Privacy Policy

1. Information We Collect

1.1 Information You Provide

• Account information: name, email address, and password when you register
• Identity verification: Social Security Number, date of birth, and address — required to pull your credit reports through our authorized third-party provider
• Identity documents: photographs of your government-issued photo ID (front and back) and proof of current address (utility bill, bank statement, or government letter) — uploaded during onboarding and included with dispute letters sent to credit bureaus
• Profile information: credit goals, target score, and timeline preferences
• Mailing information: full name and address used for mailing dispute and freeze letters
• Payment information: billing details processed through Stripe, Inc., our third-party payment processor (we do not store full payment card numbers)

1.2 Information We Obtain on Your Behalf

• Credit reports: full credit report data from Equifax, TransUnion, and Experian, pulled via soft inquiry at your request through Stitch Credit
• Credit scores: credit scores associated with your reports
• Trade line data: account details, balances, payment history, and creditor information from your reports

1.3 Information Collected Automatically

• Usage data: pages visited, features used, actions taken within the Service
• Device information: browser type, operating system, IP address, and device identifiers
• Analytics and session recordings: we use PostHog to collect anonymized usage analytics, conduct feature experiments, and record browsing sessions for identified users to improve the Service. Session recordings capture page interactions (clicks, scrolls, navigation) but do not capture passwords, payment card numbers, or SSN input fields. You may opt out of session recording by contacting us.
• Cookies and similar technologies: session cookies for authentication and analytics cookies to understand Service usage

2. How We Use Your Information

We use the information we collect to:

• Pull and display your credit reports from the three major bureaus
• Provide AI-powered analysis and recommendations based on your credit data
• Generate dispute letters and freeze letters on your behalf
• Include your identity documents (photo ID and proof of address) as enclosures with dispute letters
• Mail physical letters to credit bureaus and creditors through our postal service partner (Lob)
• Process payments and manage your subscription through Stripe
• Send transactional communications (confirmations, alerts, updates) via email
• Analyze usage patterns and conduct A/B experiments to improve the Service
• Comply with legal obligations

3. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

• Credit data providers (Stitch Credit): we share your identity information to pull your credit reports via soft inquiry
• Mailing services (Lob): we share your name, address, identity documents, and letter content to print and mail dispute and freeze letters
• Electronic signature providers (SignatureAPI): when you sign dispute letters electronically, your signature data is processed by our e-signature partner
• Payment processors (Stripe): your billing information is processed by Stripe, Inc.
• AI service providers (Anthropic): credit report data is processed by Anthropic's Claude AI for analysis. Data is sent via API and is not retained by Anthropic beyond the request processing window per their data usage policy.
• Analytics (PostHog): anonymized usage data and session recordings are processed by PostHog for product analytics. Data is hosted in the United States.
• Email service (Resend): your email address and name are shared with Resend to deliver transactional emails
• Legal requirements: we may disclose information when required by law, subpoena, or government request

4. Data Security

We implement industry-standard security measures to protect your information, including:

• AES-256 encryption of sensitive data (including SSN) at rest
• TLS encryption for all data in transit
• Secure authentication with encrypted session management via Supabase
• Row-level security policies ensuring users can only access their own data
• Identity documents stored in encrypted cloud storage with access controls
• Separate encryption keys for development and production environments

While we strive to protect your information, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

5. Data Storage and Location

Your data is stored and processed in the United States. Our primary database is hosted on Supabase (cloud-hosted PostgreSQL). Identity documents are stored in Supabase Storage. All infrastructure is located in US data centers.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Credit report data is stored to enable historical tracking and comparison. If you delete your account, we will delete or anonymize your personal information within 30 days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing agreements). Identity documents will be deleted within 30 days of account deletion.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your personal information
• Object to or restrict certain processing of your information
• Request a portable copy of your data
• Withdraw consent where processing is based on consent
• Opt out of session recording and analytics tracking

To exercise any of these rights, contact us at privacy@creditpilotpro.com. We will respond within 30 days.

8. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights, including the right to know what personal information we collect and how it is used, the right to request deletion, and the right to non-discrimination for exercising your privacy rights. We do not sell personal information as defined by the CCPA.

9. Cookies and Tracking

We use essential cookies to maintain your authenticated session and preferences. We use PostHog for analytics cookies to understand how the Service is used, conduct A/B experiments, and manage feature rollouts. You can control cookie preferences through your browser settings, but disabling essential cookies may prevent the Service from functioning properly.

Do Not Track: The Service does not currently respond to browser "Do Not Track" signals. However, you may opt out of analytics tracking by contacting us at privacy@creditpilotpro.com.

10. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will take steps to delete that information promptly.

11. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party services you access through the Service.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Service prior to the change becoming effective. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at privacy@creditpilotpro.com.

Credit Pilot Pro, Inc.
Registered in Delaware via Stripe Atlas