Privacy
Statement

1. About TriCore Partners

TriCore Partners is a specialized risk advisory firm incorporated in Canada, with operations in the United Arab Emirates, serving clients and candidates internationally. This Privacy Statement describes how TriCore Partners ("we," "us," "our") collects, uses, discloses, and protects personal information through our website, platform, and services — regardless of where in the world you are when you interact with us.

2. Scope

This statement applies to:

• Visitors to our website (tricorep.com)
• Candidates who register on our platform, upload CVs, or complete assessments
• Clients and prospective clients who engage our advisory services
• Individuals who contact us or subscribe to our communications
• Individuals who request our service brochure or other materials

3. Information We Collect

3.1 Information You Provide

• Account registration: Name, email address, password
• Candidate profile: Full legal name, date of birth, nationality, phone number, address, professional summary, work experience, education, certifications, languages, salary expectations, profile photograph
• CV/Resume: Uploaded documents (PDF, DOCX, DOC) and the text content extracted from them
• Assessment responses: Answers to our work style assessment questions
• Contact inquiries: Name, email, company, message content
• Brochure requests: Name, email, company

3.2 Information Collected Automatically

• Session data: IP address, browser type, pages visited
• Cookies: Session cookies for authentication (see our Cookie Policy)

3.3 Information Generated by Our Systems

• AI-parsed CV data: Structured professional information extracted from uploaded CVs using artificial intelligence
• Assessment scores: Aggregated dimension scores derived from assessment responses
• Professional bio documents: Generated presentations based on candidate profile data

4. How We Use Your Information

We process personal information for the following purposes:

• Candidate evaluation: To assess suitability for consulting engagements based on professional experience, qualifications, and assessment results
• Profile management: To create, maintain, and update candidate profiles on our platform
• Bio generation: To create professional biography documents for client presentations
• Communication: To respond to inquiries, send engagement opportunities, and provide platform updates
• Platform operation: To maintain, secure, and improve our platform
• Legal compliance: To comply with applicable laws, regulations, and contractual obligations

5. Legal Basis for Processing

We process your personal information based on one or more of the following legal grounds:

• Consent: Where you have given explicit consent (e.g., submitting your CV, completing the assessment, accepting the privacy acknowledgement)
• Contractual necessity: Where processing is necessary to perform services you have requested
• Legitimate interests: Where processing is necessary for our legitimate business interests, provided these do not override your rights
• Legal obligation: Where we are required to process data to comply with applicable law

6. AI and Automated Processing

We use artificial intelligence (AI) services to:

• Parse and extract structured information from uploaded CVs
• Generate professional biography documents in multiple languages

Assessment scores are calculated algorithmically based on your responses. These scores are used as one factor among several in our evaluation process and do not constitute the sole basis for any decision. All significant decisions regarding candidate engagement are made by human evaluators.

CV data is processed through Anthropic's Claude AI service. Anthropic does not use data submitted through their API for training purposes. See Anthropic's Privacy Policy for details.

7. Data Sharing and Sub-Processors

We do not sell your personal information and we do not share it for advertising. Your data may be disclosed only in these limited circumstances:

• TriCore Partners team: Authorized partners and evaluators who need access to assess your candidacy or respond to your inquiry.
• Clients (candidates only): Professional bio documents and relevant qualifications may be shared with prospective clients when we present you for an engagement. We will tell you which client before doing so.
• Legal requirements: When required by law, regulation, lawful subpoena, or to protect our rights, the rights of users, or the public.

We rely on the following sub-processors, each bound by a data-processing agreement:

Provider	Purpose	Data location
Cloudflare	Website hosting, application platform, database (D1), file storage (R2), CDN, DDoS protection	Global edge network; primary data location selected at the regional level. See Cloudflare's privacy policy.
Anthropic	AI-powered CV text parsing and bio generation. CV text is sent to the Anthropic API; the API response is the structured bio used in our PowerPoint documents.	United States. Anthropic does not use API inputs to train its models. See Anthropic's commercial terms.
Microsoft (Graph / Outlook)	Sending transactional and notification emails on our behalf.	Global Microsoft 365 infrastructure.

If we add or change a sub-processor, we will update this table before the new sub-processor begins processing your data.

8. International Data Transfers

Whichever country you are in when you give us your data, that data will leave it. Specifically:

• Our application runs on Cloudflare Workers, a global serverless platform. Your request is served by the Cloudflare data center closest to you and our database/storage is replicated on Cloudflare's infrastructure.
• Your CV text is sent to Anthropic in the United States for AI-powered bio generation.
• Notification emails are sent through Microsoft's global email infrastructure.

