MASTERS' GUILD - PRIVACY POLICY

Masters' Guild ("we," "us," "our," or the "Platform") is an online marketplace that connects individuals and businesses seeking skilled services ("Consumers") with qualified service providers ("Providers"). We are committed to protecting your personal information and being transparent about how we collect, use, and share it.

This Privacy Policy applies to all users of the Masters' Guild platform, including:

• The Masters' Guild mobile application (iOS and Android)
• The Masters' Guild web application
• Masters' Guild regional websites (mastersguild.io and associated regional sites including Toronto, Vancouver, Montreal, Calgary, Ottawa, Edmonton, New York, Los Angeles, and Chicago)
• All services provided through the Platform

This Privacy Policy supplements our Terms of Service, Independent Contractor Agreement, and Code of Conduct. In the event of any conflict, this Privacy Policy controls with respect to privacy and data protection matters.

By creating an account on the Platform, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy. During Provider onboarding, you are asked to separately acknowledge this Privacy Policy, and your acceptance is recorded with a timestamp, your IP address, and device information.

You may withdraw your consent at any time by contacting us at support@mastersguild.io, subject to legal or contractual restrictions. Withdrawal of consent may limit your ability to use certain Platform features.

When you create an account, we collect:

You may choose to provide additional profile information:

When you add a payment method or set up Provider payouts, we collect:

Important: We never store your full card number. All payment card data is handled through tokenization by our payment processor, Stripe. Only non-sensitive card metadata is stored on our systems.

When you access the Platform through our mobile application, we automatically collect:

Device information is stored in an append-only format, meaning records are never modified or deleted. This preserves a complete history for fraud investigation and regulatory compliance purposes.

When you use the Platform, we store content you create:

We collect data related to Platform communications:

During Provider onboarding, we collect:

Onboarding documents are stored securely on Amazon Web Services (AWS) S3 with restricted access.

We automatically collect data about how you use the Platform:

Most of the information we collect is provided directly by you when you:

• Create an account and set up your profile
• Add a payment method or connect a payout account
• Post Quests, submit offers, write reviews, or send messages
• Upload onboarding documents for Provider verification
• Accept legal agreements during onboarding
• Contact our support team
• Adjust your notification preferences

We automatically collect certain information when you use the Platform:

• Device information is collected when you log in or launch the mobile application, including device brand, model, operating system, locale, timezone, IP address, and whether the device is a physical device or emulator.
• Usage data is collected through our analytics SDK as you navigate the Platform, including screen views, user actions, and session information.
• Session cookies are used to maintain your authenticated session (see Section 10).

We may receive information about you from third-party services:

• Stripe provides payment status updates, payout confirmations, and Connect account verification results.
• Firebase / Expo provides delivery status for push notifications.
• Brevo provides email delivery and engagement data.

We use your information to:

• Create and manage your account
• Facilitate Quest posting, offer submission, and service delivery
• Match Consumers with relevant Providers based on skills, location, and availability
• Process payments between Consumers and Providers
• Enable real-time chat communication between users
• Deliver notifications about Quest updates, messages, and account activity
• Display your public profile to other Platform users

We use your information to:

• Detect and prevent fraud through device fingerprinting and behavioral analysis
• Moderate user-generated content for policy violations
• Verify Provider identity and work eligibility during onboarding
• Monitor accounts for suspicious activity patterns
• Enforce our Terms of Service and Code of Conduct
• Investigate and resolve disputes between users

We use your information to:

• Send transactional notifications about your Quests, payments, and account activity
• Send marketing communications (with your consent and subject to applicable anti-spam laws)
• Deliver push notifications through Firebase Cloud Messaging or Expo
• Send email notifications through our email delivery service

We use your information to:

• Analyze usage patterns and identify areas for improvement
• Monitor platform health and performance
• Generate aggregated, anonymized analytics for business intelligence
• Improve our AI-powered features based on performance metrics

We use your information to:

• Comply with tax reporting and financial regulations (7-year retention of transaction records)
• Respond to lawful requests from law enforcement and regulatory authorities
• Establish, exercise, or defend legal claims
• Maintain records required by privacy, consumer protection, and anti-spam laws

The Platform uses artificial intelligence to assist with several operational functions. All AI processing is performed using OpenAI's language model technology (currently gpt-4o-mini).

When AI processing is triggered (either by your action or on a scheduled basis), the relevant data is sent to OpenAI's API for analysis. The AI returns a structured response including a determination (e.g., "approve," "flag," or "reject"), a confidence score, and reasons for its decision.

