Privacy Policy

Effective date: March 27, 2026 · Last updated: March 27, 2026

Privacy by Architecture, Not Policy

WorkPair's consent-gating is structural. No third party can access your professional data without your explicit, in-platform approval. This is not a policy promise — it is how the system is built.

1. Controller Identity and Scope

WorkPair, Inc., a corporation organized under the laws of the State of Texas ("WorkPair," "we," "us," "our"), is the data controller for personal information collected through the WorkPair® platform, website, APIs, mobile applications, and related services (collectively, the "Platform"). This Privacy Policy explains how we collect, process, store, share, and protect your personal information, and describes your rights with respect to that information.

This Policy applies to all users of the Platform globally, including individuals, institution representatives, recruiters, and guardians acting on behalf of minor users. For users in the European Economic Area, United Kingdom, or Switzerland, additional rights and disclosures are provided in Section 16. For California residents, additional disclosures are provided in Section 17.

2. Information We Collect

2.1 Information You Provide Directly

  • Registration data: Full name, email address, and password
  • Identity verification data: Government-issued identification documents, facial biometric data, and liveness checks — processed exclusively by Persona Technologies, Inc. under their privacy policy
  • Professional data: Employment history, educational history, credentials, certifications, and professional affiliations
  • Profile data: Headline, biography, location, website, and profile photograph
  • Communications: Messages sent through the Platform's fee-gated messaging system, connection requests, and feed posts
  • Financial data: Payment methods and transaction history, processed through Stripe, Inc. — WorkPair does not store full payment card numbers
  • Minor account data: Date of birth and guardian email address for accounts established for users under 18

2.2 Information Collected Automatically

  • IP address, device identifiers, browser type, and operating system
  • Platform usage data including features accessed, pages viewed, and session duration
  • Authentication tokens, session cookies, and security logs
  • Transaction logs including wallet funding events, fee charges, and data access events

2.3 Information From Third Parties

  • Persona: Identity verification status (verified/unverified) and inquiry identifiers — not raw document images
  • Stripe: Payment confirmation data, customer identifiers, and subscription status
  • Partner institutions: Verified credential data, institutional membership records, and role designations submitted by approved institution partners

3. Your WorkPair Identity Number (WID)

Your WID is a permanent, unique 10-character alphanumeric identifier. It is classified at the highest level of data sensitivity — equivalent to a government identification number. WorkPair treats your WID as follows:

  • Your WID is never displayed publicly on your profile or in any public-facing context
  • Your WID is never included in API responses accessible to third parties
  • Your WID is never shared with any external party without your explicit written consent
  • Access to WIDs within WorkPair's systems is restricted to essential personnel on a need-to-know basis
  • Your WID is permanently retired upon account deletion and is never reissued or reassigned

4. Legal Basis for Processing

WorkPair processes your personal information on the following legal bases:

  • Contract performance: Processing necessary to create and maintain your account, process transactions, and deliver Platform services
  • Explicit consent: Identity verification (biometric processing), data access approvals, and optional features
  • Legitimate interests: Fraud prevention, platform security, abuse detection, service improvement, and analytics — balanced against your privacy interests
  • Legal obligation: Compliance with applicable laws, court orders, and regulatory requirements

5. Consent-Gated Data Access Architecture

WorkPair's core privacy architecture is built on structural consent-gating. This means:

  • No institution, recruiter, employer, background check service, API consumer, or any other third party can technically access your professional history, verified credentials, or identity data without your explicit, affirmative, per-request in-platform approval
  • Each access request is individually reviewed and approved or declined by you
  • Approved access is time-limited, logged, and visible in your account at all times
  • Access requests that expire without response result in zero data disclosure and zero charges
  • You may revoke ongoing access at any time through your account settings

This architecture cannot be overridden by commercial agreements between WorkPair and third parties. No contract, subscription, or payment by any third party grants access to your data without your consent.

