Privacy Policy

Effective Date: 1 April 2026 · Last Updated: 1 June 2026 · Versao portuguesa

Operating Entity: Softassure Technologies Ltd. · Contact: privacy@certyco.com

Privacy at a Glance

Certyco exists to give Professionals honest expert feedback and verified signal that Hiring Partners can trust. Privacy is foundational to how that trust works.

  • Your evaluation results and profile are private by default. Nothing is visible to Hiring Partners until you activate “Available for Work”
  • Even after opting in, your identity stays hidden. Personal details are revealed only when a Hiring Partner unlocks your profile
  • Interviews are recorded only with your explicit consent
  • Hiring Partners never see personal details unless they unlock your profile
  • Industry Experts evaluate independently and do not receive unnecessary personal identifiers before interviews
  • AI Resume Import reads your file in your browser and the file is never uploaded. Extracted text is sent to our servers for AI parsing and is not retained
  • We do not sell personal data, ever
  • You can request deletion of your data at any time
  • Industry Experts may be located outside Canada, the US or India. When your evaluation is conducted by an Industry Expert based in the UK or the EU, interview recordings are stored in our EU data centre in Germany

1. Introduction

Certyco is a platform where Professionals receive structured, expert-led evaluations that produce actionable career feedback and verified hiring signal. The resulting 4D Scorecard and Certyco Mark give Hiring Partners pre-validated signal about a Professional's capabilities.

This Privacy Policy explains how Certyco ("we", "our", or "us"), operated by Softassure Technologies Ltd., collects, uses, shares, and protects personal information when you access or use our website, platform, or services.

Certyco operates in Canada, the United States, India, the United Kingdom, and Portugal, and complies with applicable privacy laws in those jurisdictions, including PIPEDA, CCPA/CPRA, India's DPDPA 2023, the UK GDPR, and the EU GDPR.

By creating an account or using the platform, you acknowledge that you have read and understood this Privacy Policy.

2. Platform Availability & Rollout Status

Certyco is currently operating in its Full Launch phase.

Currently Available

  • Account creation (email and password, or OAuth via Google, LinkedIn, or Microsoft)
  • Email verification (standard email for all users; corporate email verification for Industry Experts and Hiring Partners)
  • Profile creation and management (Professional, Industry Expert, and Hiring Partner)
  • AI Resume Import for Professionals and Industry Experts (PDF/DOCX text extraction with AI parsing)
  • Profile onboarding with completion tracking
  • Support page
  • Vercel Analytics (privacy-focused, first-party)

Also Available

  • Evaluation interviews and 4D Scorecard scoring
  • Interview recordings (with consent)
  • Certyco Mark tier assignment
  • Hiring Partner search, discovery, and profile unlocking
  • Discreet Mode
  • Payment processing via Stripe (Professional evaluations, Hiring Partner connection unlocks)
  • Industry Expert payout management via Wise Business
  • Resume export (PDF)

3. Information We Collect

3.1 Account Information (All Users)

  • Full name and email address
  • Password (hashed via bcrypt, managed by Supabase Auth. Certyco does not store plaintext passwords)
  • Role selection (Professional, Industry Expert, or Hiring Partner)
  • Company name (Industry Expert and Hiring Partner)
  • Corporate email address (Industry Expert and Hiring Partner; verified separately)
  • LinkedIn URL (optional)
  • Account status and timestamps
  • OAuth profile data received from Google, LinkedIn, or Microsoft when you sign in with a social provider (name, email, profile URL)

3.2 Profile Information

From Professionals

  • Professional summary, current and desired role titles
  • Skills (with proficiency levels), domain expertise, and platform expertise
  • Work experience, education history, and certifications
  • Portfolio projects and work samples
  • Languages spoken
  • Job preferences (notice period, work authorization, currency, work mode, job type)
  • Availability status

From Industry Experts

  • All Professional profile fields, plus references, evaluation expertise areas, and dual email fields (corporate and personal)
  • Banking and payout details: account holder name, bank account number, routing codes (IFSC, sort code, ACH routing number, institution/transit numbers, or IBAN depending on country), payout currency, and mailing address. These details are collected with your explicit consent for the sole purpose of processing payout transfers for completed evaluations. Banking fields are encrypted at the application level using AES-256-GCM encryption and are accessible only to authorized Certyco administrators.

