PIPEDA Compliance Statement

1. About PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy law. It sets out rules for how organisations collect, use, and disclose personal information in the course of commercial activities. Candidoor operates as a Canadian corporation and is subject to PIPEDA.

2. Our Privacy Officer

Candidoor has designated a Privacy Officer responsible for our compliance with PIPEDA. You can contact our Privacy Officer at privacy@candidoor.ca. We respond to all privacy inquiries within 30 days.

3. The ten PIPEDA principles and how we apply them

• •Accountability — Candidoor Inc. is responsible for the personal information under our control. Our Privacy Officer is accountable for our compliance with PIPEDA.
• •Identifying purposes — We collect personal information only for the purposes identified at or before the time of collection. Those purposes are set out in our Privacy Policy.
• •Consent — We obtain consent for the collection, use, and disclosure of personal information. By creating an account you consent to our Privacy Policy and these practices.
• •Limiting collection — We collect only the personal information necessary for the identified purposes. We do not collect names, salary information, or information about third parties.
• •Limiting use, disclosure, and retention — We use personal information only for the purposes for which it was collected. We do not sell data. We retain data only as long as necessary.
• •Accuracy — We take reasonable steps to ensure that personal information is accurate and up to date. Users can request corrections at any time.
• •Safeguards — We protect personal information with security measures appropriate to the sensitivity of the information. This includes encrypted connections, database encryption at rest, and access controls.
• •Openness — Our privacy practices are documented in our Privacy Policy available at candidoor.ca/privacy.
• •Individual access — Individuals have the right to access their personal information held by Candidoor. Requests can be made to privacy@candidoor.ca.
• •Challenging compliance — Individuals can challenge our compliance with PIPEDA by contacting our Privacy Officer. If the matter is not resolved you have the right to complain to the Office of the Privacy Commissioner of Canada.

4. Anonymity by architecture

Candidoor is structurally designed to separate personal identity from interview data. At account creation a random Feed ID is generated and permanently decoupled from the user email. Interview threads are stored against the Feed ID only. This architectural decision means that even if compelled by legal process, Candidoor cannot link published threads to individual email addresses.

5. Data residency

Candidoor stores all personal data in Supabase's Canada Central (ca-central-1) region hosted on AWS. This means your personal information remains in Canada at rest. Some processing may occur through Vercel's global edge network for performance purposes.

6. Cross-border data transfers

Some service providers we use — including Supabase and Vercel — may process data outside Canada in the course of providing their services. We ensure that any such transfers are governed by appropriate data processing agreements and privacy protections consistent with PIPEDA.

7. Data breach notification

In the event of a data breach that poses a real risk of significant harm to individuals, Candidoor will notify the Office of the Privacy Commissioner of Canada and affected individuals as required by PIPEDA breach notification provisions.