Privacy Policy

Last updated: May 5, 2026

1. Introduction

Mackinac ("we," "our," or "the Platform") is a community application for verified seasonal and remote travelling workers. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and how long we retain it.

2. Data We Collect

2.1 Account Information

Email address — used for login, account recovery, and admin communications.
Username — your public display name within the community.
Password — stored as a one-way cryptographic hash (bcrypt). We never store or have access to your plaintext password.

2.2 Identity Verification Data

Government-issued ID photo — a photograph of your passport, driver's license, or national ID card. Used to verify your identity via automated facial comparison.
Selfie photo — a photograph of your face taken during onboarding. Compared against your ID document to confirm you are the person depicted.
Face comparison confidence score — the numerical similarity percentage returned by AWS Rekognition when comparing your ID photo to your selfie.

Why: Identity verification ensures every member of the community is a real, verified individual. This protects all users from fraud, impersonation, and bad actors.

2.3 Employment Verification Data

Work document image — a photograph or scan of a pay stub, dorm contract, employment letter, or equivalent document proving seasonal/remote employment.
Extracted verified fields (locked, non-editable):
- First name
- Last name
- Date of birth
- Place of work / employer name
Raw document extraction data — the full response from AWS Textract, stored for audit and dispute resolution purposes.

Why: Employment verification ensures only legitimate seasonal and remote workers can access the community. Extracted fields are locked to prevent identity misrepresentation.

2.4 Administrative & Access Data

Account status — tracks your position in the verification pipeline (created, pending, approved, suspended).
Approval timestamp and approving admin ID — records when and by whom your account was approved.
Access expiration date — your account access expires 8 months after approval, requiring re-verification with a current work document.

2.5 Community Activity Data

Chat messages and comments — content you post in community chat rooms and comment sections.
Location data — approximate location used for location-based feeds and chat rooms (50-mile radius).
Events and posts — content you create on the events board or Life Hacks forum.

3. How We Use Your Data

To verify your identity and employment status during onboarding.
To maintain community safety through moderation (chat/comment logs are periodically reviewed by AI flagging with human admin oversight).
To provide location-based community features.
To communicate with you about your account status, approvals, or policy violations.
To enforce the 8-month access expiry and re-verification requirement.

4. Third-Party Services

AWS Rekognition — facial comparison between your ID and selfie. Images are transmitted securely to AWS for processing.
AWS Textract — document text extraction from your work document. Documents are transmitted securely to AWS for processing.
AWS S3 — secure encrypted storage for all uploaded documents and images.
AWS SES — transactional emails (approval notifications, admin communications).

All AWS services operate under AWS's data processing agreements and are hosted in the US East (Ohio) region.

5. Data Retention

We retain all personal data, uploaded documents, and images for up to 2 years after you terminate your account. This retention period exists to support dispute resolution, fraud prevention, and compliance with potential legal obligations.

After the 2-year retention period, all personal data and associated files are permanently deleted from our systems and backups.

6. Immediate Data Deletion

If you wish to have your data deleted immediately upon account termination (without the 2-year retention period), you may request immediate deletion by emailing security@nomadsoft.us. Upon verification of your identity, we will permanently delete all your personal data, uploaded documents, and images within 30 days of receiving your request.

7. Data Security

All documents and images are stored in private S3 buckets with server-side encryption. Access is restricted to the uploading user and authorized administrators. Presigned URLs with 1-hour expiry are used for temporary document access. Passwords are hashed using bcrypt with per-user salts.

8. Your Rights

Access — you can view your stored data through your profile.
Correction — verified fields (name, DOB, place of work) cannot be edited as they are extracted from official documents. If they are incorrect, you may submit a new work document during re-verification.
Deletion — you may request immediate deletion by contacting security@nomadsoft.us.
Portability — you may request an export of your data by contacting security@nomadsoft.us.

9. Contact

For privacy-related inquiries, data deletion requests, or concerns, contact us at security@nomadsoft.us.