Privacy Policy

We collect information in three ways:

Information you provide directly:

• Account data: name, email address, password (hashed, never stored in plain text), role (candidate or recruiter)
• Candidate profile: headline, résumé (PDF), skills, seniority level, work experience, location preferences, LinkedIn/portfolio URLs, bio
• Application content: cover notes, application status, recruiter notes, messages exchanged with recruiters
• Recruiter profile: company name, job title, bio, website, verification status, subscription plan
• Listing content: role descriptions, salary ranges, location, tags
• Payment metadata: Stripe customer ID, subscription ID, credit purchase history (we do not store full card numbers)

Information generated automatically:

• Login timestamps, session tokens, IP addresses (for security and fraud prevention), browser/device type (via standard HTTP headers)
• Platform usage logs: listing views, application submissions, message activity

Information from third parties:

• Payment and subscription status from Stripe
• Email delivery confirmations from our transactional email provider

We use personal information only for the purposes described below:

• Operate the platform: accounts, applications, messaging, listings, credits
• Enforce SLA windows and issue automatic credit refunds on SLA breaches
• Send transactional emails (application received, new message, SLA reminder, credit refund, account security)
• Process payments and manage subscriptions via Stripe
• Detect and prevent fraud, abuse, and policy violations
• Improve platform reliability, performance, and user experience using aggregated/anonymised operational data
• Comply with legal obligations (financial records, tax, legal process)

We do not sell your personal information. We do not use your information for advertising, profiling for third-party marketing, or any purpose beyond operating the Koali platform.

No automated decision-making. Koali uses zero automated tools to screen, rank, or reject applications. All application decisions are made by human recruiters.

We share personal information only as described below. We do not sell data to brokers, advertisers, or any third parties.

With recruiters (candidates only):

When you apply to a role, your candidate profile (name, résumé, skills, cover note, headline) is shared with the recruiter managing that role. Recruiters are contractually required to use your data only to evaluate you for the specific role you applied to and to comply with applicable privacy and employment law.

With candidates (recruiters only):

Recruiter name, company, and response rate are shown to candidates as part of listing information to enable informed decision-making.

With service providers:

We share data with the following providers solely to operate the platform:

Cross-border transfers: Our infrastructure providers are based in the United States. By using Koali, you consent to your personal information being transferred to, stored in, and processed in the United States, subject to US law. Each provider operates under appropriate data processing agreements and security standards.

Legal disclosure:

We may disclose personal information if required by law, court order, or lawful government request, or where necessary to protect the safety of users or prevent fraud or illegal activity.

We retain personal information for as long as necessary to fulfil the purposes set out in this Policy, subject to the following minimums:

• Account data (candidates and recruiters): retained for 3 years after account closure, then deleted or anonymised
• Application records and messages: retained for 3 years after the application is closed, then deleted or anonymised
• Financial records (credits, subscriptions, refunds): retained for 7 years to meet tax and accounting obligations
• Security and access logs: retained for 90 days, then deleted

If you delete your account, your profile is removed from the platform within 30 days. Financial records and aggregated anonymised data may be retained longer as required by law or for fraud prevention purposes.

Under PIPEDA and applicable provincial law, you have the right to:

• Access: Request a copy of the personal information we hold about you
• Correction: Ask us to correct inaccurate or incomplete information
• Withdrawal of consent: Withdraw consent to certain uses of your data (note: this may prevent you from using parts of the platform that depend on that use)
• Deletion: Request deletion of your account and personal data, subject to our legal retention obligations
• Complaint: File a complaint with the Office of the Privacy Commissioner of Canada

To exercise any of these rights, email privacy@koali.ca. We will respond within 30 days. We may require identity verification before processing your request.

Koali uses industry-standard security measures including:

• TLS encryption for all data in transit; encryption at rest via our infrastructure providers
• Row-level security (RLS) on all database tables: each user can access only their own data and the data explicitly shared with them
• Passwords are hashed using bcrypt and never stored in plain text
• Payment card details are never stored on Koali servers — all card processing is handled by Stripe, which is PCI-DSS Level 1 certified
• Admin access is restricted and audited

No system is perfectly secure. If you believe your account has been compromised, contact security@koali.ca immediately.

Koali uses only essential cookies required to operate authentication sessions. We do not use advertising cookies, cross-site tracking pixels, or behavioural analytics tools that share data with third parties.

The Koali platform is intended for users 18 years of age or older. We do not knowingly collect personal information from minors. If you believe a minor has submitted information, contact privacy@koali.ca and we will delete it promptly.

We may update this Policy from time to time. Material changes will be communicated via email or in-platform notice at least 14 days before taking effect. Continued use of the platform after that date constitutes acceptance of the updated Policy.

Privacy questions and requests: privacy@koali.ca

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada.