Privacy Policy

TradePass is operated by Sovren Services Inc., a corporation incorporated in Alberta, Canada, doing business as “TradePass.” In this policy, “TradePass,” “we,” “our,” and “us” refer to Sovren Services Inc.

Our details: Sovren Services Inc., 186 Inglewood Grove SE, Calgary, Alberta T2G 4T9, Canada. hello@mytradepass.app. ⚑Review— confirm registered office vs. mailing address before publishing

This policy describes how we collect, use, share, and protect personal information when you visit our marketing site, create a TradePass account (as a worker or a company administrator), use the TradePass mobile or web app, or otherwise interact with our services (together, the “Services”).

TradePass serves the trades workforce across the United States and Canada. Our Services and this policy are provided in English.

Privacy questions go to privacy@mytradepass.app. We respond within 30 days.

From workers

• Account information: name, email address, password (hashed by our authentication provider), region.
• Profile data: trade(s), industry, experience level, optional phone number, willing-to-travel flag, optional bio and avatar.
• Certifications and trade tickets: certification names, issuers, issue and expiry dates, certificate numbers, optional notes, and the photographs or PDF scans of the original credentials you upload.
• Sensitive identifiers (optional): if you choose to add them — for example a Social Insurance Number (SIN) or Social Security Number (SSN), passport number, or banking details for a hire-on pack — these are encrypted at rest with per-field AES-256-GCM and are revealed to a company only when you grant that specific field. We never display them in plaintext to anyone you have not authorized. ⚑Review— confirm we want SIN/SSN/banking positioned as in-scope at launch
• Project history: employers, roles, sites, scopes, dates — only what you choose to enter.
• Onboarding checklists: per-company assignments and the items you complete.
• Activity records: sign-in timestamps, IP addresses for security events, and audit-log entries when you take sensitive actions (adding or deleting a certification, changing profile visibility, accepting an invite).
• Device and technical data: device type, browser type, operating system, app version, language preference. We use this for security, compatibility, and aggregate analytics — not to build an advertising or tracking profile.

From company administrators

• Company name, industry, location, billing email and address.
• Worker roster relationships (which workers you have added to your roster).
• Onboarding checklists you create and per-item completion status.
• Subscription and billing data — processed by Stripe. We store only customer and subscription identifiers; payment-card details are tokenized by Stripe and we never see, store, or process them.
• Audit-log entries when you take sensitive actions (adding or removing workers, viewing a worker profile, creating or modifying checklists, exporting data).

Information collected automatically

When you interact with the Services we automatically collect a small amount of technical and usage data: IP address, browser type, device type, pages or screens viewed, referring URL, and timestamps. This data is used only for security, abuse prevention, and aggregate analytics. We do not use it to build advertising profiles, and we do not run third-party device-fingerprinting trackers.

Information from third parties

If a partner company invites you to join a roster, that invitation may carry your name and email address so we can match you to it. We do not receive marketing-list data, employment-verification data, or background-check results from third parties as a normal part of operating the Services.

We use personal information for specific, listed purposes. We do not use it for purposes you wouldn’t expect from a workforce-credentialing tool.

• To provide the Services — render your TradePass, your shareable profile, your dashboards, and your roster relationships.
• To send expiry reminders — your stored expiry dates power the email and in-app reminders you receive before a credential lapses. You can adjust thresholds or opt out in your settings.
• To authenticate you and keep your account secure — including rate-limiting, abuse detection, and breach response.
• To send transactional and account communications — receipts, expiry alerts, invites, password resets, security notifications, and material changes to these terms.
• To bill paying customers — through Stripe, including generating invoices, processing renewals, and handling refunds.
• To improve the Services — through aggregate analytics and product feedback you choose to share.
• To comply with legal obligations — including tax, accounting, anti-fraud, and lawful information requests.
• To enforce our Terms — including investigating violations and protecting our rights and the rights of other users.

We do not use your data to build advertising profiles, and we do not sell your data — to anyone, ever.

We share personal information in only the following ways. Each recipient is bound by a written agreement to handle data only for the stated purpose and to maintain appropriate safeguards.

With companies you choose to share with

A worker controls what their TradePass shows. Companies on your active roster see only the certifications and project-history items you have marked visible to them. A worker can change visibility, leave a roster, or delete their TradePass at any time and the company’s view updates accordingly.

With our service providers (subprocessors)

• Supabase — managed Postgres database, file storage, and authentication, hosted on Amazon Web Services infrastructure. Files are stored in private buckets with row-level access policies scoped to the worker who uploaded them. ⚑Review— confirm AWS region(s) and Canadian-residency claim
• Stripe — billing, subscription management, and payment processing for paying companies (PCI-DSS scope).
• Resend — transactional email delivery (receipts, alerts, password resets, invites).
• Anthropic — optional smart-paste resume parsing for workers who opt in. See “AI and automated processing” below.
• Sentry — error monitoring and incident response, configured to avoid logging personal data.
• Vercel — application hosting and a small amount of anonymous aggregate site analytics.
• RevenueCat / Apple / Google (planned). When our native iOS and Android apps ship, in-app subscription purchases may be processed through the Apple App Store, Google Play, and RevenueCat. This is not yet active; we will update this list before any native purchase path goes live. ⚑Review— add as live subprocessor once native IAP ships

For legal reasons

We may disclose information when we believe in good faith that disclosure is required by applicable law, regulation, legal process, or governmental request, or to protect the safety, rights, or property of TradePass, our users, or the public. Where legally permitted we will notify you before responding to a request.

Business transfers

If TradePass is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction. We will give notice before any transfer involves your information becoming subject to a different privacy policy.

TradePass uses a small number of AI-assisted features. We disclose these explicitly so you know what is happening with your data.

• Smart-paste resume parsing (optional, worker-initiated). When a worker chooses to paste a resume to auto-populate their profile, that text is sent to Anthropic’s Claude API for one-time extraction into structured fields. Anthropic does not use this data to train its models. We do not store the input text after the extraction completes.
• Credential expiry rules — automated computations, not AI. Your stored expiry dates and threshold settings are used deterministically to schedule reminder emails.

We do not use AI to make decisions about pricing, eligibility, or access for individual users. We do not use AI to score or rank workers. The Services do not include any “automated decision-making with legal or similarly significant effects.”

Personal information is hosted on Amazon Web Services data centers in North America through our managed providers (Supabase, Stripe, Resend, Vercel, Sentry, Anthropic). By using the Services you consent to your information being processed in these jurisdictions, which may have different data-protection rules than your home jurisdiction. ⚑Review— confirm specific regions; finalize Canadian-residency wording

Where applicable, we use standard contractual safeguards with our service providers for cross-border transfers (including standard contractual clauses for transfers involving the European Economic Area or the United Kingdom). ⚑Review— confirm SCC coverage per subprocessor

We retain information only as long as needed for the purposes described. ⚑Review— confirm each retention period against legal + operational requirements

• Active accounts: retained while your account is active.
• Account deletion (soft-delete window): when you request deletion, your account enters a 30-day soft-delete window during which the request can be reversed; after it elapses, data is purged from our active systems.
• Audit-log entries: retained for 24 months for security investigation, then pruned — and retained longer only where required by applicable Canadian or US law (configurable per legal requirement).
• Stripe billing records: retained for 7 years per Canadian and US tax and accounting requirements.
• Backups: rolling 7-day window, automatically overwritten after that. Backups are not actively queried and are overwritten on schedule after a deletion.
• Marketing and transactional logs: retained 12 months for deliverability and abuse prevention.
• Anonymized aggregate analytics: retained indefinitely. No personal information is included.

We use industry-standard safeguards designed to be appropriate to the sensitivity of the data we hold:

• HTTPS / TLS for all traffic to the Services.
• Encrypted connections to our database and storage layers.
• Row-level security policies on every table in our database, scoped to the user who owns the row.
• Private storage buckets for uploaded files, with access enforced at the database layer rather than file-name guessing.
• Application-layer AES-256-GCM encryption for sensitive worker fields (such as SIN/SSN, passport number, and banking details), with per-field access grants and key versioning.
• Magic-byte file-type verification on uploads.
• Rate-limiting on authentication endpoints and replay-attack defenses on webhook receivers.
• A strict Content Security Policy.
• An append-only audit log of sensitive actions (cert add/delete, profile visibility change, roster invite/remove, data export).
• Independent error monitoring through Sentry, configured to avoid logging personal information.