• OpenAI receives the data described in the table above. Content submitted for AI review is processed in accordance with OpenAI's API data usage policy, which states that data sent through the API is not used to train OpenAI models.
• We do not send your name, email address, or other directly identifying information to OpenAI. Content is submitted with anonymized context (such as account tier and account age, not your identity).

All AI-powered decisions that materially affect your account are logged in an append-only audit system. This audit trail records:

• The input data that was analyzed
• The AI determination and confidence level
• Any actions taken as a result
• Timestamp and processing details
• Token usage and processing cost

Automated decisions that restrict your account (such as content removal or account suspension) can be reviewed and overridden by a human administrator upon your request.

You have the right to:

• Know that AI processing is being used (this section serves as that disclosure)
• Request human review of any automated decision that affects your account
• Contest an AI-generated determination by contacting support@mastersguild.io
• Access the audit trail for AI decisions that affected your content or account (upon request)

Masters' Guild does not sell, rent, or trade your personal information to third parties for their marketing purposes. We have never sold personal information and have no plans to do so.

We share data with the following third-party service providers who assist us in operating the Platform:

Each service provider is contractually required to use your data only for the purposes described above and in accordance with their own privacy policies.

We may disclose your personal information if required to do so by law, or if we believe in good faith that such disclosure is necessary to:

• Comply with a legal obligation, court order, or lawful government request
• Protect and defend the rights, property, or safety of Masters' Guild, our users, or the public
• Detect, prevent, or address fraud, security issues, or technical problems

If Masters' Guild is involved in a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Platform before your information is transferred and becomes subject to a different privacy policy.

Your data is stored on infrastructure provided by Amazon Web Services (AWS), with primary servers located in the United States. Files (documents, images, media) are stored on AWS S3. Our database is PostgreSQL with PostGIS extensions for geographic functionality.

We implement appropriate technical and organizational security measures to protect your personal information, including:

• Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS/HTTPS. Our infrastructure is protected behind Cloudflare's security layer.
• Encryption at rest: Database and file storage use AWS encryption at rest.
• Password security: Passwords are stored using Django's PBKDF2 hashing algorithm and are never stored in plain text.
• Access controls: Administrative access to production systems is restricted and authenticated.
• Connection pooling: Database connections are managed through PgBouncer to prevent unauthorized direct access.
• Append-only audit logs: Device fingerprints and AI execution records cannot be modified or deleted, ensuring tamper-proof audit trails.

All payment card processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never receive, process, or store your full card number. Only tokenized, non-sensitive card metadata (brand, last 4 digits, expiry) is stored on our systems.

While your account is active, we retain all data necessary to provide our services. After account inactivity, we retain your data for a reasonable period to allow for account reactivation.

Payment transaction records are retained for a minimum of 7 years as required by tax and financial regulations in the United States and Canada. This includes transaction amounts, platform fees, applicable taxes, and payment processor references.

Device fingerprints are stored in an append-only format and retained indefinitely. This data is essential for ongoing fraud detection, pattern analysis, and regulatory compliance. Individual device records cannot be selectively deleted without compromising the integrity of the fraud detection system.

Certain records are soft-deleted rather than permanently erased when you remove them:

• Quests that have received offers are marked as deleted but retained in our systems for dispute resolution and financial record-keeping.
• Payment methods are marked with a deletion timestamp but retained for transaction history integrity.

Soft-deleted data is hidden from the user interface and is not accessible through the Platform.

You may request deletion of your account and associated personal data by contacting support@mastersguild.io. Upon receiving your request, we will:

1. Verify your identity
2. Delete or anonymize your personal data, subject to the retention exceptions described above (financial records, fraud prevention data, and soft-deleted records with legal retention requirements)
3. Confirm completion of the deletion process

Regardless of your location, you have the right to:

• Access your personal information that we hold
• Correct inaccurate personal information (you can edit most profile data directly through the Platform)
• Delete your account and associated personal data (subject to retention exceptions in Section 8)
• Withdraw consent for optional data processing
• Receive a copy of your personal data in a portable format (upon request)
• Object to processing of your personal information for specific purposes
• Request human review of automated decisions that affect your account (see Section 5.5)

If you are a resident of Canada, you have additional rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

Categories of Personal Information Collected (per CCPA requirements): identifiers (email, user ID, IP address), commercial information (transaction records), internet activity (usage data, analytics), geolocation data (location coordinates, IP-derived location), professional information (skills, work experience), sensitive personal information (government ID for onboarding verification).

