Privacy Policy

GlideHire collects only what we need to match clinicians with jobs and to publish a useful market-rate signal. We don’t sell data, don’t share it with ad networks, and never tie a public compensation figure to an individual clinician.

• Account: email address, password (hashed), optional preferred name.
• Identity: NPI number, first/last name, taxonomy. Verified against the public NPPES registry — no SSN, no DOB.
• Profile: credential type, license states, subspecialties, schedule preferences, willingness to travel, home ZIP. You choose what to add.
• Compensation self-reports: employment type, base rate, call frequency, retirement, PTO, malpractice, facility type, years at role, metro. Stored without facility name, employer ID, or any identifier of where the work happens.
• Vault documents: files you upload (CV, license, paystub for verified-comp). Stored encrypted at rest. Shared only with facilities you apply to.
• Activity: job views, applications, messages, offer responses. Used for product analytics and audit logs. See §7 for how interaction events are also used for placement attribution.
• Tax information: When your cumulative reporting bonus earnings exceed $600 in a calendar year, we collect your full legal name, Tax Identification Number (SSN or EIN), and mailing address to fulfill our IRS 1099-NEC reporting obligations. This data is stored encrypted and is never used for any purpose other than tax compliance and bonus payment. See §8 for details.

Two architectural rules govern comp data:

• Anonymized forever. Self-reports never store facility name, employer ID, or any field that ties a report to a workplace. The schema is enforced by Postgres constraints and a database test that fails CI if a workplace-identifying column is ever added.
• Aggregation thresholds. Public market-rate pages publish only when n ≥ 10 reports per (role, metro) combination. In-product cohort views require n ≥ 5. Below those thresholds, the page renders an empty state with no numbers.

A comp report you submit may be displayed publicly as part of an aggregate, but never as an individually identifiable figure.

• No PHI, patient names, MRNs, diagnoses, or procedures.
• No selling or licensing your data to third parties.
• No advertising trackers (Meta Pixel, AdRoll, etc.).
• No scraping of competitor sites for data.

• Clinicians: see their own profile, their own applications, jobs they’re eligible for, anonymous market rate aggregates.
• Facilities: see verified clinicians (name, credential, subspecialties, license states, profile completeness) in search. Contact details are revealed only when a clinician applies. They cannot see comp self-reports tied to any clinician.
• Admins (GlideHire staff): can see all data for support, abuse review, and incident response. Every comp-data access is audit-logged.
• Public: sees your role and rough location only if you opt into a public profile (not the default), plus aggregate market-rate numbers above the n threshold.

GlideHire relies on a small number of third-party services to operate. Each is contractually obligated to protect your data and only process it as we direct.

• Supabase — hosts our Postgres database, auth, and file storage (including encrypted placement agreement PDFs and W-9 data). Data is stored in US East (Northern Virginia) AWS regions.
• Vercel — hosts the website itself. Vercel sees request metadata (IP, user-agent, request paths) as part of normal web traffic but not your account-level data.
• Resend — delivers our transactional and marketing email.
• Twilio — sends SMS verification codes.
• Stripe — processes placement-fee invoices for facilities. Invoice line items may include the hired clinician’s name and employment type for audit purposes. Clinicians do not pay GlideHire; Stripe is not used to process clinician payment data at this time.
• Sentry — collects error reports. Captures stack traces and request context, including request URLs that may contain non-personal resource identifiers. No direct personally identifiable information is intentionally sent to Sentry; error reports are reviewed only by GlideHire staff.
• PostHog — anonymous product analytics. Events are keyed by anonymized session. IP addresses are masked. No PII is sent.
• Cloudflare Turnstile — bot-detection on sign-up and other sensitive forms.
• Upstash Redis — short-lived rate-limit counters. Receives IP addresses and request counts transiently; no persistent personal data is stored.

GlideHire also queries the publicly-available NPPES NPI Registry (operated by CMS) for clinician identity verification. Only the NPI number you provide is used to query the registry; no personal data is transmitted to CMS. The IRS receives 1099-NEC tax filings for clinicians who earn reporting bonuses of $600 or more in a calendar year — this is a legal obligation, not a commercial data share.

When you interact with a facility on GlideHire — applying to a job, sending a message, having your profile viewed, or receiving an offer — we record an attribution event in our database. Each event includes: who interacted with whom, the event type, the timestamp, and minimal metadata (the actor’s IP address and browser user agent at the time, the related job ID).

