StatusFlow Privacy Policy

Effective: September 11, 2025

Last Updated: September 11, 2025

When you use StatusFlow, you trust us with information about your job search. We understand this is a big responsibility. This Privacy Policy explains what we collect, why we collect it, how we use and share it, and what choices and rights you have.

If you have questions, you can contact us at privacy@statusflow.ca.

1) Scope & Who We Are

This Policy applies to StatusFlow (“we”, “us”, “our”) and covers our website, web application, and any APIs/integrations that we operate (collectively, the “Services”). It does not apply to third-party websites or services that we do not control, even if they link to or integrate with our Services.

Controller. For personal data subject to data protection laws (e.g., GDPR, PIPEDA, CCPA/CPRA), StatusFlow is the data controller.

2) Information We Collect

We collect information to provide, maintain, and improve StatusFlow. The categories below depend on the features you use and the settings you choose.

A. Information you provide

  • Account Data: name, email, password (stored as a hash), time zone, locale, and preferences.
  • Job Application Data: roles, companies, statuses (e.g., applied, interview, offer), stages, events (e.g., interview dates), outcomes, compensation details you enter, notes, tasks, reminders, follow-ups, attachments (e.g., resumes, cover letters, offer letters), and tags.
  • Content & Communications: messages you send to us (support requests, feedback), comments or annotations you add within the app, and any forms you submit.

B. Information from connected accounts (optional)

If you choose to connect third-party services, we receive information only as authorized by you:

  • Calendar/Email/Drive Integrations (e.g., Google/Outlook/Dropbox): metadata and content necessary to power features like interview scheduling, email-to-application linking, file import (resumes/notes), and reminders.
  • Professional Profiles (e.g., LinkedIn, GitHub): public profile info and links you choose to import.
  • ATS/Job Boards: application metadata you explicitly import/sync.

We request the minimum scopes needed and store tokens securely. We do not use connected account data to serve third-party ads.

Google API Data: We adhere to the Google API Services User Data Policy (including Limited Use). Human access occurs only for security, legal compliance, or with your explicit consent (e.g., support you initiate).

C. Device, app, and network data (collected automatically)

  • Technical Data: IP address, device and browser type/version, operating system, language, referrer, app version, timestamps, and event diagnostics (e.g., crash logs, performance metrics).
  • Usage Data: pages and screens viewed, clicks, features used, and frequency/duration of sessions (to improve reliability, performance, and usability).

D. Cookies and local storage

We use:

  • Essential (required for login, session, security).
  • Preferences (remember choices like theme/timezone).
  • Analytics (understand product usage to improve StatusFlow).

You can control cookies in your browser. Blocking essential cookies may break features. We currently do not respond to “Do Not Track” signals.

E. Sensitive categories

We do not intentionally collect sensitive categories (e.g., racial/ethnic origin, health, precise geolocation) unless you choose to include such information in your materials (e.g., resumes). Avoid uploading content you do not want processed by StatusFlow.

F. Children

StatusFlow is not intended for individuals under 16 (or the age required by your jurisdiction). We do not knowingly collect data from children.

3) Why We Collect Data (Purposes of Processing)

We use your information to:

  • Provide the Services: account creation, authentication, application tracking, reminders, task management, document storage, and integrations you enable.
  • Maintain & Improve: monitor performance, fix bugs, optimize workflows, and enhance features based on aggregated usage insights.
  • Personalize & Assist: surface relevant tips, default fields, or timelines; suggest reminders or statuses; pre-fill content you choose (no third-party ads).
  • Communicate with You: service notices, security alerts, transactional emails (e.g., password resets), feature updates, and responses to support requests.
  • Security & Abuse Prevention: detect, investigate, and prevent fraud, spam, or misuse; protect the integrity of accounts and the platform.
  • Compliance & Legal: meet legal obligations, enforce Terms, and protect our rights, users, and the public interest.
  • Research & Development: analyze de-identified or aggregated usage trends to build new features and improve reliability.

AI-assisted features (if/when available): Certain features may analyze your data to generate insights (e.g., pipeline summaries, scheduling suggestions). We do not use your data to train third-party models without telling you and, where required, getting your consent.

4) Legal Bases (GDPR/UK GDPR)

Where applicable, we rely on:

  • Contract: to provide the Services you requested.
  • Legitimate Interests: to maintain and improve security, performance, product experience, and to communicate non-marketing product updates.
  • Consent: for optional integrations, certain analytics, marketing communications, or region-specific requirements.
  • Legal Obligation: to comply with law and enforce rights.

You may withdraw consent at any time via settings or by contacting privacy@statusflow.ca.

