Skip to content
GetMeritus

Privacy Policy

Effective Date: March 1, 2026 · Last Updated: March 13, 2026

1. Introduction

This Privacy Policy describes how OptiMystic Holdings Inc. (“Company,” “we,” “us”) collects, uses, stores, and protects your personal information when you use the Meritus platform (“Service”). We are committed to protecting your privacy and complying with applicable privacy legislation, including the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada.

2. Information We Collect

2.1 Information You Provide

  • Account information: Name, email address, and password when you create an account.
  • Certification data: Certification type, issuing body, issue date, expiry date, and supporting documentation (uploaded files) when you submit a credential.
  • Oath records: The text and timestamp of every Oath of Veracity you swear on the platform.
  • Profile information: Optional fields such as trade category, jurisdiction, and profile display name.
  • Contact form data: Name, email, user type, and message content when you contact us.
  • Payment information: Processed by our third-party payment processor. We do not store full credit card numbers.

2.2 Information Collected Automatically

  • Log data: IP address, browser type, operating system, referring URL, pages visited, and timestamps.
  • Device information: Device type and screen resolution for improving user experience.
  • Verification activity: Records of when your credentials are verified by third parties (timestamp, verifier IP — anonymised).

3. How We Use Your Information

We use your personal information to:

  • Operate and maintain the Meritus certification registry.
  • Process and attest your credential submissions.
  • Generate and maintain your permanent verifiable profile.
  • Provide verification services to employers and other authorised parties.
  • Process payments for paid features.
  • Communicate with you about your account, including service updates and security notices.
  • Respond to your enquiries and support requests.
  • Comply with legal obligations and enforce our Terms of Service.
  • Improve the Service through aggregated, anonymised analytics.

4. Data Encryption and Security

We take the security of your data seriously and employ industry-standard measures to protect it:

  • Encryption at rest: All uploaded certification documents are encrypted using AES-256 encryption before storage.
  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Password security: Account passwords are hashed using Argon2id and are never stored in plaintext.
  • Access controls: Internal access to user data is restricted on a need-to-know basis with role-based permissions and audit logging.
  • Backups: Encrypted backups are maintained in geographically separate locations.

No system is perfectly secure. While we implement reasonable safeguards, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

5. Data Retention

Meritus operates on a permanent record model. The following retention policies apply:

  • Attestation records: Retained permanently. This includes oath text, timestamps, credential metadata, and cryptographic hashes. This data cannot be deleted because the integrity of the registry depends on permanence.
  • Uploaded documents: Retained for as long as the associated attestation exists. Original files may be purged after a retention period (currently 7 years), but the cryptographic hash and metadata are retained permanently.
  • Account data: Retained for the life of your account plus 2 years after deactivation, to allow for account recovery.
  • Log data: Retained for 12 months and then anonymised or deleted.
  • Contact form submissions: Retained for 2 years.

6. Information Sharing

We share your personal information only in the following circumstances:

  • Public verification: Your profile name, credential types, attestation dates, and status (active/disputed) are publicly accessible via your serial number or QR code. This is the core function of the Service.
  • Employer verification: When an employer verifies your credentials, they receive the information described above. Your email address and uploaded documents are not shared.
  • Service providers: We share data with third-party service providers who assist in operating the Service (hosting, payment processing, email delivery). These providers are bound by contractual obligations to protect your data.
  • Legal requirements: We may disclose information if required by law, subpoena, court order, or to protect the rights, safety, or property of OptiMystic Holdings Inc. or others.

We do not sell your personal information. We do not share your data with advertisers or marketing companies.

7. Your Rights Under PIPEDA

As a user subject to Canadian privacy law, you have the following rights:

  • Access: You may request a copy of the personal information we hold about you.
  • Correction: You may request correction of inaccurate account information (note: attested credential records cannot be modified, but corrections can be appended).
  • Withdrawal of consent: You may withdraw consent for non-essential processing. However, you cannot withdraw consent for the retention of attestation records, as this would undermine the fundamental purpose of the Service.
  • Complaint: You have the right to file a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8. Worker Rights and Data Ownership

Meritus is designed to protect worker interests. The following principles govern your data:

  • Your credentials belong to you. No employer can remove or alter your records.
  • Your profile is portable. It follows you between employers, provinces, and countries.
  • Your uploaded documents are encrypted and are not shared with verifiers. Only metadata and status are visible.
  • You control your profile display name and optional fields.
  • You may deactivate your profile at any time to remove it from public search results, while the underlying attestation records are retained.

9. Cookies and Tracking

The Service uses essential cookies for session management and authentication. We do not use third-party advertising trackers. We may use privacy-respecting analytics tools to understand usage patterns. You may configure your browser to reject cookies, but some features of the Service may not function properly.

10. International Data Transfers

Meritus primarily stores data in Canada. If your data is transferred to servers outside Canada, we ensure that appropriate safeguards are in place, including contractual protections consistent with PIPEDA requirements.

11. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will take steps to remove it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users and posted on this page with an updated “Last Updated” date. Continued use of the Service after changes constitutes acceptance of the revised policy.

13. Contact

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:

OptiMystic Holdings Inc.
Email: [email protected]