, organisation, and declared product interest, so meetings can be prepared.
• Interpreters and on-ground operators — under written confidentiality.
• Payment processors — Paystack, Flutterwave, Stripe — operating under their own policies once those routes are live.
• Cloud infrastructure providers — MongoDB Atlas (database), and our email and hosting providers — bound by contract to process data only on our instruction.

We will only disclose data to law enforcement when compelled by a valid Nigerian court order or by a request that meets equivalent standards in another jurisdiction we operate in.

The platform serves African delegates travelling to China. Personal data may move between Nigeria, the People's Republic of China, and, for hosting, the United Kingdom or European Union. We rely on contractual safeguards equivalent to the Nigeria Data Protection Commission's standard contractual clauses for any onward transfer.

Practical measures, not just policy text:

• TLS in transit and AES-256 at rest for application data.
• Least-privilege access to the admin dashboard — every read is audit-logged with operator identity and reason.
• Multi-factor authentication enforced for every operator account.
• Quarterly access review and an off-boarding checklist for any departing operator.
• Encrypted, versioned backups stored in a region separate from the production database.

Under the NDPA and equivalent regimes, you can ask us to:

• Confirm whether we hold your data, and give you a copy.
• Correct anything that is inaccurate or out of date.
• Delete your data, subject to overriding legal obligations (tax, immigration, AML).
• Restrict processing while a complaint is being resolved.
• Object to processing based on legitimate interest.
• Withdraw consent for the cohort dispatch at any time — one click, every email.
• Receive a portable export of the data you provided to us.

We respond to verified requests inside thirty (30) days. If you are unhappy with our response, you can complain to the Nigeria Data Protection Commission or your local supervisory authority.

We use a single first-party cookie to remember your light/dark theme preference, and minimal anonymous analytics to count page visits and spot broken journeys. No third-party advertising trackers run on the site. When analytics is upgraded for Phase 2, we will publish the exact tooling and the choice to opt out before any data is collected.

The service is intended for adults applying as professionals. Applications from anyone under 18 are declined automatically by the registration desk.

When we change this policy we update the “Last updated” date and, for material changes, email everyone affected before the change takes effect. Questions, corrections, and access requests go to info@shangyoutrade.com — or by post to the Lagos office on the contact page.