Corelance

Privacy Policy

Last updated: June 24, 2026

1. Introduction

Corelance, LLC ("Corelance," "we," "us," or "our") respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

Corelance operates two distinct products under one platform:

  • The Marketplace— our freelance marketplace through which clients engage independent contractors ("Freelancers" or "Vendors") coordinated by Corelance, with escrow-based payments.
  • Corework (the HRIS)— a software-as-a-service human resources information system that a customer company uses to recruit, hire, onboard, and manage its own W-2 employees and applicants. With respect to Corework, the customer company is the sole employer of record; Corelance is a software provider only and runs no payroll, withholding, or benefits, and makes no employment decisions.

By using Corelance, you consent to the data practices described in this policy. If you do not agree with our policies, please do not use our services.

2. Our Role: Controller vs. Processor

Data-protection law distinguishes between a controller(also called a "business" under U.S. state law), which determines the purposes and means of processing personal information, and a processor(a "service provider" under U.S. state law), which processes personal information on behalf of, and under the instructions of, a controller. Our role depends on the product and the data involved.

2.1 Where Corelance Is a Controller

Corelance acts as a controller for personal information we collect to operate the platform itself, including: marketplace account registration and authentication; Freelancer and Client profiles; identity verification and fraud prevention; escrow and payment processing; marketplace messaging; analytics, security, and platform improvement; and our own marketing. This Privacy Policy governs that processing, and you may exercise the rights in Sections 8 and 9 directly with us.

2.2 Where Corelance Is a Processor (Corework HRIS)

For employee, applicant, and other workforce personal information that a customer company uploads to or generates within the Corework HRIS ("Employee Data"), the customer company is the controller and Corelance is a processor / service provideracting solely on that company's documented instructions. The customer company decides what Employee Data to collect, why, how long to keep it, and who may access it; it is the sole employer of record and makes all employment decisions. Corelance does not use Employee Data for its own purposes, does not sell or share it, and does not combine it with data from other sources except as needed to provide the HRIS.

Our processing of Employee Data is governed by the Data Processing Addendum (DPA) incorporated by reference into the Corelance Master Platform Services Agreement (Article 25 and Section 25.5) accepted by each customer company, and by our Terms of Service, not by this Privacy Policy.

If you are an employee or job applicant of a company that uses Corework and you wish to access, correct, delete, or otherwise exercise rights over your HR records, please direct your request to your employer (or prospective employer), who is the controller of that data. If you contact us directly about Employee Data, we will refer you to the relevant employer and, where required, assist that employer in responding to your request.

3. Information We Collect

3.1 Information You Provide (Marketplace & Accounts)

As a controller, we collect information you directly provide, including:

  • Account Information: Name, email address, password, phone number
  • Profile Information: Professional bio, skills, portfolio, work history, profile photo
  • Identity Verification: Government-issued ID, address, tax identification numbers
  • Company Information: Company name, EIN/tax ID, business address, legal entity details
  • Financial Information: Bank account details, payment card information (processed by our payment providers)
  • Communications: Messages sent through the platform, support inquiries, reviews
  • Project Information: Project descriptions, applications, contracts, deliverables

3.2 Workforce Data We Process for Corework Customers

When a customer company uses the Corework HRIS, that company may have us process the following categories of Employee Data on its behalf, as its processor. The customer company — not Corelance — determines which of these categories are collected:

  • Employee & applicant records: name, contact details, employment status, job title, department, location, role, hire/termination dates, application and interview materials, resumes, and references
  • Government identifiers: Social Security Number (SSN) or other taxpayer/national identification numbers, date of birth
  • Work-authorization records: Form I-9 documentation and supporting work-authorization or immigration evidence, and any E-Verify records the employer maintains
  • Background-check / consumer-report results: screening and consumer-report outcomes the employer obtains and uploads or stores (see Section 4)
  • Compensation & benefits information: salary, pay rate, compensation history, and benefits-eligibility or enrollment status maintained by the employer (Corelance runs no payroll or benefits administration)
  • EEO / diversity data: equal-employment-opportunity, demographic, or diversity information the employer elects to collect for its own compliance or reporting (e.g., EEO-1) purposes
  • Performance & time records: performance notes, time and attendance, and related personnel records the employer maintains

Several of these categories constitute sensitive personal information under applicable law. We process them only to provide the HRIS to the customer company and never for our own purposes (see Sections 2.2 and 9.3).