Attribution events power the placement-fee model — they are how we determine that a facility introduced a clinician through the platform and may owe a placement fee if they later hire that clinician. They are retained for the life of the attribution and at minimum the 12-month attribution window.

Attribution events are visible to: (a) the facility’s primary admin (as part of their candidate pipeline and audit-trail features), (b) GlideHire staff administering the platform, and (c) the clinician themselves on request. They are not shared with third parties except as part of an aggregate, anonymized fraud-detection signal.

When your lifetime bonus earnings reach $600, we ask you to complete a Form W-9 — full legal name, address, and Tax Identification Number (SSN or EIN). This information is stored encrypted and used only to issue payments and file year-end Form 1099-NEC reports with the IRS.

Bonus payment method information (bank account or other payout destination) is also stored encrypted. Access is limited to GlideHire staff administering payouts and the clinician themselves.

We retain W-9 and 1099 records for the IRS-required retention period (currently four years from the year the form was filed). After that period, tax records are destroyed unless we are required to retain them for an active dispute or investigation.

We retain your data only as long as necessary for the purpose it was collected or as required by law:

• Account data — retained until you delete your account.
• Attribution events — retained for 3 years after the event date to support fee dispute resolution, then anonymized.
• Placement hire and bonus records — retained for 7 years for tax and contract-dispute purposes.
• W-9 / tax ID data — retained for 3 years after the last 1099-NEC filing in which the data was used, then securely deleted.
• Audit logs — retained for 2 years.
• Anonymized aggregate counts (e.g., the n in a market-rate page) — retained indefinitely because they no longer identify you.

Security incident notification: If we discover a breach of unencrypted personal information affecting Pennsylvania residents, we will notify affected users and the Pennsylvania Attorney General as required by PA Act 12 of 2010. Notifications will be sent to the email address on your GlideHire account.

You can read, edit, export, or delete your data at any time from account settings. Deleting your account removes your profile, applications, vault documents, and self-reports. We retain anonymized aggregate counts, attribution event records, and placement hire records as described in §9.

To submit a formal Data Subject Access Request (DSAR) — including requests for access, correction, portability, or deletion of data not covered by account settings — email gabrielfarkas86@gmail.com with the subject line matching your request type (e.g., “Data Export Request” or “Data Deletion Request”). We will verify your identity by confirming access to the email address on your GlideHire account before processing any request. We respond within 30 days (extendable to 45 days with notice for complex requests).

California residents (CCPA / CPRA): You have the right to know what personal information we collect and how it is used, the right to delete your personal information, the right to correct inaccurate information, and the right to non-discrimination for exercising these rights. GlideHire does not sell or share your personal information within the meaning of CCPA. To submit a verifiable consumer request, email gabrielfarkas86@gmail.com. Categories of personal information collected in the prior 12 months are described in §2; business purposes for collection are described throughout this policy.

EEA and UK users have additional rights under GDPR and UK GDPR (access, portability, erasure, objection, and the right to lodge a complaint with your local supervisory authority). Email gabrielfarkas86@gmail.com to exercise them.

Transactional emails (a new applicant, a new message, an offer) are part of the product and are sent until you turn them off in settings. Drip / educational emails include a one-click unsubscribe link in the footer per CAN-SPAM. Existing-account users can fine-tune everything in account settings. Every commercial email we send includes our physical mailing address in the footer as required by CAN-SPAM (15 U.S.C. § 7704(a)(5)(A)): GlideHire, [REPLACE BEFORE LAUNCH: business mailing address].

GlideHire is for licensed clinicians and the facilities that hire them. We do not knowingly collect data from anyone under 18.

GlideHire occasionally runs voluntary market-research surveys at /research. These surveys help us understand how clinicians think about compensation, schedule, and workplace preferences so we can build better specialty-level personas.

• Scope of questions: surveys ask about professional preferences — compensation structure, schedule, workplace characteristics. They never ask about specific patients and never ask you to identify a specific employer.
• Anonymous by design: each respondent uses a one-time anonymous session token. The survey is not linked to any GlideHire account, even if you happen to be signed in elsewhere.
• Optional email only: the single identifying datum we collect is an email address, supplied optionally at the end of the survey, used solely to send a thank-you gift card. You may decline the email and complete the survey fully anonymously.
• Aggregation and deletion: individual response rows are aggregated to generate specialty-level personas. Once a specialty persona is finalized, individual rows are deleted 90 days later.

We’ll update this page when handling changes. Material changes get a 14-day notice via your account email.