6. How We Use Your Information

  • To create, verify, and maintain your professional identity record
  • To facilitate government ID verification through Persona
  • To process wallet transactions and subscription billing through Stripe
  • To operate the feed, messaging system, connections, opportunity marketplace, and institution portals
  • To send transactional and operational emails through Resend
  • To detect, investigate, and prevent fraud, unauthorized access, and policy violations
  • To maintain audit logs for administrative accountability
  • To improve Platform functionality, reliability, and user experience
  • To comply with applicable laws and regulatory obligations
  • To enforce these Terms and our legal rights

What we expressly do not do with your data:

  • We do not sell your personal data to any third party for any purpose
  • We do not share your data with advertisers for behavioral or targeted advertising
  • We do not use your data to train third-party AI or machine learning models
  • We do not share your accountTier (verification status) with any third party in API responses
  • We do not engage in automated decision-making that produces legal or similarly significant effects without human review

6.5 Community Standards and Content Moderation Data

WorkPair operates a community policing system to maintain platform safety and enforce community standards. In connection with this system, we collect and process the following data:

  • Flag data: When a user flags a post, we record the flagging user's identity, the flagged post, the selected reason category, and any additional details provided by the flagging user
  • Enforcement records: We maintain records of automated enforcement actions including post pauses, post removals, and account suspensions triggered by community flags
  • Violation history: We track the number of posts removed from a user's account due to community flags, which may be used to determine account-level enforcement actions including suspension

This data is processed on the basis of our legitimate interest in maintaining platform safety and enforcing our Terms of Service. Flag data is accessible only to WorkPair administrators and is not disclosed to third parties except as required by law. Flagging user identities are not disclosed to the authors of flagged posts.

7. Data Sharing and Disclosure

We disclose your personal information only in the following limited circumstances:

7.1 With Your Consent

When you explicitly approve a data access request from an institution, recruiter, or other third party through the Platform's consent-gating system.

7.2 Service Providers

We share data with the following categories of service providers, each bound by data processing agreements that restrict their use of your data to the provision of services to WorkPair:

  • Persona Technologies, Inc.: Identity document verification and biometric processing
  • Stripe, Inc.: Payment processing and subscription management
  • Resend, Inc.: Transactional email delivery
  • Vercel, Inc.: Application hosting and infrastructure
  • Neon, Inc.: Database hosting and management

7.3 Legal Requirements

We may disclose your information when required by law, valid legal process, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of WorkPair, our users, or the public. To the extent permitted by law, we will notify you of such disclosures.

7.4 Business Transactions

In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred to a successor entity. We will provide you with prior notice of any such transfer and your choices regarding your information.

7.5 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you with third parties for research, analytics, or industry reporting purposes.

8. Data Retention

  • Account data: Retained for the duration of your account, plus 90 days following deletion to allow for account recovery and legal compliance
  • Feed posts: Automatically and permanently deleted 30 days after publication unless renewed; deleted posts are not recoverable
  • Messages: Retained for 24 months following send date, then automatically purged
  • Transaction records: Retained for 7 years for financial, tax, and regulatory compliance purposes
  • Identity verification records: Retained as required by applicable law and our agreement with Persona, typically 5–7 years
  • Audit logs: Administrative action logs retained for 2 years
  • Security logs: Retained for 12 months for fraud detection and security purposes
  • Backup data: Backup systems may retain data for up to 90 days beyond the stated retention periods

9. Security

WorkPair implements a comprehensive security program including: 256-bit TLS encryption for all data in transit; AES-256 encryption for sensitive data at rest; bcrypt password hashing with industry-standard cost factors; JWT-based stateless authentication; role-based access control for internal systems; regular security assessments and penetration testing; and incident response procedures.

Access to personal data within WorkPair is restricted to personnel who require such access to perform their job functions, and is governed by least-privilege principles and access logging.

Despite these measures, no system is perfectly secure. WorkPair cannot guarantee the absolute security of your information. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law.

To report a security vulnerability, contact security@workpair.io. We operate a responsible disclosure policy and will not take legal action against good-faith security researchers.