To protect these transfers we rely on: (a) data-processing agreements with each provider; (b) the providers' own published privacy and security commitments (linked in Section 7); (c) technical safeguards (encryption in transit and at rest, role-based access). We apply the same protection standards to your data regardless of where it is processed.

If your local law gives you the right to ask where your data is processed or to object to a transfer, you can exercise that right under Section 10 below.

9. Data Retention

We keep your data only as long as needed for the purpose it was collected. The candidate-specific retention rules are detailed in the Candidate Data Notice; the table below is the consolidated view.

• Candidate profile (active): Retained for the duration of your account.
• Candidate profile (inactive): Deleted 2 years after your last login.
• CV documents: Retained for the duration of your account.
• Assessment responses: Locked for 1 year after submission. A partner may release the lock to allow re-submission.
• Evaluation notes (created by our team): Retained for 3 years from the date of the engagement opportunity.
• Contact inquiries: Retained for 1 year.
• Brochure request data: Retained for 2 years.
• Session cookies: Expire after 24 hours.
• Server logs (IP, request metadata) held by our hosting provider: Per Cloudflare's published retention policy, typically up to 30 days.

You can ask us to delete your data sooner — see Section 10.

10. Your Rights — Wherever You Are

You have the following rights over the personal data we hold about you. We honor them for every visitor, regardless of where you live, even where the local law does not formally require us to.

• Access: Ask for a copy of the personal data we hold about you and how we use it.
• Rectification: Ask us to correct anything that is wrong or out of date.
• Erasure / deletion: Ask us to delete your data. We will do so unless we are legally required to keep it (and we will tell you if that's the case).
• Restriction: Ask us to pause processing while we resolve a question about your data.
• Portability: Ask for the data you gave us in a structured, machine-readable format (JSON or CSV).
• Withdraw consent: Where we rely on your consent (e.g., to keep your candidate profile, to send you marketing), you can withdraw it at any time without explanation. Withdrawal doesn't undo past lawful processing.
• Object: Object to processing we do on the basis of legitimate interest. We will stop unless we have an overriding reason.
• Opt out of "sale" or "share": We do not sell or share your personal information for cross-context advertising. If this ever changes, you'll have a clear opt-out.
• Complain: Contact us first — but if we don't resolve it, you may complain to your local data protection authority. Canadian residents may contact the Office of the Privacy Commissioner of Canada or, for Quebec residents, the Commission d'accès à l'information du Québec. UAE residents may contact the UAE Data Office.

How to use these rights: email [email protected] from the address associated with your account (or any address — we will ask you to verify identity). We respond within 30 calendar days. Exercising a right is free, but if a request is manifestly unfounded or repetitive we may charge a reasonable fee or refuse, and we will explain why.

11. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of passwords using industry-standard hashing (bcrypt)
• Session-based authentication with secure cookie handling
• Access controls limiting data visibility to authorized personnel
• Regular security reviews of our platform and practices

12. Our Legal Baseline

TriCore Partners is registered in Canada and the United Arab Emirates. As a baseline, we apply:

• Canada's PIPEDA (Personal Information Protection and Electronic Documents Act)
• Quebec Law 25 (Act respecting the protection of personal information in the private sector), since we are headquartered in Quebec
• The UAE Federal PDPL (Decree-Law No. 45 of 2021), since we operate in the UAE

Beyond that baseline, we have chosen to extend the same rights and transparency obligations to all visitors. So if you are based in California, you have the practical equivalent of the CCPA/CPRA opt-out and access rights described in Section 10. If you are based in the EU, EEA, or UK, you have the practical equivalent of the GDPR rights — even though TriCore Partners is not established in those territories and has not appointed a representative under Article 27 of the GDPR/UK GDPR. If you are based in the GCC region or elsewhere, the same rights apply.

This is a deliberate choice — we'd rather one clear standard for everyone than a patchwork that depends on where you happen to live.

13. Changes to This Statement

We may update this Privacy Statement from time to time. Material changes will be communicated through our platform or by email. The "Last updated" date at the top of this page indicates the most recent revision.

14. Contact & Privacy Officer

For any privacy question, data-subject request, or complaint, contact our Privacy Officer:

Jean-Philippe Dagher
Privacy Officer, TriCore Partners
Email (privacy matters): [email protected]
Email (general): [email protected]
Montreal, Quebec, Canada

Quebec residents may also contact the Commission d'accès à l'information du Québec. Other Canadian residents may contact the Office of the Privacy Commissioner of Canada. UAE residents may contact the UAE Data Office (u.ae).