Privacy Policy

Effective: 27 April 2026

This Privacy Policy explains how RisePoint Careers Corp., operating under the StepUpCareers brand ("RisePoint," "we," "us," or "our"), collects, uses, discloses, and protects personal information when you visit https://stepupcareers.com, create an account, or use our products - Spark Careers and Spark Enterprise — (collectively, the "Service"). This Policy applies to all RisePoint entities, brands, and products referenced herein. It applies to organizations that subscribe to the Service (our "Customers"), their personnel, visitors to our public site, and individuals whose resumes or profiles are submitted to our Customers for employment consideration ("Candidates").

1.1 Scope and Your Choices

Depending on the data involved, RisePoint acts in one of two capacities:

Data Controller - for information we collect directly about Customers, their personnel, prospects, and visitors to our websites.

Data Processor (Service Provider) - for personal information Customers upload to or generate through the Service about Candidates and applicants. The Customer remains the Data Controller for that information, and processing is governed by our Data Processing Agreement (Section 3).

If you are a Candidate with questions about how an employer handles your information, please contact that employer directly.

1.2 Information We Collect

1.2.1 Information you provide directly

Account information: organization name, industry, address, your name, work email, role, and password (stored as a bcrypt hash - we never see the plaintext).

Billing information: plan selection, billing contact, and tax identifiers. Payment card details are collected and stored by our payment processor (Stripe) - we do not store full card numbers on our systems.

Content you upload: job descriptions, resumes/CVs, candidate notes, interview notes, and hiring workflow data.

Support communications: messages you send to our support team and the metadata of those messages.

1.2.2 Information collected automatically

Usage data: pages visited, actions taken, feature usage, and timing.

Device and log data: IP address, browser type and version, operating system, referring URLs, access times, and pages viewed. Stored in application logs and audit logs.

Cookies and similar technologies: see our Cookie Policy (Section 7).

1.2.3 Information from third parties

We may receive information from the following third-party sources: identity providers (if you or your organization use single sign-on); job boards, applicant tracking systems, or other platforms that Customers connect to the Service; advertising and analytics partners (such as conversion or attribution data); and publicly available sources. How we use information from these sources is described in Section 1.3.

1.3 How We Use Information

We use personal information to:

Provide, maintain, secure, and improve the Service, including through product analytics and usage measurement;

Authenticate users, enforce access controls, and detect abuse or fraud;

Process billing, manage subscriptions, and send service-related notices;

Respond to support requests and communicate about product changes;

Facilitate integrations with third-party platforms that Customers connect to the Service;

Measure advertising effectiveness and attribute conversions (we do not use this data to build profiles of Candidates);

Generate AI-assisted screening and assessment outputs to help Customers evaluate Candidates, subject to the safeguards described in Section 8;

Produce aggregated, de-identified analytics that do not identify any individual;

Comply with legal obligations and enforce our Terms of Service (Section 2) and Acceptable Use Policy (Section 6).

We do not sell personal information. We do not use Candidate resume content to train third-party foundation models (see Section 8).

1.4 Legal Bases and Consent Framework

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

Contract: to provide the Service to our Customers and their personnel.

Legitimate interests: to secure our systems, prevent fraud, and operate and improve the Service, balanced against the rights of data subjects.

Consent: where required for cookies, marketing communications, or certain optional processing. You can withdraw consent at any time.

Legal obligation: to comply with applicable law.

Canada. Where the Personal Information Protection and Electronic Documents Act (PIPEDA) or substantially similar provincial legislation applies, we collect, use, and disclose personal information with your knowledge and consent, except where the law permits processing without consent (for example, business-contact information used for business purposes, or information necessary to investigate a breach of an agreement). For sensitive information - including resume content, assessment outputs, and any information about health or ethnic origin - we obtain express consent. You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting us at the address in Section 1.13. Where we process personal information of individuals in Quebec, we are committed to complying with Quebec's Act respecting the protection of personal information in the private sector (Law 25). Law 25 imposes additional requirements on organizations that use automated decision-making technology, including the obligation to conduct privacy impact assessments, provide notice to affected individuals, and allow individuals to request that automated decisions be reviewed by a person. RisePoint is actively developing its compliance program to meet these obligations and will update this Policy as those measures are implemented.