10. Cookies and Tracking

WorkPair uses essential cookies and session tokens necessary for Platform operation, authentication, and security. We do not use third-party advertising cookies, behavioral tracking cookies, or cross-site tracking technologies. Our use of cookies is limited to:

  • Authentication session management
  • Security and fraud prevention
  • User preference storage (e.g., language preference)
  • Essential Platform functionality

11. Children's Privacy

Users under 18 may only access the Platform through a guardian-managed account established by a parent or legal guardian. For minor accounts, we collect the minor's date of birth and the guardian's email address. Parents and guardians have full access to manage, correct, and delete the minor account.

Account ownership and all associated data automatically transfer to the minor upon reaching age 18, subject to completion of independent identity verification. WorkPair does not knowingly collect personal information from children under 13 without verifiable parental consent. If we discover that we have collected information from a child under 13 without proper consent, we will promptly delete it.

12. International Data Transfers

WorkPair is headquartered in the United States. Your personal information may be processed in the United States and other countries where our service providers operate, which may have different data protection laws than your country of residence.

For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, WorkPair relies on Standard Contractual Clauses approved by the European Commission, supplemented by additional technical and organizational safeguards. A copy of our Standard Contractual Clauses is available upon request at privacy@workpair.io.

13. Your Rights and Choices

Subject to applicable law, you have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete personal information
  • Deletion: Request deletion of your account and personal information, subject to legal retention obligations
  • Portability: Request an export of your verified professional record in a machine-readable format
  • Restriction: Request restriction of processing in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • Withdrawal of consent: Withdraw consent for processing based on consent, without affecting the lawfulness of prior processing

To exercise any of these rights, contact privacy@workpair.io. We will respond within 30 days. We may require identity verification before processing certain requests. We will not discriminate against you for exercising your privacy rights.

14. Advertising on WorkPair

WorkPair does not permit third-party behavioral advertising or sell user data to advertisers. Any advertising displayed on the Platform is submitted by verified WorkPair members and institutions through our in-platform advertising system, is subject to our Advertising Policy, is clearly labeled as "Sponsored," and is never disguised as organic content.

Prohibited advertising categories include consumer products, financial products, pharmaceutical products, political advertising, and any category WorkPair determines is inconsistent with the Platform's professional standards. Advertisers must be verified WorkPair members or institutions and must comply with all applicable advertising laws.

15. Third-Party Links and Services

The Platform may contain links to third-party websites or services. WorkPair is not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you access through the Platform. WorkPair's Privacy Policy applies only to information collected through the WorkPair Platform.

16. EEA, UK, and Swiss Users — Additional Rights

If you are located in the European Economic Area, United Kingdom, or Switzerland, the following additional provisions apply:

  • You have the right to lodge a complaint with your local data protection supervisory authority
  • You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal
  • You have the right to object to processing for direct marketing purposes at any time
  • For automated decision-making, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects
  • WorkPair's Data Protection Officer can be contacted at privacy@workpair.io

17. California Residents — CCPA Disclosures

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: The categories and specific pieces of personal information we collect, use, disclose, and sell
  • Right to Delete: Deletion of personal information we have collected from you, subject to exceptions
  • Right to Correct: Correction of inaccurate personal information
  • Right to Opt-Out of Sale: WorkPair does not sell personal information. This right is not applicable.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
  • Right to Limit Use of Sensitive Personal Information: You may limit our use of sensitive personal information to purposes necessary to provide the services you request

To submit a CCPA request, contact privacy@workpair.io or call our toll-free number provided at workpair.io/legal/ccpa. We will verify your identity before processing requests.

18. Changes to This Policy

WorkPair may update this Privacy Policy from time to time. For material changes — including changes that expand our use of your data, add new data sharing practices, or reduce your rights — we will provide at least 30 days' prior notice via email and in-platform notification before the changes take effect. Your continued use of the Platform after the effective date of updated Terms constitutes acceptance.

The "Last Updated" date at the top of this Policy reflects the most recent revision. We maintain an archive of prior versions of this Policy, available upon request.

19. Contact and Data Protection Officer

Privacy inquiries: privacy@workpair.io

Legal matters: legal@workpair.io

Security vulnerabilities: security@workpair.io

Mailing address: WorkPair, Inc., New York City, New York, United States

© 2026 WorkPair, Inc. All rights reserved.