Privacy Policy & Data Protection Statement
Comprehensive Data Governance & Compliance Framework
WARNING TO USERS IN QUEBEC
Français : La présente politique de confidentialité est disponible en français et en anglais. En utilisant la plateforme, vous confirmez votre volonté expresse d'être lié par la version anglaise (si applicable) après avoir eu l'opportunité de consulter la version française.
English: This Privacy Policy is available in French and English. By using the Platform, you confirm your express wish to be bound by the English version (if applicable) after having had the opportunity to consult the French version.
1. Introduction and Scope of Application
Crewd Inc. ("Crewd," "we," "us," or "our") operates a digital marketplace facilitating connections between construction contractors ("Clients") and independent trades organizations ("Suppliers") via our mobile application and website (collectively, the "Platform").
This Privacy Policy ("Policy") governs the collection, use, disclosure, and retention of Personal Information. It is engineered to comply with the strictest applicable standards, including PIPEDA (Federal), Law 25 (Quebec), and the Employment Standards Act (Ontario).
1.1 The Business-to-Business (B2B) Context
Suppliers represent that they are utilizing the Platform in their capacity as an independent business entity. Consequently, the contact information provided (business email, business phone) constitutes Business Contact Information (BCI). However, for Sole Proprietors in Quebec, we recognize that business information may be indistinguishable from personal information. Accordingly, Crewd treats all Sole Proprietor data with the high standard of protection mandated for personal information under Quebec Law 25.
2. Data Collection and Inventory
We collect only the information necessary to facilitate the commercial objectives of the Platform.
| Data Category | Data Elements | Purpose & Legal Basis |
|---|---|---|
| Account Identity | Name, Email, Phone, Password (Hashed). | Authentication managed via Clerk. Necessary for contract performance. |
| Credentials | Trade Licenses (RBQ, Skilled Trades Ontario), Insurance Certificates, Safety Cards. | Verification to ensure Suppliers meet regulatory requirements of Act R-20 and OHSA. |
| Project Data | Site Addresses, Blueprints, Access Codes. | Service Delivery. Provided by Clients acting as "Constructors." |
| Financial Data | Bank Coordinates, SIN (Optional for Sole Props). | Payment Processing via Stripe. Crewd does not store full banking credentials. AML compliance. |
2.3 Geolocation Data (Strict "Active Job" Protocol)
To balance operational efficiency with privacy rights, Crewd implements a strict Event-Based Geolocation policy.
- Collection Trigger: Precise GPS data is collected ONLY when a Supplier explicitly toggles their status to "On Duty," "En Route," or "Clocked In" for a specific Job.
- Purpose: Safety logistics (ETA) and Payment Release ("Proof of Presence" verification).
- Cessation: Geolocation collection is automatically suspended when the status is toggled to "Off Duty." We do not track historical movements outside of active engagements.
2.4 Chat and Communication Monitoring
The Platform includes a text-based chat function. You have no reasonable expectation of privacy in communications sent via the Platform.
Permissible Purposes
- Fraud Prevention (Phishing detection).
- Anti-Circumvention (Enforcing fee payment).
- Dispute Resolution.
Prohibited Purposes
Crewd expressly disclaims the use of chat monitoring for "employee performance management" or "disciplinary action." This is material to maintaining the independent contractor relationship.
3. Use of Data and Algorithmic Processing
We process your data to facilitate matchmaking, process payments (Marketplace Facilitator), and verify safety compliance.
3.2 Automated Decision Making (ADM) Notification
Crewd utilizes algorithms to rank Suppliers based on Proximity, Trade Certification, and Verified Ratings. In compliance with Quebec Law 25, if a decision affecting you (e.g., account suspension) is made exclusively by automated means, you will be notified and have the right to request information about the parameters used.
5. International Data Transfers
Notice to Users
Your personal information is processed on cloud infrastructure located primarily in the United States.
- Risk Acknowledgment: Data may be subject to access by U.S. law enforcement under the USA PATRIOT Act and the CLOUD Act.
- Mitigation: Crewd has implemented encryption-at-rest and strict access controls to protect your data.
6. User Rights (Law 25 & PIPEDA)
You possess the following rights regarding your personal information:
Right to Data Portability (Quebec)
You may request that your computerized personal information (including reputation/ratings) be communicated to you in a structured JSON format.
Right to De-indexing
You may request that Crewd cease disseminating your information or de-index hyperlinks attached to your name if it causes injury.
Right to Withdraw Consent
You may withdraw consent for optional processing (e.g., location tracking) at any time via App settings.
To exercise these rights, contact privacy@crewd.ai.
7. Data Retention Schedule
We retain personal information only for as long as necessary.
| Record Type | Period | Legal Basis |
|---|---|---|
| Construction Project Records | 7 Years (Minimum) | Aligns with limitation periods for negligence claims and tax audit requirements. |
| Financial Transaction Records | Fiscal Year + 7 Years | Mandated by Income Tax Act (Canada) and Tax Administration Act (Quebec). |
| Geolocation Logs | 30 Days | Transient data for immediate attendance verification. |
| Identity Data | Account Duration + 2 Years | To defend against fraud claims post-closure. |
8. Security Safeguards
We employ defense-in-depth security strategies.
- Encryption: Data in transit is encrypted via TLS 1.3. Data at rest is encrypted using AES-256.
- Access Control: We enforce "Least Privilege" access. MFA is mandatory for all admin access.
Breach Notification: In the event of a breach presenting a "Real Risk of Significant Harm," we will notify the OPC/CAI and affected individuals immediately.
Schedule A: Detailed Retention Protocol
In the construction industry, the tail of liability is long. The "Project Vault" protocol ensures that records (Chat Logs, Photos, Sign-offs) are tagged with a retention date of ProjectCompletionDate + 15 Years to defend against structural defect claims. Conversely, the "Ghost Protocol" ensures that upon account deletion, Auth Data is removed while Tax Data remains in "Cold Storage" for legal compliance.
Schedule B: Electronic Monitoring Transparency
Pursuant to Ontario's Working for Workers Act (Bill 88):
| Monitoring Type | Circumstances | Purpose |
|---|---|---|
| Geolocation | Only when 'On Duty' status is active. | Verify attendance for payment release. |
| Chat Logging | All platform messages. | Fraud prevention & community safety. |
| Activity Logs | Timestamps of bids/logins. | Troubleshooting & contract verification. |
DISCLAIMER: Data collected through electronic monitoring is NOT used for employee performance management or discipline.
Schedule C: Cookie Policy
To comply with Quebec's strict consent rules, non-essential cookies are blocked by default.
- Strictly Necessary:
_clerk_db_jwt(Auth),_stripe_mid(Fraud Prevention). No consent required. - Functional/Analytics: Vercel Analytics. Disabled until user clicks "Accept".
Schedule D: Cross-Border TIA Summary
Destination: United States. Risks: FISA/CLOUD Act access. Safeguards: We utilize 2021 EU Standard Contractual Clauses (SCCs) and AES-256 encryption. We have determined the protection level is substantially equivalent to Quebec principles.