From Hiring Partners

  • Company information, hiring preferences, and search preferences

Industry References (Third-Party Data)

Professionals and Industry Experts may provide contact details of industry references (name, email, phone, company, job title, and relationship) as part of their profile. This information is provided by the user on behalf of the referenced individual. Reference data is accessible only to the user who submitted it and Certyco administrators for verification purposes. It is not shared with Hiring Partners or any other third party. If you have been listed as a reference and wish to have your information reviewed or removed, please contact privacy@certyco.com.

3.3 AI Resume Import Data

AI Resume Import lets Professionals and Industry Experts upload a PDF or DOCX resume to pre-populate their profile. Here is exactly what happens with your data:

  1. Your file is read in your browser using client-side libraries. The file itself is never uploaded to any server. The extracted text is sent to Certyco's servers for AI parsing.
  2. Only the extracted text is sent to our backend, which forwards it to the Anthropic Claude API for structured parsing.
  3. The AI returns structured data (experience, education, skills, certifications) which is stored temporarily in your browser session.
  4. You review and approve each parsed section before anything is saved to your profile.
  5. No resume files are stored on Certyco servers at any point. The extracted text is processed in memory and discarded after parsing.

3.4 Authentication & Security Data

  • JWT access tokens and refresh tokens (managed by Supabase Auth)
  • Session data (default 1 day; up to 7 days with Remember Me)
  • OTP verification codes (6-digit numeric codes that auto-expire after 10 minutes)
  • OAuth tokens from social login providers
  • IP addresses
  • Login history and failed login attempt logs
  • Rate limit tracking data
  • Platform access cookie (functional, HMAC-signed, httpOnly, secure, 24-hour expiry, used for access control, not tracking)

3.5 Interview & Evaluation Data

  • Scheduled interview dates, times, and duration
  • Interview status and lifecycle data
  • Individual skill ratings (1–5 scale across multiple dimensions)
  • Aggregated evaluation scores and Certyco Mark tier assignment
  • Written evaluation feedback (strengths and development areas)
  • Interview recordings (audio/video, collected only with explicit consent)

3.6 Hiring Partner Interaction Data

  • Search activity and filter usage
  • Saved candidates lists
  • Profile unlock history
  • Credit usage and purchase history

3.7 Usage & Audit Data

  • Audit logs (admin actions and authentication events)
  • Profile activity logs
  • Email delivery logs

4. Cookies & Analytics

Analytics

Certyco uses Vercel Analytics, a privacy-focused, first-party analytics service. Vercel Analytics:

  • Does not use cookies
  • Does not perform cross-site tracking
  • Does not build behavioral profiles
  • Collects only page views and anonymized device/browser information

Cookies

Certyco does not use advertising cookies, third-party tracking cookies, or behavioral profiling cookies.

The platform uses the following functional cookies:

  • Authentication cookies: essential cookies managed by Supabase Auth for session management and login state
  • Platform access cookie: an HMAC-signed, httpOnly, secure cookie with 24-hour expiry used for platform access control. This cookie is not used for tracking or analytics.

5. How We Use Your Information

We use the information we collect to:

  • Operate, maintain, and improve the Certyco platform
  • Create and manage your account and profile
  • Process AI Resume Import uploads (text extraction and AI parsing)
  • Verify email addresses and corporate email eligibility
  • Generate and deliver OTP codes for verification
  • Facilitate evaluation interviews and scoring
  • Display verified evaluation signals to Hiring Partners
  • Process payments and manage credits
  • Enforce fairness, quality control, and platform integrity
  • Enforce rate limits and prevent abuse
  • Communicate important updates, notifications, and support responses
  • Maintain audit trails for security and compliance
  • Comply with legal and regulatory obligations

We do not use your information for advertising, behavioral profiling, or sale to third parties.

Automated Decision-Making

The Certyco Mark tier (Mark III, Mark II, Mark I, or No Mark) is assigned automatically based on a Professional's aggregated evaluation score using a fixed formula. The evaluation scores themselves are determined entirely by a human Industry Expert -- no AI or automated systems are involved in scoring. The tier assignment determines the Professional's visibility level to Hiring Partners. If you believe your tier assignment is incorrect, you may contact privacy@certyco.com to request a review.

6. Interview Recordings & Consent

Interview recordings are a core part of Certyco's fairness and accountability model.