3.3 Information Collected Automatically

When you use Corelance, we automatically collect:

  • Device Information: IP address, browser type, operating system, device identifiers
  • Usage Data: Pages visited, features used, time spent, click patterns
  • Location Data: General location based on IP address
  • Cookies and Tracking: See our Cookie Policy for details

3.4 Information from Third Parties

We may receive information from identity verification services, payment processors, background-screening providers (at a customer company's direction, for Corework), and publicly available sources to verify identity and prevent fraud.

4. Background Checks & Consumer Reports (FCRA)

The Corework HRIS may store the results of background checks or consumer reports that a customer company obtains for hiring or employment decisions. Where such a report is a "consumer report" under the federal Fair Credit Reporting Act (FCRA) or comparable state law:

  • The customer company is the user of the consumer report and is solely responsible for the required FCRA disclosures and authorizations, permissible-purpose certification, and pre-adverse-action and adverse-action notices, as well as compliance with applicable "ban-the-box," fair-chance, and state consumer-reporting laws.
  • Corelance is a processor that stores and displays these results within the HRIS at the customer company's instruction; Corelance is not a consumer reporting agency and does not furnish, assemble, or evaluate consumer reports.
  • For Marketplace Freelancers, Corelance does not authorize Clients to conduct background, credit, reference, or identity checks on Freelancers without Corelance's prior written approval, consistent with the FCRA and our Master Agreement.

Questions about a background-check result stored in Corework should be directed to the employer that obtained it.

5. How We Use Your Information

As a controller, we use information to:

  • Provide, maintain, and improve our platform
  • Create and manage your account
  • Verify your identity and prevent fraud
  • Process transactions and send payment-related communications
  • Facilitate connections between Clients and Freelancers
  • Send service-related notices and updates
  • Respond to your comments, questions, and support requests
  • Send marketing communications (with your consent)
  • Analyze usage patterns and improve user experience
  • Enforce our Terms of Service and protect against abuse
  • Comply with legal obligations

As a processorfor Corework, we use Employee Data only to provide, secure, and support the HRIS for the customer company on its documented instructions — never for our own marketing, profiling, advertising, or AI-training purposes.

6. Automated Decision-Making & AI Matching

Marketplace: We use algorithmic ranking and AI-assisted matching to surface relevant Freelancers to Clients and relevant projects to Freelancers (for example, ranking search results and recommending engagements based on skills, history, and stated preferences). These tools inform discovery; they do not make legally or similarly significant decisions about you on their own. You may contact us to ask about the logic involved and to request human review where applicable.

Corework HRIS:The HRIS may provide ranking, screening, or recommendation features to help an employer organize applicants. Any employment decision — including hiring, screening criteria, and adverse actions — is made by the customer company, which is the controller and sole employer of record and is responsible for ensuring its use of any such feature complies with anti-discrimination and applicable automated-decision laws. Corelance does not make employment decisions and does not use Employee Data to build or train profiling models for other customers.

We do not use solely automated processing that produces legal or similarly significant effects about you without a lawful basis and, where required, suitable safeguards including the ability to request human intervention.

7. Information Sharing & Subprocessors

7.1 With Other Users

Your Marketplace profile information is visible to other users. When you engage in a project, relevant information is shared with the other party (e.g., Freelancer details with Clients, Client details with Freelancers). Corework Employee Data is shared only within the customer company's own authorized HRIS users, as that company configures.

7.2 Service Providers & Subprocessors

We share information with vetted third-party service providers (acting as our subprocessors for Corework) who perform services on our behalf under contractual confidentiality and data-protection obligations:

  • Payment processors (Stripe)
  • Identity verification and background-screening services
  • Cloud hosting and infrastructure providers (AWS)
  • Analytics providers
  • Email and communications providers
  • Customer support tools

We maintain a current list of subprocessors used for the Corework HRIS and provide it to customer companies on request, along with a mechanism to receive notice of changes, as set out in the DPA.