1.5 How We Share Information

We share personal information only as necessary, with your consent or under a recognized legal exception (see Section 1.4), and only with the following categories of recipients:

Our Customers and their authorized users, when we act as a Processor on their behalf.

Subprocessors who help us deliver the Service. A current list is maintained in Section 4 of this pack.

Third-party platforms that Customers connect to the Service (such as job boards, applicant tracking systems, or HRIS providers), at the Customer's direction and under the Customer's own agreements with those platforms.

Professional advisors (auditors, lawyers, accountants) under confidentiality obligations.

Authorities where required by law or legal process (such as a court order, subpoena, or warrant), or where necessary to investigate a suspected breach of an agreement or contravention of law, in each case to the extent permitted under applicable privacy legislation.

Advertising and analytics partners, to measure campaign effectiveness and attribute conversions. We share only Customer-side account and usage data for this purpose - we do not disclose Candidate personal information to advertising partners.

Successors in a merger, acquisition, or asset sale - with notice to affected parties where required by law.

1.6 International Data Transfers

The Service is hosted in the United States. When personal information is transferred to a jurisdiction other than the one in which it was collected, we use appropriate safeguards — including Standard Contractual Clauses, contractual commitments, and organizational measures — to ensure it receives a comparable level of protection under applicable law.

1.7 Data Retention

Our detailed retention schedule is in Section 12 (Data Retention Policy). In summary: Customer account data is retained for the life of the subscription plus the applicable grace period; Candidate data is retained for as long as the Customer directs or until the Customer's account is terminated, after which it is handled per Section 12; backup and audit records have defined retention windows. In all cases, we retain personal information only as long as necessary to fulfil the purposes described in this Policy, in accordance with applicable data protection law.

1.8 Your Rights

Depending on your jurisdiction, you may have the right to:

Access the personal information we hold about you;

Correct inaccurate or incomplete information;

Delete personal information, subject to lawful exceptions;

Restrict or object to certain processing;

Port your data in a machine-readable format;

Withdraw consent where processing is based on consent;

Lodge a complaint with a supervisory authority. For EEA residents, this is your local Data Protection Authority; for UK residents, the Information Commissioner's Office (ICO); for Canadian residents, the Office of the Privacy Commissioner of Canada (or the applicable provincial commissioner).

To exercise your rights, email support@stepupcareers.com. If you are a Candidate, please contact the employer first; we will support them in responding. For information about how AI-assisted features are used in the Service and your related rights, see Section 8.

1.9 US State Privacy Rights (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, and similar)

California, Virginia, Colorado, Connecticut, Utah, and similar-law residents may have additional rights including access, deletion, correction, portability, and the right to opt out of "sale," "sharing," or targeted advertising. We do not sell personal information and do not engage in cross-context behavioral advertising. To submit a request, email support@stepupcareers.com. We will verify requests using the email associated with your account or other reasonable means.

1.10 Security

We maintain administrative, technical, and physical safeguards designed to protect personal information. See our Security & Trust Statement (Section 5) for details on encryption, access controls, antivirus scanning, audit logging, and incident response.

1.11 Children

The Service is intended for business use by individuals 18 years of age or older. We do not knowingly collect personal information from children under 18. If you believe a child has provided us personal information, contact support@stepupcareers.com and we will delete it.

1.12 Changes to This Policy

We will update this Privacy Policy as our practices evolve. Material changes will be announced by email to account administrators and by a prominent notice on the Service at least 30 days before they take effect, unless a shorter period is required by law.

1.13 Contact

RisePoint Careers Corp.

Suite #193, 700 8th Avenue SW, Calgary, AB T2P 1H2

Privacy and data protection inquiries: support@stepupcareers.com