  • Consent is obtained during interview scheduling and confirmed before recording begins
  • Recordings are not shared or accessed without explicit authorization

Access Rules

  • ProfessionalsFull access to their own recordings
  • Industry ExpertsAccess for up to 24 hours after the interview for evaluation submission
  • Certyco AdminsOngoing access for quality review, audit, and platform integrity
  • Hiring PartnersAccess only with explicit, additional consent from the Professional

Recordings are retained until the Professional requests deletion. They do not expire automatically.

7. Profile Visibility, Unlocking & Discreet Mode

By default, Professional profiles and evaluation results are completely private. No Hiring Partner or Industry Expert can discover, view, or access your profile or scorecard unless you explicitly choose to make yourself visible.

Visibility to Hiring Partners is controlled through two sequential gates:

  • Gate 1: You opt in. Your profile and evaluation results remain invisible to all Hiring Partners until you activate the “Available for Work” toggle on your dashboard. Until you do this, no one can find you in search results, view your scores, or access any part of your profile. You can turn this off at any time to immediately remove yourself from Hiring Partner searches
  • Gate 2: Your identity stays hidden. Even after you opt in, Hiring Partners can only see anonymized evaluation data (scores, feedback, Mark tier). Your name, photo, email, phone number, and all other personal and contact details remain hidden. Personal details are revealed only when a Hiring Partner unlocks your profile
  • Certyco will never share your evaluation results, scorecard, or personal information with any Hiring Partner without your explicit opt-in through the availability toggle
  • Industry Experts do not see unnecessary personal identifiers before evaluations

Discreet Mode

Discreet Mode allows:

  • Professionals to hide their profile from up to 2 specific companies
  • Industry Experts to hide their identity and details from Hiring Partners at the same employer

Discreet Mode is designed to prevent conflicts, protect careers, and preserve evaluation neutrality.

8. Data Sharing & Third-Party Services

When We Share Information

We share personal information only in the following circumstances:

  • With Industry Experts: limited Professional data necessary to conduct evaluations
  • With Hiring Partners: verified evaluation data by default; personal and contact details only after profile unlock
  • With third-party service providers: as described below, to operate the platform
  • With legal or regulatory authorities: when required by applicable law

We do not sell personal data to third parties.

Third-Party Services

ServicePurposeData SharedData Protection Mechanism
SupabaseDatabase, authentication, file storage (hosted on AWS ca-central-1, Montreal, Canada)Account data, profile data, all platform dataCovered by Supabase's DPA. Data hosted in Canada; transfers to/from UK and EU covered by Canada's adequacy decisions (EU 2002, UK 2021).
Google OAuthSocial loginEmail, name, profile URL (only if you choose to sign in with Google)DPF-certified
LinkedIn OAuthSocial loginEmail, name, profile URL (only if you choose to sign in with LinkedIn)DPF-certified
Microsoft OAuthSocial loginEmail, name, profile URL (only if you choose to sign in with Microsoft)DPF-certified
ResendTransactional emailEmail addresses and email contentDPF-certified
VercelFrontend hosting and serverless computePage views, anonymised device/browser informationDPF-certified
Anthropic Claude APIAI featuresResume text only (no files). Processed under Anthropic's Commercial Terms and Data Processing Addendum. Anthropic does not train models on data submitted via the API. Text is not retained after processing.Covered by Anthropic's Data Processing Addendum which incorporates the EU SCCs (Decision 2021/914) and the UK Addendum to EU SCCs
ZoomInterview hosting and recording (Workplace Pro, AI Companion)Evaluation recordings (stored in Germany)DPF-certified; recordings now stored in Germany
StripePayment processing for Professional evaluation purchases and Hiring Partner connection unlocksPayment card details, transaction data. Certyco does not store card numbers; these are handled entirely by Stripe.DPF-certified
Wise BusinessIndustry Expert payout transfersIE banking details (account holder name, account number, routing codes, address) are entered by the admin into Wise to initiate transfers. Certyco stores banking details in its own database; Wise receives them only at the point of transfer.Wise is not DPF-certified. Banking details are stored in Certyco's Supabase database in Canada (covered by the Supabase DPA). Wise receives data only at transfer time as a payment processor.

Each third-party service processes data according to its own privacy policy and terms. We select service providers that maintain appropriate security and privacy standards.