7.3 Legal Requirements

We may disclose information when required by law, subpoena, or legal process, or when we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. For Employee Data, where legally permitted, we will notify the customer company (controller) before disclosure.

7.4 Business Transfers

If Corelance is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information becomes subject to a different privacy policy.

7.5 No Sale or Sharing of Personal Information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. See Section 9 for details and your opt-out rights.

8. Data Security

We implement appropriate technical and organizational security measures to protect your personal information, including:

  • Encryption of data in transit (TLS) and at rest
  • Secure password hashing
  • Storage of highly sensitive identifiers (e.g., SSNs, government IDs) in a dedicated, access-controlled secrets vault
  • Role-based access controls, least-privilege access, and audit logging
  • Regular security assessments and penetration testing
  • Employee security training
  • PCI-DSS compliant payment processing

However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

9. Data Breach Notification

We maintain an incident-response program to detect, investigate, and respond to security incidents. If a personal-data breach affects information for which Corelance is the controller, we will notify affected individuals and regulators where and when required by applicable law, without undue delay.

If a breach affects Employee Data we process for a customer company, we will notify that customer company (the controller) without undue delay and provide the information and cooperation it needs to meet its own notification obligations. Because the customer company is the controller and employer of record, it is responsible for notifying affected employees, applicants, regulators, and other parties as required by law.

10. Data Retention

We retain personal information for as long as your account is active or as needed to provide services. We also retain information as necessary to:

  • Comply with legal obligations (e.g., tax records for 7 years)
  • Resolve disputes and enforce agreements
  • Prevent fraud and abuse
  • Maintain business records

When you delete your account, we will delete or anonymize your personal information within 90 days, except as required by law or for legitimate business purposes.

For Corework Employee Data, the customer company (controller) sets retention periods. We retain Employee Data for the term of that company's subscription and, on termination, return or delete it in accordance with the DPA and the company's instructions, except where retention is required by law.

10.1 Biometric Information Retention and Destruction Policy

Corelance does not currently collect biometric identifiers or biometric information. If we introduce a verification feature that collects biometric data (for example, facial geometry derived from a verification selfie), we will collect that data only after obtaining a standalone written release from the individual.

Any biometric identifiers or biometric information we collect will be retained no longer than three (3) years after the individual's last interaction with the platform, or until the individual's account is deleted, whichever occurs first, and will then be permanently destroyed. We will never sell, lease, trade, or otherwise profit from biometric identifiers or biometric information, and we will disclose them only to verification providers bound by contractual confidentiality and security obligations, as required by law, or with the individual's consent.

This policy is intended to satisfy the publicly available written retention and destruction policy requirements of 740 ILCS 14/15(a) (the Illinois Biometric Information Privacy Act), Tex. Bus. & Com. Code § 503.001 (CUBI), and Wash. Rev. Code ch. 19.375, and applies regardless of whether you use the platform through the Corelance or Corework brand surface.

11. Your Rights and Choices

11.1 Access and Update

You can access and update your account information through your profile settings at any time.

11.2 Data Portability

You can request a copy of your personal data in a structured, machine-readable format.

11.3 Deletion

You can request deletion of your personal information. Some information may be retained as required by law or for legitimate business purposes.

11.4 Marketing Communications

You can opt out of marketing emails by clicking "unsubscribe" in any marketing email or adjusting your notification preferences. Service-related communications cannot be opted out of.

11.5 Cookies

You can manage cookie preferences through our cookie banner or your browser settings. See our Cookie Policy for details.

11.6 Requests About Corework Employee Data

If you are an employee or applicant of a company that uses Corework, exercise your rights over your HR records with that company (the controller), not with Corelance. We will route such requests to the relevant employer and assist it as required (see Section 2.2).

12. Your California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), gives you the rights described below with respect to personal information for which Corelance is the business (controller). For Corework Employee Data, the customer company is the business and you should direct requests to it.

12.1 Your Rights

  • Right to know: the categories and specific pieces of personal information we have collected, the sources, the business or commercial purposes, and the categories of third parties to whom we disclose it.
  • Right to delete personal information we have collected, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information.
  • Right to limit use of sensitive personal information to permitted purposes.
  • Right to non-discrimination for exercising any of these rights.

