How we handle your data.

The short version

We collect the minimum data needed to run a Canadian job board. Resumes are stored privately, not on a public CDN. We don't sell your data. We'll show it to you, correct it, or delete it on request. If you have a privacy concern, email jasonlin@canuckhire.com and we'll respond within 30 days.

The rest of this page is the longer, accurate version, organized by the ten principles set out in Schedule 1 of PIPEDA.

1. Accountability

Canuck Hire is the organization responsible for the personal information in our care. Our designated Privacy Officer is:

Jason Lin
jasonlin@canuckhire.com

We remain accountable for personal information transferred to third parties for processing (see Section 4).

2. Identifying purposes

We collect personal information for the purposes listed below, and not for purposes you wouldn't reasonably expect:

• Operate your account. Email, name, hashed password, sign-in sessions.
• Run job search. Your saved searches, location preferences, and job alerts.
• Connect you with employers. Profile data, resume, application records, messages between you and an employer.
• Verify identity (optional). If you choose to become a Verified seeker, we collect a verification result from Stripe Identity. We do not receive or store your government ID images.
• Bill employer subscriptions. For employers, we use Stripe to process payments. We don't store full card numbers.
• Send transactional and marketing email. Account confirmations, job alerts you opted into, and (with consent) occasional product updates.
• Keep the service safe. Logs, IP addresses, and rate-limit signals to detect abuse, fraud, and spam.
• Improve the product. Aggregated, de-identified analytics about how the site is used.
• Comply with the law. Tax records for employer payments, court orders, and lawful access requests.

3. Consent

We get your consent before we collect, use, or disclose personal information, except where the law allows otherwise (for example, to investigate a breach of an agreement or to comply with a subpoena).

Creating an account, posting a job, applying to a job, or opting into identity verification all involve clear acts of consent. Where we materially change how we use your data, we will ask again.

You can withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. To withdraw consent, change a setting in your profile, unsubscribe from email, or contact our Privacy Officer. Some withdrawals (e.g., closing your account) end your ability to use the Service.

4. Limiting collection

We collect only what is necessary for the purposes in Section 2. We don't buy data brokers' profiles, and we don't fingerprint visitors across the web.

Third-party processors we use:

• Vercel (United States) — hosting and edge runtime. Handles all request data.
• Neon / PostgreSQL (Canada region where available) — primary database.
• Cloudflare R2 — private object storage for resumes and verification documents. Files are accessed only through short-lived signed URLs scoped to authenticated users.
• Stripe / Stripe Identity — payment processing and optional identity verification. Stripe is the controller of the ID images you submit; we receive a verification result.
• Resend — transactional email delivery.
• Vercel Analytics and Google Analytics — aggregated traffic measurement. We do not enable cross-site advertising features.

Some of these processors are located outside Canada. While your data is in their care it may be subject to the laws of those jurisdictions, including lawful access by foreign authorities. We require contractual safeguards consistent with PIPEDA from each processor.

5. Limiting use, disclosure, and retention

We use personal information only for the purposes for which it was collected, except with consent or as required by law. We do not sell personal information.

Disclosure to employers. When you apply to a job, the employer who posted that job sees your application, your resume, and the profile fields visible at the time you applied. Employers agree, in our Terms, to use applicant data only to evaluate you for the role you applied to.

Retention. We keep personal information only as long as needed for the identified purpose, then we delete or anonymize it. Specifically:

• Active account data — kept while your account is active.
• Closed accounts — soft-deleted immediately (your profile and resume disappear from search), then hard-deleted after a 30-day grace period unless we're required to keep specific records longer (e.g., for tax or fraud investigation).
• Identity verification raw payload — purged from our database 90 days after verification completes. We also instruct Stripe Identity to redact the underlying verification session at that point.
• Application records — retained while either you or the employer maintains an account, then deleted with the account.
• Email and messaging logs — retained 12 months.
• Server logs — retained 30 days.
• Analytics — retained per processor defaults (typically 90 days for Vercel Analytics, up to 14 months for Google Analytics).

6. Accuracy

We keep personal information as accurate, complete, and up-to-date as is needed for the purposes for which it's used. You can update most of your information yourself from your profile settings. If something we hold about you is wrong and you can't fix it through the app, contact our Privacy Officer.

7. Safeguards

We protect personal information with safeguards appropriate to its sensitivity:

• In transit: TLS 1.2+ on every connection.
• At rest: Database encryption provided by our managed Postgres host. Resumes and verification documents stored in private object storage; never on a public CDN.
• Access control: Resumes are served through authenticated, per-user signed URLs that expire within minutes. Only the seeker who uploaded a file and the employers they applied to can access it.
• Authentication: Email + password with bcrypt hashing, OAuth (Google, GitHub), and email-confirmation on registration.
• Operational: Production access is limited to the Privacy Officer and engineers under contract with confidentiality obligations. Production secrets are stored in Vercel environment variables and rotated on personnel changes.
• Defensive: GraphQL depth and complexity limits, rate limiting on sensitive endpoints, and per-batch caps on automated job ingestion.

No system is perfect. If we discover a breach that creates a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada as required by PIPEDA, and we will keep records of all breaches whether or not they meet the notification threshold.

8. Openness

This policy is the public statement of our information practices. The version, effective date, and Privacy Officer contact are at the top of this page. When we make material changes, we will update the version date and notify users by email or in-app notice; minor edits will simply update the version date.

9. Individual access

On request, we will tell you what personal information we hold about you, how we use it, and (in general terms) who we have shared it with. We will also give you access to that information unless an exception under PIPEDA applies (for example, where giving access would reveal personal information about a third party that can't be redacted).

To make an access request, email jasonlin@canuckhire.com. We will respond within 30 days. If we need longer (up to a further 30 days for a complex request), we will tell you why. There is no fee for routine requests.

You can also delete your account at any time from your profile settings. Account deletion triggers the retention timeline in Section 5.

10. Challenging compliance

If you believe we have not handled your personal information in accordance with this policy or PIPEDA, please raise it with our Privacy Officer first. We will investigate and respond. If you're not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada:

Office of the Privacy Commissioner of Canada
30 Victoria Street, Gatineau, Quebec K1A 1H3
priv.gc.ca · 1-800-282-1376

A note on children

Canuck Hire is not directed at children under 16. We don't knowingly collect information from anyone under that age. If you believe a child has created an account, contact our Privacy Officer and we will delete the account.

A note on cookies

We use first-party cookies for essential functions (sign-in sessions, CSRF protection) and a small number of analytics cookies set by Vercel Analytics and Google Analytics. We do not use cross-site advertising cookies. You can clear cookies in your browser at any time; doing so will sign you out.

Contact

Questions, requests, or concerns about your privacy?

Jason Lin · Privacy Officer
jasonlin@canuckhire.com