9. Conflicts, Fairness & Safeguards

To protect the integrity of evaluations:

  • Industry Experts cannot evaluate Professionals with whom they have a personal or professional relationship
  • Industry Experts may decline evaluations involving current or recent employers, or organizations where a conflict of interest may exist
  • Matching between Industry Experts and Professionals is based on role relevance, domain expertise, platform familiarity, and availability
  • Certyco administrators may silently monitor live interviews for quality control, fairness, and platform integrity
  • Evaluation quality is periodically reviewed by Certyco

10. Data Retention & Deletion

We retain data only as long as necessary to operate the platform, maintain evaluation integrity, and meet legal obligations.

Data TypeRetention Period
Account dataRetained until you request account deletion
Profile dataRetained until you request account deletion
Evaluation data24 months after evaluation date
Interview recordingsRetained until the Professional requests deletion
Banking and payout details (Industry Experts)Duration of contractual relationship plus 10 years (to satisfy tax record retention obligations across all operating jurisdictions). You may request earlier deletion, subject to applicable legal retention requirements.
Payout transaction recordsDuration of contractual relationship plus 10 years (tax compliance)
Audit logs36 months
OTP verification codesAuto-expire after 10 minutes
Session dataUntil logout or session expiry (1–7 days)
AI Resume Import filesNot retained. Processed in your browser and discarded

Account Deletion

You may request deletion of your account and personal data at any time by emailing privacy@certyco.com. Upon receiving a valid deletion request:

  • Your account will be deactivated and personal data will be removed
  • Certain records may be retained where required by law or necessary to maintain the integrity of completed evaluations (e.g., anonymized evaluation records)
  • We will confirm completion of your deletion request

11. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access your personal data
  • Correct inaccurate or incomplete data
  • Request deletion of your data
  • Withdraw consent (where processing is based on consent). For banking details, you can withdraw consent and request deletion directly from your Payout Method page or by emailing privacy@certyco.com
  • Object to processing of your data
  • Restrict processing of your data
  • Request data portability
  • Lodge a complaint with a data protection authority

To exercise any of these rights, contact us at privacy@certyco.com. We will respond to valid requests within 30 days (or within 90 days for India DPDPA requests, as permitted by that law). If we need additional time due to the complexity of your request, we will notify you of the extension and the reason for it.

How to Submit a Data Subject Request

If you wish to access, correct, delete, or export your personal data, follow this process:

  1. Email us at privacy@certyco.com with the subject line “Data Subject Request”. Include your full name, the email address associated with your Certyco account, and the specific right you wish to exercise.
  2. Verification: We will verify your identity by sending a confirmation email to the address associated with your account. For deletion requests, we may require additional verification.
  3. Processing: We will review your request and respond within 30 days. If your request is complex or involves a large amount of data, we may extend this period by up to 60 additional days, in which case we will notify you of the extension.
  4. Completion: Once your request has been fulfilled, we will confirm by email. For deletion requests, we will confirm what data has been deleted and note any data that has been retained due to legal obligations (e.g., tax record retention).

You do not need to pay a fee to exercise your rights. We may refuse requests that are manifestly unfounded or excessive, in which case we will explain our reasons.

12. Security Measures

We apply reasonable administrative, technical, and organizational safeguards to protect your data, including:

  • Password hashing via bcrypt (managed by Supabase Auth. Plaintext passwords are never stored)
  • Encrypted data transmission via HTTPS/TLS for all connections
  • HMAC-signed cookies for session integrity and access control
  • JWT-based authentication with token expiry
  • Role-based access controls and Row Level Security on database queries
  • Rate limiting on sensitive endpoints (authentication, OTP generation)
  • Internal access logging and audit trails
  • Periodic security reviews
  • Application-level encryption for banking details: Industry Expert banking fields (account numbers, routing codes, IBAN, sort codes) are individually encrypted using AES-256-GCM with unique initialization vectors before being stored in the database. This is in addition to Supabase's infrastructure-level AES-256 encryption at rest. After initial submission, Industry Experts can only view masked versions of their banking details (e.g., ****5678). Full banking details are accessible only to authorized administrators for processing payouts, and every access is logged in an audit trail.

No system is completely secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security.

13. Jurisdiction-Specific Disclosures

Certyco operates in Canada, the United States, and India. The following disclosures apply based on your jurisdiction of residence. Your rights under Section 11 include all applicable rights under these frameworks.

Canada (PIPEDA)

Certyco complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, including Quebec's Act respecting the protection of personal information in the private sector (Law 25), Alberta's Personal Information Protection Act (PIPA), and British Columbia's Personal Information Protection Act (PIPA).