12.2 Sale / Share Opt-Out and Global Privacy Control

We do not sell or share your personal information as those terms are defined under the CCPA/CPRA (including sharing for cross-context behavioral advertising). You may nonetheless exercise the opt-out via our cookie preferences and our "Do Not Sell or Share My Personal Information" control. We honor opt-out preference signals, including the Global Privacy Control (GPC), transmitted by your browser or device, and treat a valid GPC signal as a request to opt out for that browser or device.

12.3 Sensitive Personal Information

We collect certain sensitive personal information (for example, government identifiers and financial account information used for identity verification, fraud prevention, and payments). We use and disclose it only for the purposes permitted under the CPRA — such as providing the services you request, verifying identity, preventing fraud and security incidents, and complying with law — and not to infer characteristics about you. You may direct us to limit our use of your sensitive personal information to these permitted purposes.

12.4 Categories Collected and Disclosed (Last 12 Months)

In the preceding 12 months, we have collected the categories of personal information described in Section 3 (identifiers; customer records; commercial information; internet/network activity; geolocation; professional or employment information; and sensitive personal information such as government identifiers and financial account details). We collect this information from you, from your use of the platform, and from the third-party sources described in Section 3.4, and we use it for the business purposes described in Section 5. In the preceding 12 months, we have disclosed personal information for business purposes to the categories of service providers and recipients listed in Section 7, and we have not sold or shared personal information.

12.5 Retention

We retain each category of personal information for the periods described in Section 10, based on the purpose for which it was collected and applicable legal retention requirements.

12.6 How to Exercise Your Rights; Authorized Agents

To exercise your rights, contact us at privacy@corelance.com or through your account settings. We will verify your request before responding. You may use an authorized agent to submit a request on your behalf; we may require the agent to provide proof of your written authorization and may ask you to verify your identity directly. We will not discriminate against you for exercising your rights.

13. European & UK Privacy Rights (GDPR / UK GDPR)

If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, the GDPR and UK GDPR give you the following rights with respect to personal data for which Corelance is the controller:

  • Right to access, rectify, or erase your personal data
  • Right to restrict or object to processing
  • Right to data portability
  • Right to withdraw consent at any time (without affecting prior processing)
  • Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (see Section 6)
  • Right to lodge a complaint with your supervisory authority

13.1 Lawful Bases for Processing

Where we act as a controller, we rely on the following lawful bases under Article 6 GDPR:

  • Performance of a contract — to create and operate your account and provide the services you request.
  • Legitimate interests — to secure the platform, prevent fraud, analyze and improve our services, and conduct direct marketing, balanced against your rights.
  • Legal obligation — to comply with tax, accounting, anti-money-laundering, and other legal requirements.
  • Consent — for non-essential cookies and certain marketing, which you may withdraw at any time.

For Corework Employee Data, the customer company (controller) determines the lawful basis; Corelance processes only on its instructions as processor.

13.2 EU / UK Representative

Our services are directed to businesses and freelancers primarily located outside the EEA and the UK, and we have not appointed a representative in the EU or the UK at this time. If Article 27 GDPR or Article 27 UK GDPR requires us to appoint a representative, we will do so before directing our services to those markets and will publish the representative's identity and contact details in this policy. If you are in the EEA or the UK, you may direct inquiries about our processing of your personal data to privacy@corelance.com.

14. International Data Transfers

Your information may be transferred to and processed in countries other than your own, including the United States. Where we transfer personal data out of the EEA, the UK, or Switzerland, we use an appropriate transfer mechanism — principally the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum), supplemented by additional safeguards as needed — to protect your information. A copy of the relevant transfer mechanism is available on request at privacy@corelance.com.

15. Children's Privacy

Corelance is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.

17. Contact Us

For questions or concerns about this Privacy Policy or our data practices, contact our Data Protection Officer:

Email: privacy@corelance.com
Address: Corelance, LLC, Attn: Privacy, 12460 Crabapple Rd, Ste 202-314, Alpharetta, GA 30004

If you are an employee or applicant of a company that uses the Corework HRIS, please direct privacy requests about your HR records to your employer (the controller), as described in Section 2.2.