No system is impenetrable. If we ever experience a data breach that creates a real risk of significant harm, we will notify affected users and the applicable regulators as soon as feasible — and within 72 hours where the GDPR or a state law sets that deadline. ⚑Review— confirm PIPEDA 'real risk of significant harm' standard + exact notification windows per jurisdiction

Regardless of where you live, you have the following rights:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete personal information.
• Delete your account and associated personal information.
• Export your data in a portable format (JSON or CSV).
• Withdraw consent for specific processing where consent is the legal basis.
• Object to or restrict certain processing.
• Manage what you share with each company on your roster, from your account settings.
• Make your profile private at any time, from your account settings.

How to exercise these rights today: email privacy@mytradepass.app from your account email address, or use the “Delete my TradePass” and data-copy request controls in your account settings. We verify requests by confirming control of the account email and respond within 30 days.

Scaffolding note: a one-click, self-serve export endpoint (/api/account/export) and an in-app deletion flow are planned; until they ship, export and deletion are handled as verified email requests, fulfilled within the same 30-day window. ⚑Review— remove this note once self-serve export/delete ships

We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level, and with applicable provincial privacy laws (including Alberta’s PIPA and British Columbia’s PIPA) where they apply to our operations.

Canadian residents may also lodge a complaint with the Office of the Privacy Commissioner of Canada or with their provincial privacy commissioner if they believe we have not addressed a privacy concern.

TradePass is provided in English. We are not currently aligned with all obligations under Quebec’s Act respecting the protection of personal information in the private sector (Law 25), and we do not currently onboard Quebec residents. We plan to expand our compliance posture over time. ⚑Review— confirm Quebec stance + Law 25 readiness before accepting QC residents

We honor the rights granted by the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), and similar state laws as they come into effect. These rights include:

• The right to know the categories and specific pieces of personal information we collect about you.
• The right to delete personal information we hold about you.
• The right to correct inaccurate personal information.
• The right to portability of your personal information.
• The right to opt out of the “sale” or “sharing” of personal information. We do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of.
• The right to non-discrimination for exercising any of the above rights. Exercising your rights will not affect your access to or quality of the Services.

To exercise these rights, contact us at privacy@mytradepass.app. We verify requests by confirming control of the account email address. You may also authorize an agent to make a request on your behalf with appropriate documentation.

If you reside in the European Economic Area, the United Kingdom, or Switzerland, you have the rights set out in the General Data Protection Regulation (GDPR), the UK GDPR, and Swiss data-protection law, including access, rectification, erasure, restriction of processing, data portability, and the right to object to processing.

Our legal bases for processing are: (a) performance of a contract, for account, billing, and core service operations; (b) our legitimate interest, for security, abuse prevention, and product improvement; (c) consent, for optional features such as AI-assisted resume parsing and marketing communications; and (d) compliance with a legal obligation, for tax and lawful information requests.

You may lodge a complaint with your local supervisory authority. For international transfers we rely on the standard contractual clauses adopted by the European Commission, the UK International Data Transfer Agreement, or other appropriate safeguards. ⚑Review— confirm transfer mechanism + whether we actively serve EEA/UK at launch

TradePass is intended for users 18 years of age or older. We do not knowingly collect personal information from children under 18. If you believe a child has provided personal information to us, contact privacy@mytradepass.app and we will delete the information promptly.

We use a small set of cookies and similar technologies for essential functions:

• Authentication cookies — to keep you signed in across pages and sessions.
• Session security cookies — to enforce session caps and protect against cross-site request forgery.
• Preference cookies — to remember your in-product settings (text size, theme, etc.).

We use first-party cookies only. We do not use third-party advertising cookies or cross-site tracking pixels. We use Vercel Analytics for aggregate, anonymized site usage data; it does not set tracking cookies and does not collect personal information.

We will update this policy as the product evolves and as our compliance requirements change. We will post the revised policy with a new “last updated” date and, for material changes (new categories of information collected, new processors, changed retention periods), we will notify you at your account email address at least 14 days before the changes take effect.

Privacy questions or requests: privacy@mytradepass.app. General enquiries: hello@mytradepass.app.

Mailing address:
Sovren Services Inc.
186 Inglewood Grove SE
Calgary, Alberta T2G 4T9
Canada

See also our Terms of Service.