Privacy Policy & Data Protection Statement

Comprehensive Data Governance Framework — PIPEDA & Quebec Law 25 Compliant

Effective Date: March 4, 2026 | Version 2.0

WARNING TO USERS IN QUEBEC / AVIS AUX UTILISATEURS DU QUÉBEC

Français : La présente politique de confidentialité est disponible en français et en anglais. En vertu de la Charte de la langue française du Québec et de la Loi 25 (anciennement Loi modernisant des dispositions législatives en matière de protection des renseignements personnels), les utilisateurs résidant au Québec ont le droit de recevoir et de consulter ce document dans la langue française. En utilisant la plateforme, vous confirmez votre volonté expresse et libre d'être lié par la version anglaise de cette politique (si applicable à votre situation particulière), après avoir eu une occasion raisonnable et pleine de consulter la version française dans son intégralité. Si vous avez des questions concernant le traitement de vos renseignements personnels, veuillez communiquer avec notre Responsable de la protection des renseignements personnels à l'adresse privacy@crewd.ai.

English: This Privacy Policy is available in both French and English. Under Quebec's Charter of the French Language and Law 25 (formerly An Act to modernize legislative provisions as regards the protection of personal information), users residing in Quebec have the right to receive and review this document in French. By using the Platform, you confirm your express and free wish to be bound by the English version of this Policy (if applicable to your particular situation), after having had a full and reasonable opportunity to consult the French version in its entirety. If you have questions about the processing of your personal information, please contact our Privacy Officer at privacy@crewd.ai.

1. Introduction and Scope of Application

Crewd Inc. ("Crewd," "we," "us," or "our") is a corporation incorporated under the laws of Canada that operates a digital labour marketplace (the "Platform") facilitating connections between construction contractors ("Seekers," i.e., those seeking skilled labour) and independent trades organizations ("Providers," i.e., those providing skilled labour). The Platform is accessible via web application and mobile application.

This Privacy Policy ("Policy") constitutes the comprehensive data governance framework governing all collection, use, disclosure, processing, retention, and destruction of Personal Information. This Policy has been engineered to comply with the most stringent applicable privacy standards in Canada, including: (i) the Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5, as amended, and its Breach of Security Safeguards Regulations; (ii) Quebec's Act respecting the protection of personal information in the private sector (APPIPS), as comprehensively reformed by Law 25 (An Act to modernize legislative provisions as regards the protection of personal information), including all provisions in force as of September 22, 2023; (iii) the Employment Standards Act, 2000 (Ontario) as amended by the Working for Workers Act (Bill 88, 2022) regarding electronic monitoring; and (iv) all other applicable provincial privacy legislation.

This Policy applies to all natural persons (individuals) who access or use the Platform in any capacity, including: (a) representatives of Seeker organizations (contractors seeking skilled trades labour); (b) representatives of Provider organizations (trades firms offering skilled trades labour); (c) individual workers employed or engaged by Provider organizations who are assigned to jobs through the Platform; (d) visitors to our publicly accessible website; and (e) any individual whose personal information we receive in connection with the operation of the Platform.

1.1 The Business-to-Business (B2B) Context and Sole Proprietor Exception

The Platform is designed to facilitate commercial transactions between registered business entities. Where a user accesses the Platform in their capacity as a duly authorized representative of an incorporated business entity (corporation, partnership, or registered trade name), the contact information provided by that representative in their professional capacity (business email address, business telephone number, business address) may constitute Business Contact Information (BCI) that is not subject to PIPEDA or Law 25 protection in the same manner as purely personal information.

However, Crewd expressly acknowledges the following critical exception: Quebec Sole Proprietors. Where an individual in Quebec operates as a sole proprietor (travailleur autonome) or in a legal form where the business identity is legally indistinguishable from the personal identity of the individual, all information collected about that individual — including their business name, registration number, email, phone number, address, and financial information — is treated by Crewd as personal information subject to the full protections of Quebec Law 25 and PIPEDA. Crewd will not rely on the BCI exclusion to diminish the privacy rights of any Quebec sole proprietor.

Furthermore, regardless of corporate structure, individual workers who are assigned to jobs through the Platform are always treated as natural persons whose personal information (name, phone, attendance records, time entries, reliability score) is fully protected under this Policy. The B2B characterization applies only to the organizational level, never to individual human beings who perform labour.

1.2 Geographic Scope

This Policy applies to all users located anywhere in Canada who access the Platform. Where users are located in Quebec, the heightened protections of Law 25 apply in full. Where users are located in other provinces, PIPEDA and applicable provincial legislation apply. The Platform is not currently offered to users outside of Canada, and Crewd makes no representation that the Platform is appropriate for use or accessible in any jurisdiction outside of Canada.

1.3 Privacy Governance and Accountability

Crewd has designated a Privacy Officer who is accountable for Crewd's compliance with this Policy and all applicable privacy legislation. The Privacy Officer is responsible for: (a) developing and maintaining privacy policies and procedures; (b) receiving and responding to privacy complaints and Subject Access Requests; (c) conducting Privacy Impact Assessments (PIAs) for new or materially changed data processing activities; (d) maintaining a record of processing activities as required by Law 25; (e) reporting confirmed privacy breaches to the Office of the Privacy Commissioner of Canada (OPC) and the Commission d'accès à l'information du Québec (CAI) as required; and (f) training staff on privacy obligations. The Privacy Officer may be contacted at: privacy@crewd.ai. Crewd will acknowledge receipt of all privacy inquiries within five (5) business days and will respond substantively within thirty (30) calendar days, as required by PIPEDA.

2. Data Collection and Full PII Inventory

Crewd collects only the personal information that is necessary for the identified purposes described in this Policy. The following constitutes an exhaustive inventory of all categories of personal information collected, organized by data category. This inventory is maintained in accordance with Law 25's requirement to document all personal information held by Crewd.

| Data Category | Specific Data Elements | Purpose of Collection | Legal Basis |
| --- | --- | --- | --- |
| Account Identity | First name; last name; email address; phone number; Clerk authentication identifier (clerkId); user role within the Platform (OrgOwner, OrgAdmin, OrgManager, OrgEmployee, SuperAdmin, Admin); notification preference settings (notificationDisabledTypes); assigned location identifier; denormalized search text field containing first name, last name, and email concatenated for search functionality. | User authentication and account management; role-based access control; in-platform search and discovery; delivery of platform notifications. | Contractual necessity — required to create and maintain an account and deliver Platform services. |
| Business Identity | Organization name; organization URL slug; organization timezone; business registration number (GST/HST/QST registration or provincial business number); Stripe Connected Account identifier (stripeId); Stripe onboarding completion status (stripeOnboardingComplete); organization type (Provider/Seeker). | Business verification; payment infrastructure setup and management; tax compliance; organizational differentiation within the Platform. | Contractual necessity; legal obligation (tax compliance under the Income Tax Act and Tax Administration Act (Quebec)). |
| Location and Geolocation Data | Organization location addresses (full civic addresses); geographic coordinates (latitude and longitude) of organization locations; whether a location is the primary operating location (isPrimary flag); maximum travel distance configuration (maxTravelDistance, in kilometers); structured address components including: street number and name, city/municipality, province/state, postal/zip code, and country; job site addresses (full civic addresses); geographic coordinates of job sites (latitude and longitude); structured address components of job sites. | Automated job-to-Provider matching via geographic proximity calculation (see Section 3 — Automated Decision-Making); attendance verification; distance-based filtering in the matching pipeline. | Contractual necessity for matching; legitimate interest in accurate geographic routing. |
| Employment and Engagement Data | Job posting details including: job site address and coordinates, scheduled job dates, scheduled start time per date (expressed in minutes from midnight in the organization's timezone), scheduled shift duration per date (in minutes), scheduled break duration per date (in minutes); clock-in PIN secret (a TOTP-style 6-digit cryptographic PIN used for worker clock-in/clock-out verification, stored in hashed/encrypted form); organization invitation records including: invitee phone number, one-time invitation code (6-digit), invited role, invitation expiry timestamp, and configuration data specifying assigned positions and assigned location. | Job management and scheduling; secure clock-in/clock-out verification; onboarding of new workers and administrators to organizations. | Contractual necessity. |
| Time and Attendance Records | Clock-in timestamp (Unix milliseconds); clock-out timestamp (Unix milliseconds); break start timestamp (Unix milliseconds); break end timestamp (Unix milliseconds); indicator of whether break duration exceeded the allotted break time (breakExceededAllotted); shift date; time entry status (pending, confirmed, disputed, overridden); confirmation status; confirmed-at timestamp; confirmed hours (decimal); administrative override reason (free-text, entered by Crewd administrators); identifier of the administrator who overrode the entry (overriddenBy); override timestamp; attendance record shift date; attendance classification (on_time, late_arrival, early_departure, no_show); scheduled start time; scheduled end time; actual start time; actual end time; scheduled hours; actual hours worked; variance percentage between scheduled and actual hours. | Accurate billing calculation; worker payment verification; dispute resolution; employment standards compliance; attendance-based reliability scoring. | Contractual necessity; legal obligation (employment standards record-keeping). |
| Communications Data | Chat message body content (full text of all messages sent through the Platform's messaging feature); message sender identifier; channel identifier; broadcast group identifier; message creation timestamp; Twilio SMS gateway data including: destination phone number, message body content, Twilio message SID (unique message identifier), message delivery status, Twilio error codes (if delivery failed), number of delivery attempts, timestamp of last delivery attempt. | Facilitating communications between Platform participants; fraud prevention; anti-circumvention enforcement; dispute resolution; SMS notification delivery. | Contractual necessity; legitimate interest in fraud prevention and anti-circumvention. |
| Financial and Billing Data | Billing period start and end dates; Stripe invoice identifier (stripeInvoiceId); hosted invoice URL (stripeHostedInvoiceUrl — a URL allowing access to the invoice on Stripe's infrastructure); billing period status; late fee application indicator; late fee amount in cents; job billing entry data including: billable dates, line item details (position name, headcount, scheduled hours, worker pay rate, platform commission rate, total labour cost, total platform commission), subtotal in cents, platform commission total in cents, total platform fees in cents; Stripe Connected Account identifier; Stripe session status; Stripe session types; Stripe client secret (for secure frontend payment flows); Stripe Setup Intent identifier; Stripe payment status. | Invoice generation; payment processing; reconciliation of scheduled versus actual hours worked; late fee calculation; Stripe Connect payout management. | Contractual necessity; legal obligation (tax and financial record-keeping). |
| Onboarding Data | Onboarding form data (free-form structured data, designated in the database schema as v.any(), meaning this field may contain any structured information submitted during the onboarding process, including but not limited to: business registration details, trade certification information, insurance certificate details, banking information submitted for Stripe Connect onboarding, safety training records, and any other information voluntarily provided during the onboarding workflow); onboarding type identifier; current onboarding step; onboarding error state. | Completing Provider and Seeker account setup; verifying business credentials; configuring Stripe Connect payment infrastructure. | Contractual necessity; consent (where onboarding data collection exceeds contractual necessity). |
| System and Audit Data | Audit log records including: actor identifier (who performed the action); actor type (user, system, administrator); action performed; resource type affected; resource identifier affected; metadata (free-form structured data — v.any() — which may contain contextual details about the action); timestamp; outcome of the action (success, failure); severity classification; notification records including: notification type, notification title, notification body text, notification priority level, notification delivery status, notification metadata (free-form structured data), user identifier, dismissal timestamp, read timestamp. | Security monitoring; fraud detection; regulatory compliance; audit trail maintenance; debugging and operational support. | Legitimate interest in security and fraud prevention; legal obligation (regulatory audit trail requirements). |
| Performance Metrics | Reliability score (a numeric value from 0 to 100, inclusive, computed algorithmically from attendance data — see Section 3 for the precise formula); component inputs to the reliability score including: on-time arrival rate, no-show rate, shift completion rate, and shift duration variance percentage. | Provider quality assessment; job matching prioritization; surfacing quality metrics to Seekers making hiring decisions. | Legitimate interest; contractual necessity. |

2.1 Geolocation Data: Strict Active-Job-Hours-Only Collection Protocol

Crewd recognizes that continuous or background geolocation tracking is among the most privacy-invasive forms of data collection. Accordingly, Crewd implements a strict Event-Based Geolocation Policy designed to collect precise location data only when operationally necessary and never for surveillance, continuous monitoring, or profiling of movement patterns outside of active work engagements.

  • Collection Trigger: Precise GPS coordinates of individual workers are collected ONLY during an active clock-in event — specifically, when a worker enters the clock-in PIN at a job site to mark the beginning of a shift. The geographic coordinates captured at clock-in are used solely to generate a proximity verification record confirming the worker's presence at or near the designated job site address.
  • Purpose Limitation: Geolocation data collected at clock-in is used exclusively for: (a) verifying worker presence at the job site for attendance confirmation purposes; (b) providing a "Proof of Presence" record for billing dispute resolution; and (c) safety logistics where applicable. Geolocation data is NOT used for: continuous real-time tracking of worker movements during a shift; tracking worker movements between job sites; monitoring worker locations outside of active shift hours; performance management or productivity monitoring; or any purpose not expressly identified in this Policy.
  • Cessation of Collection: Geolocation data collection is automatically and immediately suspended upon clock-out. No background geolocation data is collected after a shift ends. Crewd does not maintain records of worker movement between job sites, during transit, or at any time outside of the specific clock-in event.
  • Organizational Matching Geolocation: Separately, Crewd uses the registered address coordinates of Provider organizations (latitude/longitude stored in the Organization Locations table) as input data for the automated job-matching pipeline (see Section 3.1). This data represents the business address of a legal entity and is not equivalent to real-time individual tracking. The Google Maps Route Matrix API is used to calculate estimated driving distance between Provider locations and Seeker job sites. No individual worker's real-time location is used in this calculation.
  • Consent: By clocking in via the Platform's PIN-based clock-in system, workers expressly consent to the single-event geolocation capture described above. Workers who do not wish to share their location should not use the clock-in feature and should contact their organization's administrator for alternative attendance verification arrangements.

2.2 Chat and Communications Monitoring

The Platform includes an integrated text-based messaging system enabling communication between Seekers, Providers, workers, and Platform administrators. All users are hereby expressly notified that they have no reasonable expectation of privacy in any communications transmitted through the Platform's messaging system. By using the Platform's messaging features, users explicitly consent to the monitoring, retention, and review of all messages as described in this section.

Permissible Purposes for Chat Monitoring

  • Fraud Prevention: Detection of phishing attempts, identity fraud, impersonation, and other fraudulent schemes targeting Platform users.
  • Anti-Circumvention Enforcement: Detection of attempts to arrange off-platform transactions in violation of the Platform's Non-Circumvention Agreement, which requires that all business relationships originating on the Platform be conducted through the Platform for a defined exclusivity period.
  • Dispute Resolution: Retrieval and review of message records when a formal dispute is raised between a Seeker and a Provider regarding job performance, payment, cancellation, or other contractual matters.
  • Safety and Community Standards: Detection of harassment, threats, discriminatory language, or other communications that violate Crewd's Community Standards or create a safety risk for any user.
  • Legal Compliance: Disclosure of message records in response to valid court orders, search warrants, or other lawful demands from law enforcement or regulatory authorities.

Expressly Prohibited Uses of Chat Monitoring

Crewd expressly disclaims any use of chat monitoring data for: (a) individual worker performance management; (b) disciplinary proceedings against workers on behalf of Seeker organizations; (c) profiling user communications patterns for advertising or commercial targeting; or (d) any purpose not expressly identified above. This limitation is material to maintaining the independent contractor relationship between Provider workers and Seeker organizations, and to Crewd's classification as a technology platform rather than an employer.

Chat Data Retention

All chat message records are retained for a period of seven (7) years from the date of the message, in accordance with Crewd's anti-circumvention enforcement obligations and dispute resolution needs (see Section 8 — Retention Schedule). Users should be aware that deletion of an account does not result in immediate erasure of chat records, to the extent retention is necessary for the legal purposes described above.

3. Automated Decision-Making (ADM) — Law 25 Article 12.1 Disclosure

Quebec Law 25, through Article 12.1 of the Act respecting the protection of personal information in the private sector, requires that organizations disclose to individuals when a decision that produces effects with respect to them is made exclusively through technological means, without human involvement. This section constitutes Crewd's mandatory disclosure of all automated decision-making systems operating on the Platform that may produce legal or similarly significant effects for users.

In connection with all automated decision-making systems described below, you have the following rights: (a) the right to request that Crewd inform you of the parameters used in the automated decision-making process; (b) the right to request that a human review and, where applicable, correct or override the automated decision; (c) the right to present observations regarding any automated decision that affects you; and (d) the right to receive notification when an automated decision produces legal or similarly significant effects, including account suspension, penalty creation, or removal from job matching consideration. To exercise these rights, contact privacy@crewd.ai.

3.1 Three-Stage Automated Job Matching Pipeline

When a Seeker publishes a job on the Platform, an automated pipeline evaluates all registered Provider organizations to determine which Providers are eligible to receive a job offer. This pipeline operates in three sequential stages, with each stage capable of excluding a Provider from receiving an offer. No human reviews matching decisions — the process is fully automated. A Provider that is excluded by the matching pipeline will not receive a job offer and will have no opportunity to bid on the job unless the Seeker manually bypasses the pipeline.

Stage 1 — Geographic Location Matching

The system queries the Google Maps Route Matrix API to calculate the estimated driving distance between each Provider's registered organization location(s) (stored as latitude/longitude coordinates in the Organization Locations table) and the job site address (stored as latitude/longitude coordinates in the Jobs table). The API is queried in batches of up to 25 Provider locations by 25 job sites per API call. A Provider organization is excluded from further consideration and will not receive a job offer if any of the following conditions are true: (i) the Google Maps API returns no navigable driving route between the Provider location and the job site; (ii) the calculated driving distance exceeds the Provider's configured maximum travel distance (maxTravelDistance, in kilometers), as set by the Provider's administrators in their location settings; or (iii) the Provider has not configured a maximum travel distance, meaning the system cannot confirm the Provider is willing to travel to the job site. The geographic coordinates of Provider locations are used as the origin points; the geographic coordinates of job sites are used as the destination points.

Stage 2 — Position and Certification Matching

The system compares the global position requirements defined in the job posting (including required position types and required certifications) against the positions and certifications configured in each Provider organization's profile. A Provider organization is excluded from further consideration if any of the following conditions are true: (i) the total hourly cost that would be charged to the Seeker (calculated as the Provider's worker hourly rate plus Crewd's platform commission rate) exceeds the Seeker's maximum acceptable hourly rate (maxHourlyRate) for the required position; or (ii) the Provider organization does not possess one or more certifications that are marked as required for the job position.

Stage 3 — Availability and Schedule Matching

The system evaluates the Provider organization's configured weekly availability schedule against the job's required dates, start times, and durations, converting all times to the relevant organization's configured timezone. A Provider organization is excluded from further consideration if the Provider's availability schedule does not provide sufficient coverage (i.e., available working hours) for all required dates and times in the job posting. Only Providers that pass all three stages will receive an automated job offer through the Platform. The resulting offer is then subject to the Dynamic Offer TTL rules described in Section 3.3.

3.2 Reliability Score Computation

The Platform maintains a Reliability Score for each Provider organization, expressed as a numeric value from 0 to 100. This score is computed automatically each time a relevant attendance event is recorded (including no-show detection) and is displayed to Seekers as a quality indicator. The Reliability Score may influence whether Seekers choose to extend job offers to a Provider and may be used as an input to future matching pipeline enhancements. The score is computed using the following weighted formula:

Reliability Score = (On-Time Rate × 0.35) + (No-Show Rate × 0.30) + (Completion Rate × 0.20) + (Variance Consistency × 0.15)

Score Component Definitions

  • On-Time Rate (35% weight): The percentage of all recorded attendance events classified as "on_time" out of all attendance events with a non-no-show classification. A value of 1.0 (100%) means all shifts where the worker was present were on time.
  • No-Show Rate (30% weight): Calculated as (1 − noShowCount ÷ totalShiftCount). A perfect score (1.0) means zero no-shows. Each confirmed no-show reduces this component. The no-show component has the second-highest weight because no-shows cause the most significant operational disruption for Seekers.
  • Completion Rate (20% weight): Calculated as the number of shifts completed (all attendance statuses other than no_show) divided by total shifts. This component rewards consistent presence.
  • Variance Consistency (15% weight): Calculated as (1 − averageVariancePercent ÷ 100), clamped to the range [0, 1]. The averageVariancePercent is the mean of all variancePercent values recorded in the Attendance Records table for the organization. A low variance percentage (meaning workers consistently worked close to the scheduled hours) results in a higher score on this component.

The Reliability Score is automatically recalculated each time a no-show is detected by the automated no-show detection cron job (see Section 3.4). Recalculation is triggered without any human intervention. Providers whose Reliability Score falls below defined thresholds may be deprioritized in matching results or, in extreme cases, reviewed by Crewd administrators for potential account suspension.
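An added illustration of the formula above, not Crewd's code: it carries the four component definitions through in Python on constructed attendance records, so a Provider can reproduce a score from the disclosed parameters. The class and function names are hypothetical, and the example assumes that every shift has exactly one attendance record, that the weighted sum of the 0-to-1 components is multiplied by 100 to reach the stated 0 to 100 range, and the fallback values noted in the comments.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional

# Weights as stated in Section 3.2.
WEIGHTS = {"on_time": 0.35, "no_show": 0.30, "completion": 0.20, "variance": 0.15}

# Attendance classifications listed in the Section 2 inventory.
CLASSIFICATIONS = {"on_time", "late_arrival", "early_departure", "no_show"}


@dataclass(frozen=True)
class Attendance:
    """One attendance record (hypothetical shape, for illustration only)."""
    classification: str
    variance_percent: Optional[float] = None  # None = no variance value recorded


def reliability_components(records):
    """Return the four components, each in [0, 1], or None if there are no shifts."""
    for r in records:
        if r.classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification: {r.classification!r}")
    total = len(records)
    if total == 0:
        return None  # assumption: no score exists until a shift is recorded

    no_shows = sum(r.classification == "no_show" for r in records)
    attended = total - no_shows
    on_time = sum(r.classification == "on_time" for r in records)

    variances = [r.variance_percent for r in records if r.variance_percent is not None]
    # Assumption: with no recorded variance values, the component contributes 0.
    avg_variance = mean(variances) if variances else 100.0

    return {
        # on_time events out of all events with a non-no-show classification;
        # assumption: 0 when nobody attended (the policy leaves this undefined).
        "on_time": on_time / attended if attended else 0.0,
        # 1 - noShowCount / totalShiftCount
        "no_show": 1 - no_shows / total,
        # Shifts other than no_show divided by total shifts. With one record per
        # shift this equals the no_show component, so no-shows carry an
        # effective weight of 0.30 + 0.20 = 0.50.
        "completion": attended / total,
        # 1 - averageVariancePercent / 100, clamped to [0, 1]
        "variance": min(1.0, max(0.0, 1 - avg_variance / 100)),
    }


def reliability_score(records):
    """Weighted sum of the components, scaled to 0-100 (scaling is an assumption)."""
    components = reliability_components(records)
    if components is None:
        return None
    return round(100 * sum(WEIGHTS[k] * v for k, v in components.items()), 2)


# Constructed sample: 10 shifts for one Provider organization.
SAMPLE = (
    [Attendance("on_time", v) for v in (0, 0, 5, 5, 0, 0)]
    + [Attendance("late_arrival", 10), Attendance("late_arrival", 20)]
    + [Attendance("early_departure", 30)]
    + [Attendance("no_show", 100)]
)

if __name__ == "__main__":
    for name, value in reliability_components(SAMPLE).items():
        print(f"{name:<10} {value:.4f}  (weight {WEIGHTS[name]})")
    print("score     ", reliability_score(SAMPLE))
```
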

3.3 Dynamic Offer Time-to-Live (TTL) Assignment

When the matching pipeline generates a job offer for a Provider, the offer is assigned an automatic expiry time (Time-to-Live, or TTL) based on the proximity of the current date and time to the first shift date of the job. This TTL is assigned without human review. If the Provider does not accept or decline the offer before the TTL expires, the offer is automatically withdrawn and the Provider is excluded from consideration for that job. The TTL tiers are as follows:

  • 48-Hour Offer Window: Assigned when the time remaining until the job's first shift is 120 hours (5 days) or more. Providers have 48 hours from the moment of offer delivery to respond.
  • 24-Hour Offer Window: Assigned when the time remaining until the job's first shift is between 48 hours (2 days) and 120 hours (5 days), exclusive. Providers have 24 hours from the moment of offer delivery to respond.
  • 12-Hour Offer Window: Assigned when the time remaining until the job's first shift is less than 48 hours (2 days). Providers have 12 hours from the moment of offer delivery to respond.
  • These TTL thresholds are configurable by Crewd platform administrators via platform settings (stored under the key offerExpiryTiers). Any changes to these thresholds will be reflected in the Policy.

3.4 Automated No-Show Detection

The Platform operates an automated hourly cron job (a scheduled background process) that scans all confirmed and active jobs to detect potential worker no-shows. The cron job logic is as follows: for each scheduled shift in a confirmed or active job, if the current time is more than one (1) hour past the scheduled shift end time AND no attendance record exists AND no time entry exists for that shift, the system automatically creates an attendance record with the classification "no_show." This classification is applied without human review.

Upon automatic no-show detection, the following downstream automated actions are triggered without human involvement: (a) the Provider organization's Reliability Score is automatically recalculated (see Section 3.2); (b) automated notifications are dispatched to the Provider organization's administrators, the Seeker organization's representatives, and Crewd's internal operations team; and (c) a no-show penalty record is automatically created (see Section 3.6 regarding penalty types). Important: while the no-show record and penalty record are created automatically, no Stripe charge is executed automatically. All penalties require review and approval by a Crewd administrator before any financial charge is processed against a payment instrument.

3.5 Time Entry Auto-Confirmation

When a worker clocks out of a shift, a time entry record is created with a status of "pending" or equivalent, pending confirmation by the Seeker organization's representative. The Seeker organization has a window of twelve (12) hours from the clock-out timestamp to review and either confirm or dispute the time entry.

If the Seeker organization's representative does not take any action within the 12-hour review window, the time entry is automatically confirmed by the system without human action. Auto-confirmation has the same legal and financial effect as manual confirmation: the confirmed hours are treated as accurate and are used as the basis for billing calculations, including reconciliation invoices or credit notes.

This automated process may affect billing amounts. Seekers who believe a time entry is inaccurate should dispute the entry within the 12-hour window. After auto-confirmation, corrections require a formal dispute process with Crewd's support team.

3.6 Automated Penalty Creation (Four Penalty Types)

The Platform automatically creates penalty records in response to defined triggering events. There are four (4) penalty types. In all cases, the penalty record is created automatically, but no Stripe charge is executed without administrative review and approval.

  • client_late (Seeker Late Cancellation Penalty): Automatically created when a Seeker cancels a confirmed job within twenty-four (24) hours of the job's first scheduled shift. The penalty amount reflects the agreed-upon liquidated damages for short-notice cancellation as specified in Crewd's Terms of Service.
  • auto_nonpayment (Non-Payment Auto-Penalty): Automatically created when a job is cancelled due to non-payment — specifically, when a job has been in a paused state due to an outstanding invoice for seven (7) or more consecutive days and is subsequently auto-cancelled (see Section 3.8). The penalty is calculated based on the value of the cancelled engagement.
  • trades_firm_withdrawal (Provider Withdrawal Penalty): Automatically created when a Provider organization withdraws from a confirmed job within the defined penalty window. The penalty window and amount are governed by the Terms of Service.
  • trades_firm_no_show (Provider No-Show Penalty): Automatically created as a direct consequence of the no-show detection described in Section 3.4. Each automatically detected no-show generates a corresponding penalty record for administrative review.

3.7 Automated Organization Payment Blocking

The Platform automatically restricts a Seeker organization's ability to publish new jobs when the organization has one or more overdue invoices. Specifically, if a Seeker organization has an invoice in "overdue" status (meaning payment has not been received by the invoice due date), the system automatically sets a flag on the organization's account that prevents the organization from publishing new job postings.

The organization is automatically unblocked when all overdue invoices are marked as paid in the system. The transition from blocked to unblocked is automated and does not require manual intervention by a Crewd administrator, provided payment has been received and recorded by Stripe.

3.8 Automated Job Cancellation

The Platform operates automated cron jobs that cancel jobs in the following circumstances, without human review:

  • Expired Published Jobs: A daily cron job (expiredJobsCron) scans all jobs in "published" status. If the job's first scheduled shift date has passed and the job has not been confirmed (i.e., no Provider has been matched and confirmed), the job is automatically cancelled.
  • Paused Non-Payment Cancellation: A daily cron job (pausedJobsCron) scans all jobs in "paused" status. If a job has been paused due to non-payment for seven (7) or more consecutive days, the job is automatically cancelled. An auto_nonpayment penalty record is created upon such cancellation (see Section 3.6).

In both cases, automated notifications are dispatched to all relevant parties (Seeker organization, Provider organization if one was matched, and Crewd operations) upon auto-cancellation.

3.9 Automated Billing Reconciliation

Following the completion of a job, the Platform's reconciliation system automatically compares the scheduled billing amounts (calculated at job confirmation based on scheduled hours and rates) against the actual confirmed hours (taken from confirmed or auto-confirmed time entries — see Section 3.5). This comparison produces one of three outcomes:

  • Match: Scheduled and actual hours align within an acceptable variance threshold. No adjustment invoice is generated.
  • Underpayment (Reconciliation Invoice): If actual confirmed hours exceed scheduled hours beyond the threshold, the system automatically generates a reconciliation invoice for the additional amount owed by the Seeker organization.
  • Overpayment (Credit Note): If actual confirmed hours are less than scheduled hours beyond the threshold, the system automatically generates a credit note reflecting the overpayment amount owed to the Seeker organization.

Reconciliation invoices and credit notes are created automatically by the system and are reflected in the Stripe invoice infrastructure. Financial impacts of reconciliation are determined algorithmically without human review unless a party formally disputes the outcome.

4. Purposes of Processing and Lawful Bases

Crewd processes personal information only for the specific purposes identified in this Policy. The following subsections identify each processing purpose and the corresponding lawful basis under PIPEDA and Quebec Law 25. Crewd does not process personal information for purposes that are incompatible with those originally identified without obtaining fresh consent.

4.1 Platform Facilitation and Service Delivery

Crewd processes personal information to enable the core functionality of the Platform, including: creating and managing user accounts; matching Provider organizations with Seeker job postings through the automated matching pipeline; managing the job lifecycle from posting through confirmation, execution, and completion; enabling communications between Seekers and Providers; and providing role-based access to Platform features. Lawful basis: Contractual necessity. Processing this data is required to deliver the services that users have contracted with Crewd to receive. Without this processing, the Platform cannot function.

4.2 Payment Processing and Financial Administration

Crewd processes financial and billing data to: generate invoices for Seeker organizations based on confirmed time entries; process payments through Stripe Connect; manage Stripe Connected Account onboarding for Provider organizations; calculate and apply platform commissions; calculate and administer cancellation penalties and no-show penalties (subject to administrative review); generate reconciliation invoices and credit notes; manage overdue invoice tracking and associated account restrictions; and issue required tax documentation. Lawful basis: Contractual necessity; legal obligation (Income Tax Act; Tax Administration Act (Quebec); GST/HST/QST reporting requirements).

4.3 Safety and Regulatory Compliance

Crewd processes personal information to maintain records required for regulatory compliance, including: workplace health and safety records that may be required under the Occupational Health and Safety Act (Ontario), the Act respecting occupational health and safety (Quebec), and other provincial legislation; attendance and time records required under applicable employment standards legislation; records of trade certifications required to verify compliance with the Act respecting labour relations, vocational training and workforce management in the construction industry (Act R-20, Quebec) and Skilled Trades Ontario legislation; and records required for WSIB and CNESST workplace accident investigations. Lawful basis: Legal obligation.

4.4 Anti-Circumvention and Platform Integrity

Crewd processes communications data (chat messages) and activity logs to detect and prevent attempts to circumvent the Platform's fee structure by arranging off-platform transactions between Seekers and Providers who were introduced through the Platform. This processing is necessary to protect the commercial viability of the Platform and to enforce the Non-Circumvention Agreement that all users enter into as a condition of Platform access. Lawful basis: Legitimate interest. Crewd has conducted a legitimate interest assessment and determined that the interest in protecting its commercial model from circumvention is proportionate to users' privacy interests, particularly given the express disclosure and consent provided at account creation.

4.5 Tax Reporting and Government Disclosure

Crewd may process and disclose personal information and financial data to: the Canada Revenue Agency (CRA) and Revenu Québec for income tax, GST/HST/QST reporting, and audit compliance purposes; the Commission des normes, de l'équité, de la santé et de la sécurité du travail (CNESST) for workplace accident and labour standards matters; the Workplace Safety and Insurance Board (WSIB) for workplace accident claims; and other regulatory authorities as required by law. Lawful basis: Legal obligation.

4.6 Analytics and Platform Improvement

With separate consent, Crewd processes aggregated and, where technically feasible, anonymized or pseudonymized Platform usage data to: identify patterns in job matching outcomes; improve the accuracy of the matching pipeline; identify and address usability issues; measure Platform adoption and growth; and prepare internal business reports. Where such analytics processing involves personally identifiable data that cannot be anonymized, Crewd will obtain express consent before using such data for analytics purposes. Lawful basis: Legitimate interest (for anonymized/aggregated analytics); Consent (for analytics involving identifiable personal information).

4.7 Security, Fraud Prevention, and Audit

Crewd processes system and audit log data to: detect unauthorized access to user accounts; identify and respond to security incidents; maintain an immutable audit trail of all significant actions taken on the Platform; investigate suspected fraud or abuse; and support law enforcement investigations where legally required. Lawful basis: Legitimate interest; legal obligation.

5. Data Sharing and Sub-processor Registry

Crewd does not sell, rent, or trade your personal information to any third party for commercial purposes. Crewd does not share personal information with third parties for their own marketing or advertising purposes. We engage the following third-party sub-processors to process data on our behalf, in each case under written data processing agreements that require the sub-processor to: (a) process data only on Crewd's documented instructions; (b) implement appropriate technical and organizational security measures; (c) notify Crewd of any personal data breaches without undue delay; (d) assist Crewd in responding to data subject rights requests; and (e) return or destroy personal information upon termination of the agreement.

| Sub-processor | Role and Data Processed | Jurisdiction | Specific Data Categories Processed | Contractual Safeguard |
| --- | --- | --- | --- | --- |
| Clerk | Identity Provider & Authentication Platform | United States | First name, last name, email address, phone number, authentication tokens, session data, Clerk internal user identifiers, multi-factor authentication credentials. | Data Processing Agreement (DPA) incorporating 2021 EU Standard Contractual Clauses (SCCs) for transfers to third countries; SOC 2 Type II certified. |
| Convex | Realtime Database Backend-as-a-Service (BaaS) | United States (AWS us-east-1 region) | ALL application data described in Section 2 of this Policy, including: account identity data, business identity data, location and geolocation data, employment and engagement data, time and attendance records, communications data, financial and billing data, onboarding data, system and audit data, and performance metrics. Convex hosts the primary database for the Platform and processes the full PII inventory on Crewd's behalf. | Data Processing Agreement (DPA); AES-256 encryption at rest; TLS 1.3 in transit; SOC 2 Type II certified; access controls limiting Convex personnel access to customer data. |
| Stripe | Payment Processing and Stripe Connect Marketplace Infrastructure | Global (primary processing in the United States) | Business banking account details (provided directly by Provider organizations during Stripe Connect onboarding); invoice amounts; payment transaction records; Stripe account identifiers; Stripe Setup Intent data; payment method tokens; business identity information submitted for Stripe KYC/AML verification. | Stripe's Binding Corporate Rules (BCRs) approved by relevant European data protection authorities; PCI-DSS Level 1 certified; Stripe processes payment data directly — Crewd does not store full banking credentials. |
| Vercel | Frontend Application Hosting and Content Delivery Network (CDN) | Global (primary infrastructure in the United States) | User IP addresses; browser user-agent strings; HTTP access logs; session data transmitted through the CDN; edge function execution logs. | Data Processing Agreement (DPA) incorporating 2021 EU Standard Contractual Clauses (SCCs); SOC 2 Type II certified; Vercel Analytics processed with consent only. |
| Twilio | SMS Communications Gateway | United States | Destination phone numbers; SMS message body content (including invitation codes, notification messages, and OTP codes); Twilio message SIDs; message delivery status; Twilio error codes. | Data Processing Agreement (DPA) incorporating 2021 EU Standard Contractual Clauses (SCCs); ISO 27001 certified; SOC 2 Type II certified. |
| Google Cloud Platform (Maps API) | Geocoding, Address Validation, and Route Distance Calculation | United States | Organization location addresses and coordinates (latitude/longitude); job site addresses and coordinates (latitude/longitude); route distance queries between Provider locations and job sites (used in the automated matching pipeline described in Section 3.1). | Data Processing Agreement (DPA) incorporating 2021 EU Standard Contractual Clauses (SCCs); ISO 27001 certified; Google Cloud Security Framework. |
| Svix | Webhook Event Delivery and Signature Verification (via Clerk integration) | United States | Webhook event signatures and headers (used for cryptographic verification of webhook authenticity). Svix processes event metadata for signature verification purposes but does not directly process personal information. Any personal information in webhook payloads is transmitted directly from Clerk to Crewd's Convex backend via signed webhooks. | Inherited from Clerk's Data Processing Agreement; SOC 2 Type II certified. |

5.1 Regulatory and Law Enforcement Disclosures

In addition to the sub-processors listed above, Crewd may disclose personal information and financial records to the following authorities without prior notice where legally required or permitted: (a) Canada Revenue Agency (CRA) and Revenu Québec, for income tax audits, GST/HST/QST verification, and T4A/RL-1 tax slip reporting; (b) Commission des normes, de l'équité, de la santé et de la sécurité du travail (CNESST), for workplace accident investigations, labour standards complaints, and health and safety inspections; (c) Workplace Safety and Insurance Board (WSIB) (Ontario), for workplace accident claims and premiums assessments; (d) Régie du bâtiment du Québec (RBQ), for license verification and construction industry regulatory matters; (e) Law enforcement agencies, pursuant to valid search warrants, production orders, or other lawful demands; and (f) Courts and tribunals, pursuant to valid court orders, subpoenas, or other legal process. Where legally permitted to do so, Crewd will notify affected users before disclosing their personal information to law enforcement or regulatory authorities.

5.2 No Sale of Personal Information

Crewd does not sell personal information. Crewd does not share personal information with third parties for the third party's own commercial purposes. No personal information collected through the Platform is used in advertising technology, data brokerage, or commercial profiling by any party other than Crewd itself for the purposes disclosed in this Policy.

6. International and Cross-Border Data Transfers

Notice to All Canadian Users Regarding Cross-Border Data Processing

Crewd's Platform infrastructure is hosted primarily on cloud services located in the United States of America. Specifically, the Convex database (primary data store) is hosted on Amazon Web Services (AWS) in the us-east-1 region; the frontend application is hosted on Vercel's global CDN with US primary nodes; authentication is processed by Clerk with US-based infrastructure; payment processing is conducted by Stripe with US-primary infrastructure; and SMS communications are processed by Twilio in the United States. As a result, substantially all personal information collected through the Platform is transferred to and processed in the United States.

Risk Disclosure — US Government Access Laws: Canadian users should be aware that personal information transferred to and stored in the United States may be subject to access by US government authorities under the following legislation: (a) the USA PATRIOT Act, 18 U.S.C. § 2709, which permits US law enforcement to compel disclosure of user records from US-based service providers, potentially without notice to the affected individual; (b) the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), 18 U.S.C. § 2713, which extends the compelled disclosure authority to data held by US companies regardless of the physical location of the data; and (c) Foreign Intelligence Surveillance Act (FISA) Section 702, which permits US intelligence agencies to compel US-based electronic communications service providers to disclose data about non-US persons. These laws may not provide the same level of privacy protection as Canadian federal or Quebec provincial privacy legislation.

Risk Mitigation Measures: Crewd has implemented the following measures to reduce (though not eliminate) the risk of unauthorized government access: (a) AES-256 encryption of all data at rest in the Convex database, meaning that even if raw data files were accessed, they would be unreadable without Crewd's decryption keys; (b) TLS 1.3 encryption in transit between all system components, preventing interception of data during transmission; (c) strict, role-based least-privilege access controls within the Convex platform, limiting which Crewd personnel can access user data; (d) mandatory multi-factor authentication (MFA) for all Crewd personnel with administrative access; (e) Data Processing Agreements (DPAs) incorporating 2021 EU Standard Contractual Clauses (SCCs) with all US-based sub-processors that process personal information, requiring those sub-processors to challenge overly broad government access requests where legally permissible; and (f) Transfer Impact Assessments (TIAs), described below.

6.1 Transfer Impact Assessments (TIAs)

In accordance with Law 25's requirement that organizations assess the adequacy of protection provided by foreign jurisdictions before transferring personal information outside Quebec, Crewd has conducted Transfer Impact Assessments for all US-based sub-processors that receive personal information from the Platform. These assessments evaluate: (a) the nature of the personal information transferred; (b) the sensitivity of the information; (c) the applicable laws of the destination country, including government access powers; (d) the contractual and technical safeguards in place; and (e) whether the overall level of protection is substantially equivalent to the protection provided by Quebec law. Based on these assessments, Crewd has determined that the combination of contractual safeguards (SCCs/DPAs), technical measures (AES-256 encryption, TLS 1.3), and operational controls provides a level of protection that is substantially equivalent to Quebec standards, subject to the residual risks identified above. TIA summaries are available to Quebec users upon request by contacting privacy@crewd.ai. A high-level summary is provided in Schedule D of this Policy.

6.2 Consent to Cross-Border Transfer

By creating an account and using the Platform, you expressly consent to the transfer of your personal information to the United States for processing on the infrastructure described above. This consent is a condition of using the Platform, as the Platform cannot be delivered without US-based infrastructure. If you do not consent to cross-border transfer of your personal information, you should not create an account or use the Platform. You may withdraw this consent at any time, but withdrawal will result in the termination of your account, as continued use of the Platform requires cross-border data transfer.

7. Data Subject Rights

Under PIPEDA and Quebec Law 25, you have the following rights with respect to your personal information. Crewd will respond to all rights requests within thirty (30) calendar days of receipt, as required by PIPEDA. For complex requests under Law 25 that require additional time, Crewd may extend the response period by an additional thirty (30) days with written notice. All rights requests should be submitted to privacy@crewd.ai. Crewd may require identity verification before processing any rights request to protect against fraudulent requests.

7.1 Right of Access (Law 25 Art. 27; PIPEDA Principle 9)

You have the right to request access to: (a) confirmation of whether Crewd holds personal information about you; (b) a copy of all personal information that Crewd holds about you; (c) the purposes for which your personal information is being used; (d) the names of third parties and categories of third parties to whom your personal information has been disclosed; (e) the source of your personal information; and (f) the retention period applicable to your personal information. Crewd will provide access to your personal information in an intelligible format. Crewd may redact information that reveals the personal information of other individuals or that is subject to legal privilege. Where Crewd cannot provide access (e.g., due to legal privilege or third-party confidentiality), Crewd will explain the reason for refusal.

7.2 Right to Rectification (Law 25; PIPEDA Principle 9)

You have the right to request correction of any personal information held by Crewd that is inaccurate, incomplete, or misleading. Where Crewd corrects your personal information, Crewd will notify all third parties to whom the personal information was disclosed, to the extent reasonably practicable, so that those parties can also update their records. Where Crewd determines that a correction is not warranted, Crewd will annotate your file with your request so that any future recipients of the information will be aware that you dispute its accuracy.

7.3 Right to Erasure (with Legal Retention Override)

You have the right to request erasure of your personal information. However, Crewd may refuse or defer an erasure request where: (a) retention is required by applicable law, including: the Income Tax Act (Canada) and Tax Administration Act (Quebec), which require retention of financial records for a minimum of seven (7) years; construction industry limitation periods for negligence and deficiency claims, which may extend for up to seven (7) years or longer; and employment standards record-keeping requirements; (b) retention is necessary for the establishment, exercise, or defence of legal claims, including claims under Crewd's Non-Circumvention Agreement or disputes between Platform users; (c) retention is necessary for the detection and investigation of fraud or other illegal activity; or (d) the information relates to a person other than you and cannot be separated without unreasonable effort. Where erasure is refused in whole or in part, Crewd will provide a written explanation identifying the specific legal basis for each element of the refusal.

7.4 Right to Data Portability (Law 25 Art. 27)

In accordance with Law 25's data portability provisions, which apply to computerized personal information collected from you since September 22, 2023, you have the right to request that Crewd communicate to you the personal information that concerns you in a structured, commonly used, technological format. Crewd will provide portable data in JSON format, which is machine-readable and widely interoperable. The portable data export will include: (a) your account profile data (name, email, phone, role, notification settings); (b) your organization's data where you are an owner; (c) your time and attendance records; (d) your reliability score and component data; (e) your billing records; and (f) your onboarding data. Chat messages are included in portability exports subject to the rights of other parties whose personal information may be contained in those messages. Processing portability requests may require up to thirty (30) days.

7.5 Right to De-indexing (Law 25)

You have the right to request that Crewd cease disseminating your personal information or de-index any hyperlink attached to your name if that dissemination or indexing causes injury to you and is not justified by your freedom of expression, the freedom of the press, or another right or public interest. To request de-indexing, you must demonstrate: (a) that your personal information is publicly disseminated by Crewd (e.g., in a public-facing profile or search index); (b) that the dissemination causes or is likely to cause injury to you; and (c) that the injury outweighs the legitimate interest in disclosure. Crewd will evaluate all de-indexing requests within thirty (30) days and provide a written determination.

7.6 Right to Withdraw Consent

Where processing of your personal information is based on consent (including for optional processing such as analytics cookies, optional geolocation features, and optional communications), you have the right to withdraw that consent at any time without detriment, subject to legal or contractual restrictions. Consent may be withdrawn: (a) for geolocation: by not using the Platform's clock-in feature and contacting privacy@crewd.ai for alternatives; (b) for analytics: via the cookie consent settings accessible in the Platform's footer; (c) for cross-border transfer: by closing your account (noting that closure is required as a condition of withholding this consent, since the Platform cannot function without cross-border transfer); and (d) for any other optional processing: by contacting privacy@crewd.ai. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

7.7 Right to Object to Automated Decision-Making

As described in Section 3 of this Policy, Crewd uses automated decision-making systems that may produce significant effects for you, including exclusion from job matching, reliability score adjustments, no-show classifications, and penalty creation. You have the right to: (a) request that Crewd inform you of the specific parameters applied in any automated decision that affected you; (b) request that a Crewd human reviewer evaluate and, where appropriate, override or correct any automated decision; (c) present observations and additional information to Crewd in connection with your request for human review; and (d) receive notification of automated decisions that produce significant legal or financial effects. To exercise this right, contact privacy@crewd.ai identifying the specific automated decision you wish to contest.

To exercise any of the rights described in this Section 7, or to file a privacy complaint, please contact Crewd's Privacy Officer at privacy@crewd.ai. If you are not satisfied with Crewd's response, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca, or, if you are a Quebec resident, with the Commission d'accès à l'information du Québec (CAI) at www.cai.quebec.ca.

8. Data Retention Schedule

Crewd retains personal information only for as long as necessary to fulfil the purposes for which it was collected, to comply with applicable legal obligations, to resolve disputes, and to enforce agreements. The following table identifies the specific retention period and legal basis applicable to each major category of records. Upon expiry of the applicable retention period, records are securely destroyed using methods appropriate to the sensitivity of the data (see Schedule A — Detailed Retention Protocol).

| Record Type | Retention Period | Legal Basis for Retention |
| --- | --- | --- |
| Construction Project Records (Job postings, job details, job site addresses, schedules, job status history, job events) | 7 Years minimum from job completion date | Aligns with limitation periods for negligence, construction deficiency, and breach of contract claims under the Civil Code of Quebec and the Limitations Act, 2002 (Ontario); CRA audit requirements. |
| Financial Transaction Records (Billing periods, billing entries, invoices, Stripe payment records, reconciliation records, penalty records, credit notes) | Fiscal Year + 7 Years | Mandated by the Income Tax Act (Canada), s. 230; the Tax Administration Act (Quebec), s. 34; and GST/HST/QST audit requirements. The fiscal year offset accounts for tax filing deadlines. |
| Geolocation Logs (Clock-in GPS coordinates, proximity verification records) | 30 Days from capture date | Transient data collected for immediate attendance verification. Retained for 30 days to support short-term dispute resolution regarding attendance. Destroyed after 30 days as no ongoing purpose justifies retention beyond this period. |
| Chat and Communication Logs (Platform messages, Twilio SMS logs, broadcast messages) | 7 Years from message date | Anti-circumvention enforcement obligations (Non-Circumvention Agreement — 24-month monitoring period, plus additional retention for legal proceedings that may arise after the monitoring period); dispute resolution; potential evidence in litigation. |
| Identity and Account Data (Name, email, phone, role, organization associations, account settings) | Account Duration + 2 Years from account closure | Retained for 2 years post-closure to defend against fraud claims, chargebacks, or legal proceedings initiated after account closure. Destroyed on a rolling basis after the 2-year post-closure period expires, subject to ongoing legal holds. |
| Attendance and Time Records (Time entries, attendance records, shift classifications, variance data) | 7 Years from record creation | Employment standards record-keeping requirements under the Employment Standards Act, 2000 (Ontario) and the Act respecting labour standards (Quebec), which require employers to retain payroll and time records for minimum periods. Extended to 7 years to align with tax audit requirements. |
| Audit Logs (System audit trail records, administrative action logs, override records) | 7 Years from log creation | Regulatory compliance; security audit requirements; fraud investigation support; potential evidence in regulatory proceedings. |
| Onboarding Data (Submitted forms, certification documents, onboarding state data) | Duration of account + 7 Years from last platform activity | Credential verification records retained for duration of limitation periods applicable to misrepresentation claims. |
| Reliability Scores and Performance Metrics | Duration of account + 2 Years from account closure | Retained to support dispute resolution regarding historical performance representations made during the account period and for a reasonable period after closure. |

9. Security Safeguards and Breach Notification

Crewd implements a defence-in-depth security architecture designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. The following safeguards are implemented at the organizational, technical, and physical levels.

9.1 Encryption Standards: All data transmitted between users and Crewd's Platform is encrypted using TLS 1.3 (Transport Layer Security, version 1.3), the current gold standard for transport encryption, providing forward secrecy and protection against downgrade attacks. All data stored in the Convex database is encrypted at rest using AES-256 (Advanced Encryption Standard, 256-bit key length), which is the encryption standard mandated for US federal government classified data and is industry-standard for highly sensitive commercial data. Encryption keys are managed by Convex's infrastructure and are not accessible to Crewd personnel.

9.2 Access Controls — Least Privilege Architecture: Crewd enforces a least-privilege access control model, meaning all personnel, systems, and processes are granted only the minimum level of access required to perform their specific function. Role-based access controls are implemented at the Convex database level, restricting which authenticated identities can read or write which data tables. Multi-factor authentication (MFA) is mandatory for all Crewd personnel with administrative access to production systems. Administrative access is logged in audit tables, and all logs are reviewed periodically for anomalous activity.

9.3 Security Breach Notification

In the event of a privacy breach — defined as any unauthorized access to, use, disclosure, copying, modification, or disposal of personal information — Crewd will assess whether the breach presents a "Real Risk of Significant Harm" (RROSH) to affected individuals, using the factors prescribed by PIPEDA's Breach of Security Safeguards Regulations, including: the sensitivity of the personal information; the number of individuals affected; the probability that the information will be misused; and the damage that could result (bodily harm, humiliation, damage to reputation or relationships, financial loss, identity theft, negative effects on employment, business or professional opportunities, or loss of a business opportunity).

If a breach meets the RROSH threshold, Crewd will notify: (a) the Office of the Privacy Commissioner of Canada (OPC) as expeditiously as possible and no later than 72 hours after Crewd becomes aware that a reportable breach has occurred, as required by PIPEDA; (b) the Commission d'accès à l'information du Québec (CAI) within the same 72-hour window, as required by Law 25, Article 3.5; and (c) all affected individuals as soon as feasible after reporting to regulators, providing a clear and plain description of: the facts of the breach, the day or period during which the breach occurred, the personal information involved, Crewd's assessment of the risk, steps taken to reduce the risk of harm, and contact information for Crewd's Privacy Officer.

Crewd maintains a written record of all privacy breaches, whether or not they meet the RROSH threshold, for a minimum of twenty-four (24) months from the date of the breach. This record is available to regulators upon request.

9.4 Security Testing and Review: Crewd conducts periodic security reviews of its Platform infrastructure, including review of access logs, security configuration audits, and dependency vulnerability assessments. Privacy Impact Assessments (PIAs) are conducted before implementing new data processing activities or material changes to existing processing activities.

Operational Schedules and Implementation Protocols

Schedule A: Detailed Data Retention and Destruction Protocol

The Project Vault and Ghost Protocol

A.1 The "Project Vault" Protocol

For all records directly associated with a construction project engagement (including job postings, job site data, chat logs related to a specific job, time entries, attendance records, billing entries, and invoices), Crewd applies the "Project Vault" protocol. Under this protocol, all such records are tagged at the time of job completion with a retention expiry date of job completion date + 7 years. The 7-year floor is derived from the intersection of: (a) the CRA's standard audit period of 6 years post-filing; (b) the general limitation period for negligence and breach of contract in Quebec (3 years under the Civil Code, extendable to 10 years by prescription interruption) and Ontario (2 years basic, 15 years on a judgment); and (c) potential CNESST/WSIB liability tails for workplace accidents. Records in the Project Vault are retained in encrypted cold storage and are not actively processed after the job's closure, except in connection with a formal legal proceeding, regulatory inquiry, or rights request.

Chat logs specifically associated with a project engagement retain their own extended retention window of 7 years (from message date) for anti-circumvention enforcement and dispute resolution purposes, as described in Section 8.

A.2 The "Ghost Protocol" — Account Deletion and Anonymization

When a user or organization closes their Crewd account, the following phased destruction protocol is applied:

  • Phase 1 (Immediate upon confirmed account closure): Clerk authentication credentials are deleted from Clerk's identity platform, immediately preventing the user from logging in. All active session tokens are invalidated.
  • Phase 2 (Within 30 days of account closure): All geolocation logs older than 30 days are destroyed. Active notification records are purged. Non-essential preferences and settings data is deleted.
  • Phase 3 (2 Years post-closure): Account identity data (name, email, phone, Clerk ID) is destroyed or anonymized, replacing identifiable fields with non-reversible pseudonymous identifiers. At this point, the individual can no longer be identified from the account record, but transaction and billing data remains associated with the pseudonymous identifier for tax compliance purposes.
  • Phase 4 (7 Years post-closure or 7 Years post-final-transaction, whichever is later): All remaining financial records, billing entries, and tax-relevant data are destroyed from production and backup systems. At this point, all data associated with the former account reaches end of life.

Note: If a legal hold is placed on an account's data (e.g., due to active litigation or regulatory investigation), destruction is suspended until the legal hold is released, at which point normal destruction procedures resume.

Schedule B: Electronic Monitoring Transparency Notice

Pursuant to Ontario's Working for Workers Act (Bill 88, 2022) and applicable Quebec Electronic Monitoring Obligations

Crewd is required by Ontario's Working for Workers Act, 2022 (which amended the Employment Standards Act, 2000 to add Part XI.1 — Electronic Monitoring) to maintain a written policy on electronic monitoring of employees. While Crewd classifies Platform participants as independent contractors, not employees, Crewd provides this Electronic Monitoring Transparency Notice as a matter of best practice and in recognition of Law 25's requirement for transparency regarding all data collection activities. This notice describes all forms of electronic monitoring conducted through the Platform.

| Monitoring Type | Circumstances of Collection | Specific Purpose |
| --- | --- | --- |
| Geolocation (GPS Coordinates) | Captured as a single-event data point at clock-in only, when a worker enters their clock-in PIN at the designated job site. Not collected at any other time. | Verify worker presence at the job site for attendance confirmation and payment release. Generate a Proof of Presence record for potential dispute resolution. |
| Platform Chat Messages | All messages sent through the Platform's messaging system are logged with sender, recipient, timestamp, and full message body content. Monitoring is continuous during any session in which the messaging feature is used. | Fraud prevention; anti-circumvention enforcement; dispute resolution; community safety. NOT used for worker performance management or disciplinary proceedings. |
| Activity Logs (Timestamps of Platform Actions) | Timestamps and identifiers of significant Platform actions are logged to audit tables, including: login events, job offer acceptances/declines, clock-in/clock-out events, invoice acknowledgments, and administrative actions. | Security monitoring; fraud detection; troubleshooting; contract verification (e.g., confirming when a job offer was accepted); regulatory audit trail. |
| Clock-In PIN Entry Events | Each clock-in PIN entry attempt is logged, including successful and failed attempts, timestamps, and associated job/shift identifiers. | Attendance verification; detection of unauthorized clock-in attempts; security monitoring. |
| Notification Delivery and Read Receipts | The timestamp at which a notification is delivered to a user, dismissed by a user, and/or read by a user is recorded in the Notifications table. | Confirming receipt of time-sensitive legal and operational notifications (e.g., job offer expiry notices, penalty notifications). Providing evidence that a user was notified of an event. |

CRITICAL DISCLAIMER: Data collected through any of the electronic monitoring methods described above is NOT used for employee performance management, productivity monitoring, or disciplinary action against individual workers. This limitation is maintained consistently to support the independent contractor classification of Provider workers, to avoid creating employment-like relationships, and to comply with applicable privacy legislation that requires purpose limitation. Monitoring data is used exclusively for the specific purposes identified in this Schedule. Any use of monitoring data beyond these stated purposes would require fresh disclosure and, where required, consent.

Schedule C: Cookie Policy

Compliant with Quebec Law 25 and Canada's Anti-Spam Legislation (CASL)

This Cookie Policy explains the cookies and similar tracking technologies used on Crewd's Platform. In compliance with Quebec Law 25's strict consent requirements, all non-essential cookies are blocked by default and are only activated after the user provides affirmative, express consent through the cookie consent banner. Cookies are categorized below in order of their necessity.

C.1 Strictly Necessary Cookies (No Consent Required)

These cookies are essential for the Platform to function. They cannot be disabled without preventing the Platform from operating. They are set automatically upon access to the Platform.

  • _clerk_db_jwt — Set by: Clerk. Purpose: Stores the authenticated user's JSON Web Token (JWT), which is required to maintain the user's login session across pages. Without this cookie, the user would be required to re-authenticate on every page load. Duration: Session (expires when the browser session ends, unless 'Remember Me' is selected, in which case it may persist for up to 7 days).
  • __stripe_mid — Set by: Stripe. Purpose: Stripe's machine identifier cookie, used for fraud prevention and detection. Enables Stripe to verify that payment interactions originate from a legitimate browser session. Duration: 1 year.
  • __stripe_sid — Set by: Stripe. Purpose: Stripe's session identifier cookie, used for fraud detection during active payment sessions. Duration: Session.

C.2 Functional and Analytics Cookies (Disabled Until Express Opt-In)

These cookies enhance the Platform experience or provide performance analytics. They are disabled by default and are only set after the user affirmatively clicks 'Accept Analytics' in the cookie consent banner.

  • Vercel Analytics Cookies — Set by: Vercel. Purpose: Collects anonymized performance and usage data about Platform interactions, including page load times, error rates, and navigation patterns. This data is used to improve Platform performance and identify usability issues. Crewd uses Vercel Analytics in privacy-preserving mode, which avoids fingerprinting and cross-site tracking. Duration: Session to 90 days depending on specific cookie.
  • crewd_cookie_consent — Set by: Crewd. Purpose: Stores the user's cookie consent preference (accepted or declined) so that the consent banner does not re-appear on every visit. Duration: 12 months from consent decision.

C.3 Cookie Consent Management: Users may change their cookie preferences at any time by accessing the Cookie Settings link in the Platform footer. Revoking consent for analytics cookies takes effect immediately upon the user's next page load. For Quebec users, the cookie consent interface is presented in French by default (or bilingual French/English) and uses unambiguous opt-in language. Pre-ticked boxes, opt-out-only designs, and consent bundled with Terms of Service acceptance are not used for non-essential cookies.

Schedule D: Cross-Border Transfer Impact Assessment (TIA) — Summary

This Schedule provides a public summary of the Transfer Impact Assessments (TIAs) conducted by Crewd in accordance with Law 25's requirement that organizations evaluate the adequacy of protection in destination jurisdictions before transferring personal information outside Quebec. Full TIA documentation is available to Quebec residents upon request by contacting privacy@crewd.ai.

D.1 Destination Country: United States of America.

D.2 Identified Legal Risks in the Destination Country

The following US government access authorities were evaluated as part of the TIA: (a) USA PATRIOT Act (Section 215): Permits the FBI to compel production of business records held by US companies for counterterrorism and counterintelligence purposes, potentially without prior judicial authorization and with a gag order preventing the company from disclosing the demand. (b) CLOUD Act (18 U.S.C. § 2713): Requires US companies to preserve, backup, or disclose the contents of communications and records — including those stored outside the US — if the company operates from within the US and the data is within its possession, custody, or control. (c) FISA Section 702: Authorizes the US intelligence community to compel US-based electronic communications service providers to disclose data about non-US persons for foreign intelligence purposes, without individualized judicial warrants. These access authorities create a non-negligible risk that Canadian personal information stored on US-based infrastructure could be accessed by US government agencies without prior notice to Crewd or the affected individuals.

D.3 Safeguards Implemented to Mitigate Identified Risks

The following safeguards have been implemented and assessed as significantly (though not completely) mitigating the identified risks: (a) 2021 EU Standard Contractual Clauses (SCCs): All US-based sub-processors that process personal information (Clerk, Convex, Vercel, Twilio, Google Cloud) are contractually bound by Data Processing Agreements (DPAs) incorporating the 2021 SCCs adopted by the European Commission, which are accepted by Canadian regulators as equivalent contractual safeguards. These SCCs require sub-processors to: challenge government access requests that are overbroad; minimize disclosures to the minimum legally required; notify Crewd if legally permitted to do so; and implement supplementary technical safeguards. (b) AES-256 Encryption at Rest: All personal information stored in the Convex database (which processes the full PII inventory) is encrypted at rest using AES-256. This means that even if raw database files were compelled or obtained, they would be unreadable without Crewd's encryption keys. (c) TLS 1.3 Encryption in Transit: All data in transit is protected by TLS 1.3, preventing interception during transmission. (d) Least Privilege and MFA: Strict access controls and mandatory MFA for administrative access reduce the risk of unauthorized access by Crewd personnel or through compromised credentials.

D.4 TIA Conclusion: Based on the assessment of the legal framework of the United States, the specific sub-processors involved, the nature of the data transferred, and the safeguards implemented, Crewd has determined that the overall level of protection provided to personal information transferred to the United States is substantially equivalent to the protection afforded by Quebec Law 25 and PIPEDA. This determination is subject to ongoing monitoring. If legislative or regulatory changes in the US materially increase the risk of government access to Canadian personal information, Crewd will revisit this assessment and, if necessary, implement additional safeguards or seek alternative infrastructure solutions.

Contact Privacy Team

For Data Portability requests, De-indexing requests, Subject Access Requests (SARs), Automated Decision-Making review requests, privacy complaints, or any other inquiries regarding this Policy or Crewd's data practices.
