Privacy Policy
Occasio Technologies Inc. ("Occasio", "we", "us", or "our") is committed to protecting the privacy and personal information of the students who use our platform. This Privacy Policy describes how we collect, use, disclose, and safeguard your information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the Canadian Anti-Spam Legislation (CASL), and all other applicable federal and provincial privacy laws.
Table of Contents
- 1 Who We Are
- 2 Information We Collect
- 3 How We Use Your Information
- 4 Legal Basis for Processing
- 5 Disclosure of Your Information
- 6 Data Retention
- 7 Security Safeguards
- 8 Your Rights Under PIPEDA
- 9 Cookies and Tracking
- 10 Cross-Border Data Transfers
- 11 Children's Privacy
- 12 Changes to This Policy
- 13 How to Contact Us
1. Who We Are
Occasio Technologies Inc. is a federally incorporated Canadian company headquartered in Toronto, Ontario, Canada. We operate occasio.ca and related services that help Canadian post-secondary students discover, track, and apply for scholarships and funding opportunities.
Occasio is the data controller for personal information collected through our platform. Our designated Privacy Officer can be reached at privacy@occasio.ca.
2. Information We Collect
We collect personal information only with your knowledge and consent, and only to the extent necessary to provide our services.
2.1 Information You Provide Directly
- Account information: First name, last name, and email address when you create an account.
- Academic profile: Institution name, program of study, year of study, and GPA range — used solely for matching you with eligible opportunities.
- Citizenship and immigration status: Self-reported status in Canada (e.g., citizen, permanent resident, international student), used to determine eligibility for certain awards. This is sensitive information and is treated with heightened protection.
- Interests and opportunity preferences: Subject areas and types of funding you are seeking.
- Demographic identifiers (optional): Voluntary self-identification for targeted award eligibility (e.g., Indigenous, first-generation student, disability status). This information is never shared with third parties in identifiable form.
- Financial need (optional): A self-reported indicator of whether need-based awards are relevant to you.
- Password: Stored as a bcrypt hash. We never store or transmit plain-text passwords.
2.2 Information Collected Automatically
- Log data: IP address, browser type, operating system, pages visited, and timestamps — for security monitoring and debugging only.
- Session data: Authenticated session tokens stored as secure, HTTP-only cookies.
2.3 Information We Do Not Collect
We do not collect payment card numbers, social insurance numbers, government-issued identification numbers, or any financial account details.
3. How We Use Your Information
We use your personal information only for the purposes identified at or before the time of collection:
- To create and maintain your student profile and account.
- To match you with scholarships, grants, and funding opportunities for which you are eligible.
- To send you your match results and relevant platform notifications via email.
- To improve the accuracy of our matching algorithm using aggregated, de-identified data.
- To comply with legal obligations and resolve disputes.
- To detect and prevent fraud, abuse, or unauthorized access.
We do not sell, rent, or trade your personal information to advertisers, data brokers, scholarship providers, or any other third parties.
4. Legal Basis for Processing
Under PIPEDA, we rely on the following bases to collect and use personal information:
- Consent: You provide express consent when you create an account and submit your profile. You may withdraw consent at any time (see Section 8).
- Contractual necessity: Certain data (email, password) is required to provide the account-based services you have requested.
- Legitimate interest: Log and security data is processed to protect the integrity of the platform and your account, balanced against your privacy interests.
- Legal obligation: We may process information where required by Canadian law or a lawful court order.
5. Disclosure of Your Information
We disclose your personal information only in the following limited circumstances:
- Service providers: We use Supabase (PostgreSQL database hosting) and an internal intake board to process student data on our behalf. They operate under data processing agreements and are contractually prohibited from using your data for their own purposes.
- Legal process: If required by a valid Canadian court order, subpoena, or applicable law, we may disclose information to government or law enforcement authorities.
- Business transfers: In the event of a merger, acquisition, or sale of assets, personal information may be transferred to the successor entity, subject to equivalent privacy protections. We will notify you via email before any such transfer occurs.
- Your consent: We will share your information with any third party where you have explicitly consented to that disclosure.
We do not disclose your profile data to scholarship providers, universities, or any third parties without your explicit, prior consent.
6. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you services. Specifically:
- Active accounts: Retained for the duration of your account plus 2 years after last activity, to allow account recovery.
- Deleted accounts: Core profile data is permanently deleted within 30 days of a deletion request. Aggregated, de-identified analytics data may be retained indefinitely.
- Log data: Retained for 90 days for security purposes, then automatically purged.
- Legal holds: If we are involved in litigation or a regulatory investigation, we may be required to retain relevant data until the matter is resolved.
7. Security Safeguards
We implement physical, organizational, and technical safeguards appropriate to the sensitivity of the personal information we hold, as required by PIPEDA Principle 7:
- Passwords are hashed using bcrypt (cost factor 12) and are never stored in plain text.
- All data in transit is encrypted using TLS 1.2 or higher.
- Database connections require SSL/TLS.
- Access to production systems is restricted to authorized personnel only.
- We perform regular security reviews of our platform and dependencies.
Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. If we become aware of a data breach that creates a real risk of significant harm to you, we will notify you and the Office of the Privacy Commissioner of Canada (OPC) as required under PIPEDA.
8. Your Rights Under PIPEDA
As an individual whose personal information we hold, you have the following rights under PIPEDA. To exercise any of these rights, contact us at privacy@occasio.ca.
- Right of access: You have the right to request access to the personal information we hold about you and to receive it in a portable format within 30 days of your request.
- Right to correction: You may request that we correct any inaccurate or incomplete personal information. You can update most profile information directly from your account dashboard.
- Right to withdraw consent: You may withdraw your consent to our processing of your personal information at any time by deleting your account or contacting us. Withdrawal of consent may affect our ability to provide you with our services.
- Right to deletion: You may request that we delete your account and associated personal information. We will complete deletion within 30 days except where retention is required by law.
- Right to complain: If you believe we have not complied with PIPEDA, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca or by calling 1-800-282-1376.
10. Cross-Border Data Transfers
Some of our service providers may store or process data outside of Canada, including in the United States. When your information is transferred outside Canada, it may be subject to the laws of the receiving jurisdiction, including lawful access by foreign governments.
We take reasonable contractual steps to ensure that service providers operating outside Canada provide a comparable level of protection for personal information, consistent with PIPEDA requirements. By using Occasio, you consent to the transfer of your personal information outside Canada for the limited purposes described in this policy.
11. Children's Privacy
Occasio is intended for use by post-secondary students. We do not knowingly collect personal information from individuals under the age of 13. If you are under 13, please do not use our platform or submit any personal information. If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information promptly. If you believe a minor has provided us personal information, please contact us at privacy@occasio.ca.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Send an email notification to all registered users at least 30 days before the change takes effect.
- Where required by law, obtain fresh consent before processing your data under new terms.
Your continued use of Occasio after the effective date of any changes constitutes acceptance of the updated policy.
13. How to Contact Us
For any privacy-related questions, requests, or concerns, please contact our Privacy Officer:
We will acknowledge your request within 5 business days and respond substantively within 30 calendar days, as required by PIPEDA.
If you are not satisfied with our response, you may escalate your complaint to the Office of the Privacy Commissioner of Canada: