Privacy Policy

Last updated: April 2026

Questions about these policies: support@xpande.io.

1. Introduction and who this policy covers

This Privacy Policy describes how Xpande (“we,” “us,” “our”) collects, uses, discloses, and retains personal information when you use our marketplace Platform that connects Businesses with Field Partners for local field tasks.

This policy is intended to align with Canadian privacy expectations, including the principles in the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial laws, where they apply. The exact legal framework can depend on your province, our operations, and the nature of the information involved; qualified counsel can confirm how the rules apply to your situation.

2. What personal information we collect

Depending on how you use the Platform, we may collect categories such as:

  • Account and identity information: name, email address, phone number, password or authentication artifacts, organization name, role (Business or Field Partner), and verification details we request.
  • Profile and marketplace information: skills, service areas, availability, ratings or feedback, job postings, applications, messages, and proof submissions.
  • Payment-related information: limited payment metadata processed by payment service providers (we generally do not store full payment card numbers on our servers).
  • Device and technical information: IP address, device identifiers, browser type, log data, security signals, and diagnostic information used to operate and protect the Platform.
  • Support and communications: information you provide when you contact us or participate in surveys.

3. Why we collect personal information (purposes)

We use personal information for purposes that include:

  • creating and maintaining accounts and authenticating Users;
  • facilitating connections, applications, assignments, messaging, and proof workflows;
  • processing payments, fees, refunds, and fraud prevention;
  • operating, securing, monitoring, debugging, and improving the Platform;
  • communicating transactional notices and, where permitted, service updates;
  • enforcing our Terms, agreements, and community standards; and
  • complying with law, responding to lawful requests, and protecting rights and safety.

We aim to collect only what is reasonably necessary for these purposes (data minimization). If we propose a new material use, we will provide appropriate notice and obtain consent where required by law.

4. Legal bases and consent

Where PIPEDA applies, we generally rely on meaningful consent for collection, use, and disclosure, except where the law permits or requires otherwise (for example, certain uses needed to establish or enforce legal claims, or to investigate breaches). You may withdraw consent where withdrawal does not prevent us from meeting legal obligations or retaining information as required for legitimate business purposes permitted by law.

5. Disclosure to service providers and other Users

We may disclose personal information to service providers who process it on our behalf under contractual safeguards (for example, hosting, email delivery, analytics, payment processing, customer support tooling). Those providers are authorized to use personal information only as needed to provide services to us.

The Platform is a marketplace: Businesses and Field Partners may see certain profile information, messages, job details, and proof materials as reasonably necessary to evaluate and perform Tasks. Users should not share sensitive personal information unless it is truly needed for the Task.

We may disclose personal information if required by law, if we believe disclosure is necessary to protect safety, or to investigate fraud, security incidents, or violations of our policies.

6. Cross-border processing

We and our service providers may process or store personal information in Canada and other countries. When personal information is transferred outside Canada, it may be subject to the laws of the destination country. We use contractual and organizational measures where appropriate to help protect personal information, recognizing that legal protections vary by jurisdiction.

7. Retention

We retain personal information as long as reasonably necessary to fulfill the purposes described in this policy, including security, dispute resolution, backups, and legal compliance. Retention periods can depend on the category of information, whether a Task is active, and whether we have an ongoing legitimate need (for example, fraud prevention).

8. Cookies and similar technologies

We use cookies and similar technologies for essential operations (such as authentication and security) and, where enabled, optional purposes described in our Cookie Policy. Where required by law, we obtain appropriate consent for non-essential cookies or similar technologies.

9. Access, correction, deletion, and portability

Subject to legal exceptions, you may request access to personal information we hold about you and request correction of inaccuracies. You may also request deletion where deletion is feasible and not prohibited by law or legitimate business needs (for example, records we must retain for financial reporting or dispute resolution).

To submit a request, contact us using the email shown at the top of this page or the contact channel published on the Platform. We may need to verify your identity before responding.

10. Challenging compliance and complaints

If you have concerns about our privacy practices, contact us first so we can try to resolve the issue. You may also have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) or a provincial privacy regulator, depending on applicable law and the circumstances.

11. Security

We implement reasonable administrative, technical, and physical safeguards designed to protect personal information. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

12. Children

The Platform is not directed to children. If you believe a child has provided personal information, contact us and we will take appropriate steps.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated policy on the Platform and revise the “Last updated” date. Where required by law, we will provide additional notice or obtain consent.