To exercise any of your privacy rights, contact us at:

• Email: support@mastersguild.io
• Subject line: "Privacy Rights Request"

We will verify your identity before processing your request. We aim to respond to all privacy rights requests within 30 days. If we need additional time, we will notify you of the delay and the reason.

We use the following essential cookies that are necessary for the Platform to function:

These cookies are strictly necessary and cannot be disabled without breaking Platform functionality.

On our regional WordPress websites (mastersguild.io and associated city sites), we use Google Analytics to understand website traffic and usage patterns. Google Analytics uses cookies to collect anonymized session data including pages visited, time spent, and referral source. Google Analytics data is not linked to your Masters' Guild account.

The Masters' Guild mobile application and web application do not use Google Analytics. Usage data within the application is collected through our own analytics system (see Section 2.8).

You can control cookies through your browser or device settings:

• Browser settings: Most browsers allow you to block or delete cookies. Blocking essential cookies will prevent you from using the Platform.
• Google Analytics opt-out: You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
• Mobile device settings: You can reset your advertising identifier or limit ad tracking through your device's privacy settings.

We send transactional communications that are necessary for the operation of your account, including:

• Quest status updates (offers received, quest completed, etc.)
• Payment confirmations and payout notifications
• Account security alerts (new device login, password changes)
• Onboarding status updates
• Chat message notifications

Transactional communications are not marketing messages and are not subject to unsubscribe requirements. You may reduce the frequency of some transactional notifications through your notification preferences.

We may send marketing communications about Platform features, promotions, or updates. In compliance with Canada's Anti-Spam Legislation (CASL):

• We obtain your express consent before sending commercial electronic messages
• All marketing emails clearly identify Masters' Guild as the sender
• All marketing emails include our contact information (support@mastersguild.io)
• Marketing emails are sent through Brevo, our email delivery service

If you enable push notifications on your mobile device, we use Firebase Cloud Messaging (FCM) or Expo Push Notifications to deliver alerts about Quest activity, messages, and account updates. Push notifications may be transactional or promotional in nature.

You can manage your communication preferences at any time:

• Email unsubscribe: Click the unsubscribe link in any marketing email. We will process your unsubscribe request within 7 business days, consistent with our Terms of Service (Section 8.3(c)).
• Push notifications: Disable push notifications through your device settings or within the Platform's notification preferences.
• In-app preferences: Adjust your notification preferences within the Platform to control which types of notifications you receive.

Note: You cannot opt out of transactional communications related to your account activity while your account is active.

Masters' Guild serves users in both the United States and Canada. Your personal information may be transferred to and processed in a country other than the one in which you reside:

• Infrastructure: Our primary servers and database are hosted on AWS infrastructure in the United States.
• File storage: Documents and media are stored on AWS S3 in the United States.
• Payment processing: Stripe processes payments in both USD and CAD through separate Stripe accounts, with data processed in the United States.
• AI processing: Content sent to OpenAI for AI processing is processed in the United States.

We implement the following safeguards for cross-border data transfers:

• All data in transit is encrypted using TLS/HTTPS
• Our service providers are contractually bound to protect your data in accordance with applicable privacy laws
• We comply with PIPEDA requirements for cross-border transfers of Canadian personal information
• We evaluate the privacy practices of our service providers before engaging them

Canadian users should be aware that personal information processed in the United States may be subject to US law, including potential access by US government authorities under applicable legal processes.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes:

• We will update the "Last Updated" date at the top of this policy
• We will notify you by email or through a prominent notice on the Platform
• For significant changes affecting your rights, we will provide advance notice before the changes take effect

This notification process is consistent with Section 16 of our Terms of Service.

Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should discontinue use of the Platform and may request account deletion.

For questions, concerns, or requests related to this Privacy Policy or your personal information, contact us at:

Masters' Guild Privacy Contact Email: support@mastersguild.io Subject: Privacy Inquiry

We aim to respond to all privacy inquiries within 30 days.

If you are not satisfied with our response to your privacy concern, you have the right to escalate your complaint:

• Canadian residents: You may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca
• Ontario residents: You may also contact the Information and Privacy Commissioner of Ontario (IPC)
• California residents: You may file a complaint with the California Attorney General's office at oag.ca.gov
• All users: You may contact the relevant data protection authority in your jurisdiction