Privacy Policy

RemoteWorkers.online operates the website at remoteworkers.online. For privacy questions contact support@remoteworkers.online.

Account information (when you register):

• Name, email address, password (stored as a bcrypt hash — we cannot read it)
• Email verification one-time codes (deleted after use or 10-minute expiry)
• Login activity, including failed attempts and lockout state for security

Application information (when you apply to a role):

• Legal first / middle / last name, date of birth
• Residential address (street, city, state/province, postal code)
• Phone number
• Citizenship country and work-eligibility status (citizen / PR / work visa)
• Tax identifier: Social Security Number (US), Social Insurance Number (Canada), or Tax File Number (Australia)
• Government-issued ID (driver's licence, state/provincial ID, passport, or Medicare card): type and number
• Photos of the front and back of your ID
• A selfie photo of you holding your ID
• Resume / CV file or URL
• Portfolio / LinkedIn URL
• Work history (up to five prior jobs, including responsibilities)
• Schedule preferences (timezone, hours per week, available days, earliest start date)
• Cover letter / why you're a fit, expected hourly rate

Engagement information (if hired):

• Application status changes (e.g. approved, hired, active, paused)
• Hours worked, hourly rate, wages paid
• Internal admin notes about your engagement (not visible to you)

Information collected automatically:

• IP address, user-agent string, and basic request metadata (server logs)
• Strictly necessary cookies — see our Cookie Policy

• Identity verification — to confirm you are who you say you are and prevent fraud, multiple-account abuse, and impersonation. We review every application manually.
• Work eligibility — to confirm you can legally work in the US, Canada, or Australia. We do not currently accept applicants from outside these three countries.
• Tax reporting — if you are hired, your tax identifier may be used to issue forms required by your country (1099, T4A, or Australian PAYG documentation).
• Communication — to send transactional email (verification codes, application status updates, password resets) and respond to your support requests.
• Security — to detect brute-force login attempts, rate-limit abuse, and investigate fraud reports.

We do not use your data for advertising, marketing analytics, ad personalization, or training machine-learning models. We do not sell your data.

Where applicable, we process your data under one or more of the following bases:

• Contract — most processing is necessary to evaluate your application and, if you're hired, perform the engagement.
• Consent — for collecting your tax identifier, ID photos, and selfie at application stage, we ask you to actively check a consent box before submitting.
• Legitimate interests — fraud prevention, security, abuse detection.
• Legal obligation — tax reporting, responses to lawful government requests.

All data lives in services we operate or contract with. Each of these providers maintains its own privacy and security commitments, which apply to your data while it is with them:

• Database — Neon (PostgreSQL hosted in US-East). Stores all account and application records.
• File storage — Vercel Blob (private mode). Stores your ID photos, selfie, and resume file. Files are only accessible through an admin-authenticated proxy on our server — not by anyone with a guessable URL.
• Email delivery — Resend, Inc. Delivers verification codes, password resets, application status updates, and other transactional email.
• Hosting — Vercel, Inc. Runs our application code.
• Domain / DNS — Hostinger. Handles DNS records only; does not see application data.

Internally, application data is visible only to authorised members of our review team logged in as administrators. Your tax identifier is masked by default (last four digits only) and requires an explicit reveal action to see in full — this is logged on the server.

• All connections use HTTPS / TLS in transit.
• Passwords are stored as bcrypt hashes — we cannot read them, and we cannot reset them to a value you choose. Resetting requires email verification.
• Email verification codes are stored as bcrypt hashes; the plaintext value is never persisted.
• ID photos and selfies are stored as private Vercel Blob objects — they cannot be retrieved by URL alone; access requires an admin-authenticated server-side request.
• Failed login attempts trigger account lockout (5 failed attempts → 15-minute lockout).
• OTP rate limits prevent automated email-verification abuse (3 sends per 15-min window per email, 10-min code expiry, 5 verify attempts per code).

Limitations we're honest about: at present we do not encrypt the tax identifier field at the database level — it is stored as plaintext in our PostgreSQL instance. We mask it in our admin interface and never include it in emails or logs, but in the event of a database breach this field would be readable. We are working to add column-level encryption.

• Active accounts — for as long as you have an account.
• Closed applications (rejected, withdrawn, expired) — KYC documents (ID photos, selfie, tax identifier) are deleted within 90 days of closure. Application metadata (status, timestamps, app number) is retained for 7 years for tax and audit purposes.
• Hired workers — engagement records retained for 7 years after the engagement ends, as required by tax law.
• Server logs — 90 days.

Wherever you are based, you can:

• Access — request a copy of the data we hold about you.
• Correct — ask us to fix inaccurate or out-of-date data.
• Delete — request deletion of your account and all associated KYC documents.
• Withdraw consent — for processing based on consent (you can withdraw, but this means we can't continue to consider your application).
• Object / restrict — object to certain processing or ask us to restrict it while we investigate.
• Portability — receive your data in a machine-readable format.

To exercise any of these rights email support@remoteworkers.online with the subject "Privacy request". We respond within 30 days.

California residents have additional rights under the CCPA / CPRA, including the right to know what categories of personal information we collect and the right to opt out of any "sale" or "sharing" (we do neither).

The platform is not intended for anyone under 18. We do not knowingly collect data from minors. If you believe a minor has submitted an application, email us and we will delete it immediately.

We will post any material change here and email registered users at least 14 days before it takes effect.