Privacy Policy

Effective Date: February 20, 2026 · Last Updated: February 20, 2026

1. Introduction

Whistler.work ("we," "us," or "our") operates the website located at https://whistler.work and associated services (collectively, the "Platform"). We are committed to protecting the privacy and security of your personal information.

This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your personal information when you visit our Platform, create an account, post or apply for jobs, or otherwise interact with our services. It applies to all users, including seasonal workers ("Workers"), employers ("Employers"), and visitors.

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this Policy, please do not use the Platform.

2. Governing Law & Compliance

Whistler.work is operated from British Columbia, Canada. Our privacy practices comply with:

  • Personal Information Protection and Electronic Documents Act (PIPEDA) — Canada's federal private-sector privacy law
  • British Columbia Personal Information Protection Act (PIPA) — provincial privacy legislation
  • Canada's Anti-Spam Legislation (CASL) — governing commercial electronic messages
  • General Data Protection Regulation (GDPR) — where applicable to individuals in the European Economic Area
  • California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) — where applicable to California residents

Where local laws provide greater privacy protections, those protections apply in addition to this Policy.

3. Information We Collect

3.1 Information You Provide Directly

When you register, create a profile, post a job, or apply for positions, we collect:

  • Account information: email address, password (stored as a bcrypt hash — we never store plaintext passwords), and user role (Worker, Employer)
  • Profile information (Workers): name, biographical description, skills, professional certifications, location, and avatar/profile photo URL
  • Company information (Employers): company name, description, logo URL, website, and business location
  • Job posting information: job title, description, compensation range, housing availability, season, employment type, required skills, and date ranges
  • Availability information: start and end dates for availability windows, and optional notes
  • Application information: cover letters and application status
  • Communications: messages you send to us via email or contact forms

3.2 Information Collected Automatically

When you access the Platform, we automatically collect:

  • Device information: browser type and version, operating system, device type, and screen resolution
  • Usage data: pages visited, features used, time spent on pages, click patterns, and search queries
  • Network information: IP address (anonymised for analytics), referring URL, and ISP
  • Request identifiers: unique request IDs generated for each API call (used for debugging and security monitoring — not linked to personal identity)

3.3 Information We Do Not Collect

We do not collect: government-issued identification numbers (SIN, SSN, passport), financial account or payment card details (we do not process payments directly), biometric data, health information, racial or ethnic origin, political opinions, religious beliefs, or trade union membership.

4. How We Use Your Information

We use your personal information for the following purposes:

4.1 Service Delivery

  • Create and manage your account
  • Display your Worker profile to Employers searching for candidates
  • Publish job postings on behalf of Employers
  • Match Workers with relevant jobs based on skills, availability windows, season, and location ("Matching Engine")
  • Process and manage job applications
  • Send in-platform notifications (new applications, application status updates, matching alerts)

4.2 Platform Improvement

  • Analyse usage patterns to improve features, performance, and user experience
  • Monitor and prevent fraud, abuse, and security threats
  • Enforce rate limiting and protect against automated attacks
  • Debug issues using structured logs with anonymised request identifiers

4.3 Communications

  • Send transactional emails (account confirmations, password resets, application updates) — these are service-related and cannot be opted out of while you hold an active account
  • Send promotional communications about new features or seasonal opportunities (only with your express consent; you may opt out at any time)

4.4 Legal Obligations

  • Comply with applicable laws, regulations, and legal processes
  • Respond to lawful requests from law enforcement or government authorities
  • Protect our rights, property, or safety, or that of our users

5. Legal Basis for Processing (GDPR Users)

For individuals in the European Economic Area, we process personal data under the following legal bases:

  • Contractual necessity: processing required to provide our Platform services (account creation, job matching, applications)
  • Legitimate interests: analytics, fraud prevention, platform security, and service improvement
  • Consent: promotional communications and optional cookies
  • Legal obligation: compliance with tax, employment, and regulatory requirements

6. Cookies & Tracking Technologies

6.1 Essential Cookies

We use the following cookies that are strictly necessary for Platform operation:

  Cookie         Purpose                    Duration   Type
  access_token   JWT authentication token   7 days     HttpOnly, Secure, SameSite=Lax

The access_token cookie is set as HttpOnly, meaning it cannot be accessed by client-side JavaScript. This is a deliberate security measure to protect against cross-site scripting (XSS) attacks. The cookie uses the Secure flag in production, ensuring transmission only over HTTPS.
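As an added illustration (not Whistler.work's own code), the following Node.js snippet builds the access_token Set-Cookie header with the attributes described above and audits any Set-Cookie header for those same properties; the function names are assumptions.

```javascript
// Added example (not Whistler.work's own code): build the access_token
// Set-Cookie header with the attributes the policy states, then audit any
// Set-Cookie header for them. Function names are assumptions.
const SEVEN_DAYS_SECONDS = 7 * 24 * 60 * 60;

// Build the Set-Cookie header value for the access_token cookie. `production`
// controls the Secure flag, which the policy says is applied in production.
function buildAccessTokenCookie(jwt, production = true) {
  const attrs = [
    `access_token=${encodeURIComponent(jwt)}`,
    `Max-Age=${SEVEN_DAYS_SECONDS}`, // 7 days, as stated in the policy
    'Path=/',
    'HttpOnly',     // not readable via document.cookie, so XSS cannot read it
    'SameSite=Lax', // not sent on cross-site POST navigations (CSRF hardening)
  ];
  if (production) attrs.push('Secure'); // sent over HTTPS only
  return attrs.join('; ');
}

// Parse a Set-Cookie header value into { name, value, attributes }.
// Attribute names are lower-cased because RFC 6265 treats them case-insensitively.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// Audit a Set-Cookie header against the properties the policy states for
// access_token. Returns a list of findings; an empty list means compliant.
function auditAccessTokenCookie(header) {
  const { name, attributes: a } = parseSetCookie(header);
  const findings = [];
  if (name !== 'access_token') findings.push(`unexpected cookie name: ${name}`);
  if (a.httponly !== true) findings.push('missing HttpOnly');
  if (a.secure !== true) findings.push('missing Secure');
  if (String(a.samesite || '').toLowerCase() !== 'lax') findings.push('SameSite is not Lax');
  const maxAge = Number(a['max-age']);
  if (!Number.isFinite(maxAge) || maxAge > SEVEN_DAYS_SECONDS) findings.push('Max-Age missing or longer than 7 days');
  return findings;
}
```

The audit function is the kind of check a deployment test can run against the real `Set-Cookie` response header to confirm the cookie keeps the stated flags after a configuration change.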

6.2 Analytics Cookies

We may use privacy-focused analytics tools to understand how the Platform is used. Where analytics cookies are employed, they are loaded only after obtaining your consent (where required by law). Analytics data is aggregated and does not personally identify you.

6.3 No Third-Party Advertising Cookies

We do not use third-party advertising cookies, retargeting pixels, or behavioural tracking technologies. We do not sell your data to advertisers. We do not participate in real-time bidding or ad exchanges.

7. Data Sharing & Disclosure

We share your personal information only in the following circumstances:

7.1 Between Platform Users

  • Workers: your profile name, bio, skills, certifications, location, and availability windows may be visible to Employers using the matching engine or viewing applications
  • Employers: your company name, description, location, and job postings are publicly visible
  • Cover letters and application details are shared only with the Employer who posted the relevant job

7.2 Service Providers

We use trusted third-party service providers who process data on our behalf under strict contractual obligations:

  • Hosting & infrastructure: Railway (backend), Vercel (frontend), Neon (PostgreSQL database) — all processing data within secure, SOC 2-compliant environments
  • Email services: transactional email providers for account and application notifications
  • Error monitoring: application performance and error tracking (anonymised)

7.3 Legal Requirements

We may disclose your information if required to do so by law, regulation, or legal process (e.g., court order, subpoena), or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

7.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.

7.5 No Sale of Personal Information

We do not sell, rent, or lease your personal information to third parties. We have not sold personal information in the preceding 12 months. This applies to all users regardless of jurisdiction.

8. Data Security

We implement industry-standard technical and organizational measures to protect your personal information:

  • Encryption in transit: all data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS)
  • Encryption at rest: database encryption provided by our hosting provider (Neon PostgreSQL)
  • Password hashing: passwords are hashed using bcrypt with 12 salt rounds — plaintext passwords are never stored or logged
  • Authentication tokens: JWT tokens stored in HttpOnly, Secure cookies — inaccessible to JavaScript
  • Input validation: all user input is validated and sanitized using schema validation (Zod) to prevent injection attacks
  • Rate limiting: API endpoints are rate-limited to prevent brute-force and denial-of-service attacks
  • Security headers: Helmet.js security headers (CSP, X-Frame-Options, X-Content-Type-Options, etc.) applied to all responses
  • CORS: strict origin allowlisting to prevent unauthorized cross-origin requests
  • Parameterized queries: all database queries use parameterized statements via Prisma ORM — preventing SQL injection
  • Structured logging: application logs use structured JSON format with request IDs; sensitive data (passwords, tokens, PII) is never logged
  • Access control: role-based access control (RBAC) enforces that Workers, Employers, and Admins can only access resources appropriate to their role

While we employ commercially reasonable security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but will notify affected users and relevant authorities of any data breach in accordance with applicable laws.

9. Data Retention

We retain your personal information for as long as necessary to provide our services and fulfil the purposes described in this Policy:

  • Active accounts: data is retained for the duration of your account's existence
  • Closed accounts: account data is deleted within 30 days of account deletion, except where retention is required by law
  • Job postings: closed or filled job postings may be retained in anonymised form for analytics
  • Application records: retained for the duration of the job posting lifecycle plus 12 months for dispute resolution
  • Logs: API and application logs are retained for up to 90 days, then automatically purged
  • Legal holds: data may be retained longer if required by legal proceedings, investigations, or regulatory requirements

10. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

10.1 All Users (PIPEDA / PIPA)

  • Access: request a copy of the personal information we hold about you
  • Correction: request correction of inaccurate or incomplete personal information
  • Withdrawal of consent: withdraw consent for optional data processing (e.g., promotional emails)
  • Complaint: file a complaint with the Office of the Privacy Commissioner of Canada or the BC Office of the Information and Privacy Commissioner

10.2 European Economic Area (GDPR)

  • Right to access, rectification, and erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability (receive your data in a structured, machine-readable format)
  • Right to object to processing based on legitimate interests
  • Right to lodge a complaint with your local data protection authority

10.3 California Residents (CCPA / CPRA)

  • Right to know what personal information is collected, used, and disclosed
  • Right to delete personal information
  • Right to opt out of the sale of personal information (we do not sell data)
  • Right to non-discrimination for exercising your privacy rights
  • Right to correct inaccurate personal information
  • Right to limit use and disclosure of sensitive personal information

10.4 How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@whistler.work. We will respond to verified requests within 30 days (or within the timeframe required by applicable law). We may request identity verification before processing your request to prevent unauthorized access.

11. International Data Transfers

Your personal information may be processed and stored in Canada and the United States (where our infrastructure providers operate). Where data is transferred outside your jurisdiction, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Service provider certifications (SOC 2 Type II compliance)
  • Canada is recognized by the European Commission as providing adequate data protection under GDPR Article 45

12. Children's Privacy

The Platform is not intended for individuals under the age of 16 (or the minimum age of employment in the applicable jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child, we will delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@whistler.work.

13. Third-Party Links

The Platform may contain links to third-party websites (e.g., employer company websites). We are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any third-party site you visit.

14. Data Breach Notification

In the event of a data breach that poses a real risk of significant harm to individuals, we will:

  • Notify affected individuals as soon as feasible and no later than 72 hours after becoming aware of the breach (in compliance with PIPEDA, GDPR, and applicable provincial legislation)
  • Report the breach to the Office of the Privacy Commissioner of Canada and, where applicable, to the relevant provincial commissioner and/or European data protection authority
  • Provide clear information about the nature of the breach, the data involved, measures taken, and steps individuals can take to protect themselves
  • Maintain internal records of all breaches, including those that do not meet the threshold for mandatory notification

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will: (a) update the "Last Updated" date at the top of this page; (b) post a notice on the Platform; and (c) for significant changes, notify you via email or in-platform notification. Your continued use of the Platform after the effective date of a revised Policy constitutes acceptance of the changes.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact our Privacy Officer:

Whistler.work Privacy Office

You may also file a complaint with the Office of the Privacy Commissioner of Canada or the BC Office of the Information & Privacy Commissioner.

See also: Terms of Service