  • We collect, use, and disclose personal information only for the purposes identified in this Privacy Policy, with your knowledge and consent
  • You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting privacy@certyco.com
  • You have the right to access your personal information held by Certyco and to challenge its accuracy
  • You may file a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated

United States: CCPA / CPRA (California)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

  • Right to know: You may request the categories and specific pieces of personal information we have collected about you
  • Right to delete: You may request deletion of your personal information, subject to certain exceptions
  • Right to opt out of sale: Certyco does not sell personal information. We do not sell, rent, or trade your data to third parties for monetary or other valuable consideration
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights
  • Right to correct: You may request correction of inaccurate personal information

Other U.S. states may have similar privacy rights. We honor all valid data subject requests regardless of state of residence.

India (DPDPA 2023)

Certyco complies with the Digital Personal Data Protection Act, 2023 (DPDPA) for users in India.

  • We process personal data based on your consent or for legitimate uses as defined under the DPDPA
  • You have the right to access, correct, and erase your personal data as a Data Principal
  • You may withdraw consent at any time through the mechanisms described in this policy
  • You may file a complaint with the Data Protection Board of India if you believe your rights have been violated

Cross-Border Data Transfers

Certyco's primary database is hosted in Canada (Montreal). Some third-party service providers (such as Stripe, Vercel, and Anthropic) may process data in the United States. When data is transferred to US-based providers, they are either certified under the EU-US Data Privacy Framework or covered by their own Data Processing Agreements. Transfers between Canada and the UK/EU are covered by Canada's adequacy decisions (EU Commission Decision 2002/2 and UK Adequacy Regulation 2021).

Industry Experts Located in the United Kingdom and the European Union

Certyco's core Industry Expert community is based in Canada, the United States and India. As part of a time-bounded pilot programme, we also engage a small number of senior Industry Experts based in the United Kingdom and in Portugal. When you schedule an evaluation, you will see the country of the Industry Expert at the point of selection and may choose any available expert that matches your skill profile.

For evaluations conducted by Industry Experts in the UK or the EU, the following applies:

  • Interview recordings, where you have consented to recording as part of the scheduling flow, are stored in our European Union data centre in Germany. This applies regardless of your own location.
  • Personal data of UK and EU Industry Experts is processed under the UK GDPR and the EU GDPR in addition to PIPEDA, CCPA and India's DPDPA. UK and EU data subjects have the rights of access, rectification, erasure, restriction, portability and objection. To exercise any of these rights, write to privacy@certyco.com and we will respond within one month.
  • Personal data of UK Industry Experts transferred to Canada is covered by the United Kingdom's 2021 adequacy regulation recognising Canada (commercial sector) as providing an adequate level of data protection.
  • Personal data of EU-based Industry Experts (currently in Portugal) transferred to Canada is covered by the European Commission's 2002 adequacy decision recognising Canada (commercial sector) as providing adequate protection.
  • Where data is processed by US-based sub-processors (such as Stripe, Vercel, and Anthropic), those sub-processors are either certified under the EU-US Data Privacy Framework or covered by their own Data Processing Agreements. Certyco's primary database (Supabase) is hosted in Canada.

Legal Basis for Processing

Depending on your jurisdiction, we process personal information on the following bases:

  • Consent: where you have given explicit consent (e.g., interview recordings, AI Resume Import, banking detail collection for Industry Expert payouts)
  • Contractual necessity: to provide the services you have requested (e.g., account creation, profile management, evaluations)
  • Legitimate interest: to operate, maintain, and improve the platform, enforce quality and fairness, and prevent abuse
  • Legal obligation: to comply with applicable laws and regulatory requirements

14. Children's Privacy

Certyco is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that information promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the platform or via email. The "Last Updated" date at the top of this page indicates when the policy was last revised.

Continued use of the platform after changes are posted constitutes acceptance of the revised policy.

16. Contact Us

For privacy-related questions, data requests, or concerns, contact:

Privacy Officer

Sharique Shaikh, Founder

privacy@certyco.com

Softassure Technologies Ltd.

222 - 3265 Carding Mill Trail, Suite 222, Oakville, Ontario, L6M 5P7, Canada

The Privacy Officer is responsible for overseeing compliance with applicable data protection laws, including PIPEDA, Quebec's Law 25, CCPA/CPRA, India's DPDPA 2023, the UK GDPR, and the EU GDPR.