← Legal hub

Privacy Policy

Last updated: June 4, 2026

1. Who we are

This Privacy Policy describes how Temp Inc.("we", "us", "our") handles personal information in connection with the WSIB Workflow service (the "Service"), a contractor WSIB clearance and certificate of insurance (COI) readiness platform.

Controller / Privacy contact: Temp Inc., Ontario, Canada — info@temp.ca.

2. Scope and roles

We act as a data controller for the account holders, billing contacts and end users who access the Service, and as a data processor for the contractor and project records our customers upload (we process that information on their behalf and on their documented instructions).

3. Information we collect

  • Account information: name, email, organization, role, hashed password and multi-factor authentication state.
  • Customer content: projects, contractors, contractor documents (WSIB clearance certificates, COI PDFs/images), document request events, internal notes and audit events.
  • Communication data: upload request emails sent to subcontractors, reminder emails, password-reset emails, invite emails.
  • Technical data: IP address, browser user-agent, device type, pages viewed, feature events, error reports, basic performance metrics.
  • Advertising identifiers: if you consent to marketing cookies, a Google Ads click identifier and Google Analytics client ID may be associated with your visit. See the Cookie Policy.

We do not sell personal information and we do not knowingly collect information from children under 16.

4. How we use information

  • Operate the readiness board, document requests, reminders and audit trail.
  • Authenticate users and enforce role and tenant scoping.
  • Send transactional emails (upload links, reminders, password reset, invites).
  • Monitor security, detect fraud and abuse, debug errors.
  • Measure aggregate product usage and the performance of marketing campaigns (only with the relevant cookie consent).
  • Comply with our legal and regulatory obligations.

5. Legal bases

Where PIPEDA applies, we rely on:

  • your express or implied consent for account creation and service delivery,
  • contractual necessity for processing customer content, and
  • legitimate interests in maintaining security and improving the Service.

Where the GDPR applies (e.g. EU/EEA visitors), we rely on Article 6(1)(b) (performance of a contract), 6(1)(c) (legal obligation), 6(1)(f) (legitimate interests) and 6(1)(a) (consent — specifically for non-essential cookies and marketing).

6. Sub-processors and third-party services

We rely on the following service providers. Each is bound by a written agreement (or platform DPA) and is permitted to process personal information only to deliver their service to us.

ProviderPurposeRegion(s)
SupabasePrimary database (Postgres), authentication, object storage for documentsCanada / US (per project)
RailwayApplication hosting for the backend API and the Next.js web appUS (default region)
PostHogProduct analytics, feature flags, session-level event aggregationEU or US (per deployment)
Google Analytics 4 / Google AdsAggregate web traffic measurement and conversion attributionGlobal (Google)
Mistral AI (OCR)Optional OCR extraction of WSIB / COI documents — disabled unless explicitly enabledEU
SMTP email providerDelivery of transactional and reminder emailsPer provider

A current list of sub-processors is maintained in our public repository (docs/SUBPROCESSORS.md). We will give reasonable notice before adding or replacing a sub-processor that handles customer content.

7. International transfers

Personal information may be processed outside Ontario, including in the United States and the European Union. Where required, we rely on Standard Contractual Clauses and equivalent safeguards. Service-provider regions can be reconfigured on request for enterprise customers.

8. Storage, encryption and security

  • Data in transit is protected by TLS 1.2+ enforced by HSTS.
  • Data at rest is encrypted by the underlying Supabase Postgres and storage backends.
  • Webhook signing secrets are encrypted at the application layer with a Fernet key.
  • Access to production is restricted, audited, and follows the principle of least privilege.
  • We maintain an audit trail of mutations to projects, contractors, documents, document requests and authentication events.

9. Retention

We retain account information for the life of the account plus a short grace period for legal and accounting purposes. Customer content is retained for the term of the subscription and deleted or returned on request, subject to backups that expire on the standard rotation. Detailed schedules are in docs/DATA_RETENTION_POLICY.md.

10. Your rights

Depending on where you live, you may have the right to:

  • request access to the personal information we hold about you;
  • request correction of inaccurate or incomplete information;
  • request deletion or anonymization;
  • withdraw consent (e.g. for marketing cookies) at any time;
  • port your information to another controller in a structured, machine-readable format;
  • lodge a complaint with the Office of the Privacy Commissioner of Canada or with your local supervisory authority.

To exercise any right, email info@temp.ca. We respond within 30 days.

11. Cookies and tracking

We use a small number of essential cookies to keep you signed in and to protect your session. Analytics and advertising cookies (PostHog, Google Analytics, Google Ads) are loaded only after you click Accept on the consent banner. See the Cookie Policy for details and opt-out instructions.

12. Changes to this policy

We will post any material change to this page and update the "Last updated" date. For substantive changes we will also notify account administrators by email.

13. Contact

Temp Inc., Ontario, Canada — info@temp.ca.