5) How We Share Information

We do not sell your personal information. We share it only in these cases:

  • At Your Direction: when you connect third-party services, export data, share an application record, or invite collaborators.
  • Service Providers/Processors: trusted vendors that host infrastructure, provide analytics, logging, email delivery, customer support tools, payment processing, or security scanning—all under confidentiality and data protection commitments.
  • Affiliates & Corporate Transactions: if we undergo a merger, acquisition, or asset sale, your data may transfer subject to this Policy (or a successor policy providing equal or stronger protections).
  • Legal & Safety: to comply with law or protect rights, safety, and the integrity of the Services (after appropriate review).
  • Aggregated or De-identified Data: information that cannot reasonably be linked to you personally, used for insights and product improvements.

6) Data Transfers

We may process and store information in Canada, the United States, and other countries. Where required, we use appropriate safeguards for international transfers, such as Standard Contractual Clauses and equivalent mechanisms.

7) Retention

We retain data for as long as needed to provide the Services, comply with our obligations, resolve disputes, and enforce agreements. Typical retention periods:

  • Account & Profile Data: kept while your account is active; deleted upon request or account closure (subject to legal/operational backups).
  • Job Application Records & Attachments: kept until you delete them or close your account.
  • Support Communications: generally up to 24 months after resolution (for audit/troubleshooting).
  • Analytics & Event Logs: typically 12–18 months in identifiable form; longer in aggregated/de-identified form.
  • Backups: rolling backups generally persist for 30–45 days.

When deletion is requested or triggered, we follow a secure deletion process. Some latency may occur before data is purged from active systems and backups.

8) Security

We implement technical and organizational safeguards appropriate to the risk, including (for example):

  • Encryption in transit (TLS) and, where supported, encryption at rest.
  • Access controls based on least privilege; authentication protections.
  • Monitoring and logging for anomalies and abuse.
  • Vendor diligence and contractual commitments.

Despite our efforts, no method of transmission or storage is 100% secure. If we learn of a breach, we will notify affected users and regulators when required.

9) Your Choices & Controls

  • Account Settings: update profile, preferences, and connected accounts.
  • Data Access & Portability: request a copy of your data (e.g., CSV/JSON) via [EMAIL] or in-app controls (if available).
  • Correction: edit inaccurate or incomplete information in your account or contact us.
  • Deletion: delete specific records (e.g., applications, attachments) or request full account deletion.
  • Consent Management: connect/disconnect integrations; manage cookie preferences in your browser and (where provided) our cookie banner.
  • Email Preferences: unsubscribe from non-essential emails via links in messages or by contacting us. Essential service and security emails will still be sent.

10) Region-Specific Rights

A. EEA/UK

You have the right to access, rectify, erase, restrict, object, and port your data, and to withdraw consent at any time. You may lodge a complaint with your local supervisory authority. Our contact: privacy@statusflow.ca.

B. Canada (PIPEDA)

You may access and correct your personal information, and you can challenge our compliance with PIPEDA. Contact: privacy@statusflow.ca. You may also contact the Office of the Privacy Commissioner of Canada.

C. California (CCPA/CPRA)

We do not “sell” or “share” personal information as defined by the CPRA, nor do we use or disclose Sensitive Personal Information for purposes other than those permitted by law (e.g., providing the Services). You have the rights to know, delete, correct, and to opt-out of sale/share (not applicable as we do not sell/share). You will not be discriminated against for exercising your rights. Submit requests at privacy@statusflow.ca.

11) Automated Decision-Making & Profiling

StatusFlow does not use automated decision-making that produces legal or similarly significant effects. We may use limited profiling (e.g., suggested reminders or pipeline summaries) to enhance your experience. You can disable optional features where offered.

12) Third-Party Links & Services

Our Services may link to third-party sites or allow you to enable integrations. Their privacy practices are governed by their own policies. Review those policies before enabling or sharing data.

13) Changes to This Policy

We may update this Policy from time to time. We will post the updated version with a new “Effective” date and, if changes are material, provide a more prominent notice (and obtain consent where required). Archived versions are available upon request at privacy@statusflow.ca.

14) Contact Us

15) Key Definitions (Plain English)

  • Personal Data / Personal Information: Any information that identifies or can reasonably be linked to an individual.
  • Services: StatusFlow’s website, web app, APIs, and related features.
  • Controller / Processor: A controller decides why/how personal data is processed; a processor processes data on a controller’s behalf.
  • Sale / Share (CPRA): Disclosing personal information for monetary or other valuable consideration (sale) or for cross-context behavioral advertising (share).
  • Aggregated / De-identified Data: Data that cannot reasonably be linked to an identified or identifiable person.