Legal

Privacy Policy

Effective date: June 25, 2026

Wirehead Corporation (“Wirehead”, “we”, “us”, or “our”) is committed to protecting the privacy of the personal information you provide to us. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Wirehead platform (the “Platform”), in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec Law 25, and, where applicable, the European Union General Data Protection Regulation (GDPR).

1. Information We Collect

We collect the following categories of personal information:

  • Identity and contact information: name, email address, and phone number.
  • Resume and professional data: work history, education, skills, certifications, and any other information you include in your uploaded resume or professional profile.
  • Security clearance level: self-reported federal government security clearance status (e.g., Reliability, Secret, Top Secret).
  • Application data: expected billing rate, availability date, preferred contract vehicle (ProServices, TBIPS, SBIPS), and cover letter content submitted through the apply form.
  • Account data: email address used for passwordless (magic link) sign-in, OAuth identifiers when you sign in via Google, Apple, or GitHub, session tokens, and account preferences.
  • Usage data: IP address, browser type, pages visited, search queries, and interactions with the Platform, collected automatically via server logs and our cookieless analytics provider.
  • Verification data: reCAPTCHA v3 token scores generated by Google to protect our sign-in and contact forms from automated abuse.

2. How We Use Your Information

We use your personal information for the following purposes:

  • Platform operation: to create and manage your account, process applications, and provide our core job-matching services.
  • Matching and recruitment: to identify and present your profile to enterprise clients and federal, provincial, and broader public sector employers seeking I&IT contractors with your skills and clearance level.
  • AI Match (AI-powered scoring): your resume text is submitted to the Anthropic API (Claude Haiku) — with OpenAI GPT-4o as failover — to generate an AI Match relevance score comparing your experience against specific job postings. See our AI Policy for full details.
  • Communications: to send you magic link sign-in emails, application confirmation emails, and job alerts you have requested.
  • Platform improvement: to analyse usage patterns, diagnose technical issues, and improve the Platform's features and performance.
  • Legal and compliance: to comply with applicable laws, respond to legal process, and enforce our Terms of Use.

3. Legal Basis for Processing (GDPR)

For individuals in the European Economic Area (EEA) or United Kingdom, we rely on the following legal bases:

  • Contract performance: processing necessary to provide the job-matching services you have requested (Art. 6(1)(b)).
  • Legitimate interests: fraud prevention, platform security, and improving our services (Art. 6(1)(f)).
  • Consent: where you have given explicit consent, such as for AI-powered resume scoring (Art. 6(1)(a)). You may withdraw consent at any time.
  • Legal obligation: where processing is required by applicable law (Art. 6(1)(c)).

4. Third-Party Processors

We share your personal information with the following trusted third-party processors, each bound by data processing agreements:

  • Anthropic, PBC (United States) — receives resume text (no additional PII) solely to generate AI Match relevance scores. Anthropic processes data under its API commercial terms and does not use API-submitted data to train its models.
  • OpenAI, L.L.C. (United States) — receives the same resume text when Anthropic is unavailable (failover). OpenAI processes data under its API Business Terms and does not use API-submitted data to train its models.
  • Neon, Inc. (United States) — managed Postgres database where your account and application data are stored.
  • Cloudflare, Inc. (United States and global edge) — DNS, R2 file storage (where your resume PDF and profile photo are stored at rest), and edge network.
  • Vercel, Inc. (United States) — application hosting and serverless compute.
  • Resend (United States) — transactional email delivery (magic-link sign-in, application confirmation, unsubscribe). No marketing emails are sent without explicit consent.
  • Sanity (United States / Europe) — content management for public job postings. Does not receive candidate personal information.
  • Sentry (United States) — application error monitoring. Configured with PII disabled by default; user emails or IPs are only attached on explicit auth events.
  • PostHog (United States, self-hosted post-launch) — product analytics. Cookieless, no IP capture; only identifies users after sign-in.
  • Google LLC (reCAPTCHA) — Google's reCAPTCHA v3 service processes IP address and browser interaction data on our sign-in and contact forms to determine whether a request is automated. Google's Privacy Policy applies: policies.google.com/privacy.

