1 Introduction
Mirroroof LTD ("we", "us", or "our") is committed to protecting the privacy and personal information of every individual who visits our website, submits an application, or otherwise engages with our services. This Privacy Policy explains what data we collect, why we collect it, how it is used, how long it is retained, and what rights you have in relation to your personal information.
By accessing our website at Mirroroof or any related subdomain, or by completing any form or registration on our platform, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with any part of this policy, you should discontinue use of our website immediately.
This policy applies to all information collected through our website, digital applications, email correspondence, social media interactions, and any other channels through which we provide services or communicate with you.
We respect your right to privacy and are committed to being transparent about our data practices. If at any time you have questions or concerns about this policy, please contact us at [email protected].
2 Who We Are
Mirroroof LTD is a Canada-based talent recruitment and placement company specialising in connecting qualified remote workers with e-commerce and digital commerce organisations around the world. Our registered address is .
For the purposes of applicable data protection laws - including the General Data Protection Regulation (GDPR) for individuals located in the European Economic Area, the UK GDPR for individuals located in the United Kingdom, and the Personal Information Protection and Electronic Documents Act (PIPEDA) for Canadian residents - Mirroroof acts as a data controller in respect of the personal data we collect directly from you through this website.
Where we process data on behalf of employers or partner organisations, we may act as a data processor. In those circumstances, the relevant employer or partner organisation is the data controller and their privacy policy will also apply.
3 Information We Collect
We collect various types of information in connection with your use of our website and our services. The categories of information we may collect include:
3.1 Information You Provide Directly
- Contact and Identity Information: Your first and last name, email address, telephone number, postal address, date of birth, and any other personal details you choose to provide when completing an application form or making an enquiry.
- Application and Career Information: Your CV or résumé, cover letter, work history, educational background, skills, references, professional certifications, languages spoken, and any other employment-related information.
- Account Credentials: If you register for an account on our platform, we collect your chosen username, password (stored in encrypted form), and security questions and answers.
- Communications: The content of any messages you send us via contact forms, email, live chat, or other communication channels, including attachments and supporting documents.
- Financial Information: Where you enter into a service agreement with us, we may collect bank account details, tax identification numbers, or other financial data necessary for payment processing. We do not store full card numbers; payment transactions are handled by PCI-DSS compliant third-party processors.
3.2 Information Collected Automatically
- Usage Data: Information about how you navigate and interact with our website, including pages visited, time spent on each page, links clicked, search queries entered, and the sequence of your navigation through the site.
- Device and Technical Information: Your IP address, browser type and version, operating system, device type (desktop, tablet, mobile), screen resolution, language settings, and time zone.
- Referral Source: The URL of the website that referred you to our site, if applicable.
- Cookies and Tracking Technologies: We use cookies, web beacons, pixels, and similar technologies to collect information about your browsing behaviour. For full details, please see our Cookie Policy.
3.3 Information From Third Parties
We may receive information about you from third-party sources, including:
- Social media platforms such as LinkedIn, Facebook, or Twitter if you connect your account or interact with our pages.
- Background check and identity verification providers where permitted by law and with your prior consent.
- Partner employers and organisations who provide us with information about candidates referred through their own systems.
- Publicly available sources, including professional networking sites, company websites, and public records.
- Advertising platforms that share conversion and engagement data with us to improve the effectiveness of our marketing.
4 How We Use Your Information
We use the personal information we collect for a range of legitimate purposes related to our recruitment and placement services. The primary purposes for which we use your information are:
- Processing Applications: To receive, review, evaluate, and process your application for remote employment or contractor opportunities, and to match your skills and experience with suitable positions.
- Communication: To respond to your enquiries, send you updates about the status of your application, notify you of new opportunities that may interest you, and to conduct interviews or assessments.
- Service Delivery: To provide you with access to our platform, onboarding resources, training materials, and any other services you have requested.
- Account Management: To create and manage your user account, maintain security, and provide personalised features of our website.
- Marketing and Promotional Communications: With your consent, to send you newsletters, career tips, platform updates, promotional offers, and other marketing communications. You may opt out at any time.
- Analytics and Improvement: To analyse how users interact with our website and services, identify trends, measure the effectiveness of our marketing, and continually improve our offerings.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests, including employment law, anti-discrimination law, and data protection law.
- Fraud Prevention and Security: To detect, investigate, and prevent fraudulent transactions, unauthorised access, and other illegal activities.
- Business Operations: To conduct internal administration, accounting, auditing, and reporting functions necessary to run our business effectively.
We will only use your personal information for purposes other than those described above if those purposes are compatible with the original purpose, or if we have obtained your explicit consent, or if we are required to do so by law.
5 Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction that requires a legal basis for the processing of personal data, the following applies:
| Purpose | Legal Basis |
|---|---|
| Processing your job application | Performance of a contract / Pre-contractual steps at your request |
| Creating and managing your account | Performance of a contract |
| Responding to your enquiries | Legitimate interests / Pre-contractual steps |
| Sending marketing emails | Consent (you may withdraw at any time) |
| Website analytics and improvement | Legitimate interests |
| Fraud prevention and security | Legitimate interests / Legal obligation |
| Compliance with legal obligations | Legal obligation |
| Background checks (where applicable) | Consent / Legal obligation |
Where we rely on legitimate interests, we have carefully considered whether those interests are overridden by your rights and freedoms. You have the right to object to processing based on legitimate interests at any time.
6 Data Retention
We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, including satisfying any legal, regulatory, accounting, or reporting requirements.
Specifically, our data retention guidelines are as follows:
- Active Candidates: While your application is active and for up to two (2) years after your most recent interaction with us, to allow us to consider you for future opportunities.
- Unsuccessful Applicants: Up to twelve (12) months from the date we notify you that your application has not been successful, unless you consent to a longer retention period.
- Placed Candidates: For the duration of your placement and for a minimum of six (6) years thereafter, to comply with employment law, tax obligations, and contractual requirements.
- Website User Data: Aggregated analytics data may be retained indefinitely; individual user session data is retained for no more than twenty-six (26) months.
- Marketing Data: Until you withdraw consent or opt out of marketing communications, and for up to twelve (12) months after your last engagement with our communications.
- Legal Hold: Where we are required to retain data by law, regulation, or active litigation, we will retain it for the duration of the applicable requirement, regardless of the above guidelines.
When personal data is no longer required, we will securely delete or anonymise it in accordance with industry best practices.
7 Sharing Your Information
We do not sell, rent, or trade your personal information to third parties. We may, however, share your information with the following categories of recipients in the circumstances described:
7.1 Partner Employers and Clients
With your explicit consent, we share relevant aspects of your profile and application with potential employers, clients, or organisations for the purpose of evaluating your suitability for a role. We will always inform you before sharing your information with a prospective employer.
7.2 Service Providers and Sub-processors
We engage trusted third-party vendors and service providers to assist us in operating our website and delivering our services. These may include:
- Cloud hosting and infrastructure providers (e.g. Google Cloud, AWS)
- Email delivery and marketing automation platforms
- Customer relationship management (CRM) systems
- Analytics and website optimisation tools
- Payment processing and financial services providers
- Background screening and identity verification companies
- Cybersecurity and fraud prevention services
All such providers are contractually bound to process your data only on our instructions and in accordance with this policy and applicable data protection laws.
7.3 Legal and Regulatory Authorities
We may disclose your personal information where required or permitted to do so by law, or in good faith belief that disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing in connection with our services; or (d) protect the personal safety of users or the public.
7.4 Business Transfers
In the event that Mirroroof undergoes a merger, acquisition, restructuring, or sale of all or part of its assets, your personal data may be transferred to the acquiring entity as part of that transaction. We will notify you via email or a prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.
8 International Data Transfers
Mirroroof is headquartered in Canada. However, our operations, service providers, and partner employers are located around the world. As a result, your personal information may be transferred to, and processed in, countries other than your country of residence - including countries that may not provide the same level of data protection as your home country.
Where we transfer personal data from the EEA, the UK, or Switzerland to countries that have not received an adequacy decision from the relevant data protection authority, we rely on appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission or UK ICO.
- Binding Corporate Rules (BCRs) where applicable.
- Your explicit consent, where obtained at the time of data collection.
- The transfer being necessary for the performance of a contract between you and us, or for pre-contractual steps.
Canada is recognised as providing an adequate level of data protection by the European Commission for commercial organisations subject to PIPEDA. If you would like further information about the specific mechanisms used when transferring your data internationally, please contact us.
9 Your Rights
Depending on your location and the applicable laws, you may have the following rights in respect of your personal data:
- Right of Access: You have the right to request a copy of the personal data we hold about you and information about how it is processed.
- Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
- Right to Erasure ("Right to be Forgotten"): In certain circumstances, you have the right to request that we delete your personal data. This right is not absolute and may be limited where we have a legal obligation to retain the data.
- Right to Restrict Processing: You have the right to request that we limit the way we use your personal data in certain circumstances, for example while a complaint is being investigated.
- Right to Data Portability: Where processing is based on your consent or is necessary for the performance of a contract, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to Object: You have the right to object to the processing of your personal data where that processing is based on our legitimate interests or for direct marketing purposes.
- Rights in Relation to Automated Decision-Making: Where decisions are made about you solely on the basis of automated processing (including profiling) that produce legal effects or significantly affect you, you have the right not to be subject to such decisions without human intervention.
- Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
To exercise any of the above rights, please contact us at [email protected]. We will respond to your request within thirty (30) days. In some cases, we may need to verify your identity before processing your request.
If you are located in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority. In Canada, you may contact the Office of the Privacy Commissioner of Canada.
10 Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience on our website, understand how visitors use our site, and deliver relevant content and advertising. Cookies are small text files stored on your device when you visit a website.
The types of cookies we use include strictly necessary cookies (required for the site to function), performance and analytics cookies (to understand usage patterns), functional cookies (to remember your preferences), and marketing cookies (to deliver tailored advertising).
For detailed information about the specific cookies we use, their purposes, and how you can manage your cookie preferences, please read our Cookie Policy.
11 Security of Your Information
We take the security of your personal information very seriously and have implemented a range of technical and organisational measures designed to protect your data against unauthorised access, accidental loss, destruction, or disclosure.
Our security measures include:
- Transport Layer Security (TLS/SSL) encryption for all data transmitted between your browser and our servers.
- Encryption of sensitive data at rest using industry-standard algorithms.
- Access controls ensuring that only authorised personnel can access personal data, on a need-to-know basis.
- Regular security assessments, vulnerability scanning, and penetration testing of our systems.
- Employee training on data protection best practices and security awareness.
- Incident response procedures to detect, contain, and remediate any data breaches promptly.
- Two-factor authentication for administrative access to our core systems.
Despite these measures, no method of transmission over the internet or electronic storage is completely secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. If you suspect that your account has been compromised, please contact us immediately.
In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and will take all reasonable steps to mitigate the impact of the breach.
12 Third-Party Websites and Links
Our website may contain links to third-party websites, social media platforms, and other external resources. These links are provided for your convenience and information only. Mirroroof does not control the content of those websites and is not responsible for the privacy practices of those third parties.
When you click on a link to an external site, you leave our website and any information you provide to that third party is subject to their own privacy policy, not ours. We encourage you to review the privacy policy of any website you visit. The inclusion of a link to a third-party website does not imply our endorsement of that site or its practices.
We are not responsible for the privacy policies or practices of social media platforms such as Facebook, LinkedIn, Twitter, Instagram, or YouTube, even where we maintain official pages or profiles on those platforms.
13 Children's Privacy
Our website and services are not directed at children under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children under this age. If you are under 16, please do not use our website or submit any information to us.
If we become aware that we have inadvertently collected personal information from a child under the applicable minimum age, we will take immediate steps to delete that information from our systems. If you are a parent or guardian and believe that your child has provided personal information to us, please contact us at [email protected] and we will promptly investigate and take appropriate action.
14 Changes to This Privacy Policy
We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our data practices, legal requirements, or business operations. When we make material changes, we will update the "Last updated" date at the top of this policy and, where appropriate, notify you by email or by displaying a prominent notice on our website prior to the change becoming effective.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our website and services after any changes to this policy are posted will constitute your acknowledgment of the modified policy and your agreement to abide by it.
If changes to this policy result in a material reduction of your rights, we will seek your consent before applying those changes to your existing personal data where legally required to do so.
15 How to Contact Us
If you have questions, concerns, or requests relating to this Privacy Policy or our handling of your personal data, please reach out to us using any of the following methods:
- Email: [email protected]
- Post: Mirroroof LTD, Ontario, K1P 1A4, Canada
- Website: Use the form below to submit your enquiry online
We aim to acknowledge all privacy-related requests within five (5) business days and to resolve them fully within thirty (30) calendar days. In complex cases, we may require up to ninety (90) days, in which case we will inform you of the extension and the reasons for it.
For urgent security concerns, including suspected data breaches or unauthorised access to your account, please email us immediately at [email protected] and include "URGENT - Security" in the subject line.