We do not sell your personal information to any third party.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide services. Specifically:

  • Account data: retained until you request deletion or for up to 2 years following your last active session, whichever comes first.
  • Application data: retained for 3 years following the close of the relevant procurement opportunity, as required by federal government procurement record-keeping guidelines.
  • Magic link tokens: automatically expire after 1 hour and are purged within 24 hours of expiry.
  • Soft-deleted accounts: retained for 24 hours after deletion to allow you to restore by signing back in. After 24 hours the account is hard-deleted.
  • Server logs: retained for 90 days for security and diagnostic purposes.

You may request deletion at any time. See Section 6 for your rights.

6. Your Rights

Under PIPEDA (Principle 4.9), Quebec Law 25, and the GDPR (Articles 15–22), you have the following rights:

  • Access (PIPEDA Principle 4.9 / Law 25 §27 / GDPR Art. 15): you may request a copy of the personal information we hold about you.
  • Correction (PIPEDA Principle 4.9.6 / Law 25 §28 / GDPR Art. 16): you may request that we correct inaccurate or incomplete information.
  • Deletion (GDPR Art. 17 / Law 25 §28.1 / PIPEDA Principle 4.5): you may request that we delete your personal information. Exceptions apply where we are required by law to retain data or where data is necessary for the establishment, exercise, or defence of legal claims.
  • Data portability (GDPR Art. 20 / Law 25 §27 — in force since September 2024): you may request your personal data in a structured, machine-readable format.
  • Objection (GDPR Art. 21): you may object to processing based on legitimate interests.
  • Withdrawal of consent: where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing.
  • Information about automated decision-making (Law 25 §65.0.1 / GDPR Art. 22): you have the right to be informed of decisions made by automated processing and to request human review. See our AI Policy.

To exercise any of these rights, email us at privacy@wirehead.com. We will respond within 30 days.

If you are in Quebec and believe your rights have not been respected, you have the right to lodge a complaint with the Commission d'accès à l'information du Québec. Elsewhere in Canada, you may contact the Office of the Privacy Commissioner of Canada. If you are in the EEA, you may contact your local Data Protection Authority.

7. Cross-Border Data Transfers

Your information may be transferred to and processed in countries outside Canada, including the United States (for Anthropic, OpenAI, Neon, Vercel, Cloudflare, Resend, Sentry, PostHog, and Google services). Where such transfers occur, we ensure appropriate safeguards are in place, including standard contractual clauses approved by the European Commission where required by the GDPR. A migration of primary application data to a Canada Central region is on the post-launch roadmap to align with PIPEDA / Law 25 data residency preferences.

8. Security

We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the information we hold, including encrypted session management, TLS 1.2+ for all data in transit, encryption at rest on all databases and object storage, and access controls limiting data access to authorised personnel only. Wirehead Corporation carries Errors & Omissions, General Liability, and WSIB insurance for all active contractor engagements. We are targeting SOC 2 Type I and Type II attestation post-launch, with audits scheduled on an annual basis. See Trust for the current security posture.

9. Cookies and Tracking

We use only strictly necessary session cookies to maintain your authenticated session and your locale preference. We do not use third-party advertising cookies. Our analytics provider (PostHog) is configured to run cookieless. The Google reCAPTCHA service may set cookies as described in Google's Privacy Policy. You can control cookies through your browser settings; disabling strictly necessary cookies will prevent sign-in from functioning correctly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the revised policy on this page with an updated effective date and, for material changes, notify registered users by email.

11. Contact Us

For privacy-related inquiries, requests, or complaints:

Wirehead Corporation
Privacy Officer
Email: privacy@wirehead.com
Website: wirehead.com