Privacy Policy

Effective Date: [PLACEHOLDER — legal to insert date before launch]  |  Last Updated: [PLACEHOLDER]

1. Introduction & Effective Date

CredFlex_X ("CredFlex_X," "we," "us," or "our") is a free, AI-powered credit empowerment platform that helps consumers exercise their rights under the Fair Credit Reporting Act (FCRA) and related federal and state laws. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our website and services (collectively, the "Service").

By creating an account or using the Service, you agree to the collection and use of information as described in this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you register, we collect your first and last name, email address, and password (stored as an Argon2id hash — we never store your plaintext password). You may optionally provide your state of residence to unlock state-specific dispute tools.

2.2 Profile Information

To generate dispute letters on your behalf, we may collect your mailing address, phone number, and state of residence.

2.3 Sensitive Financial Information

If you choose to provide them, we collect the last four digits of your Social Security Number and your date of birth for identity verification purposes. These fields are encrypted at rest using AES-256-GCM encryption. We do not store your full Social Security Number.

2.4 Credit Report Data

You may manually enter tradeline information from credit reports you have obtained directly from AnnualCreditReport.com or from the credit bureaus. In future versions of the Service, and only with your explicit consent, we may retrieve credit reports on your behalf from Equifax, Experian, and TransUnion as a soft inquiry that does not affect your credit score. We only store the last four digits of any account number.

2.5 Bank Account Data

[PLACEHOLDER — GLBA section: finalize with legal before Plaid integration goes live]

If you choose to link a bank account for budget management features, your banking data is retrieved through a third-party bank data aggregator (such as Plaid, Inc.). CredFlex_X does not store your bank credentials. Please review the bank aggregator's own privacy policy for details about how they handle your financial data.

2.6 Usage Data

We collect information about how you interact with the Service, including pages viewed, features used, timestamps of actions, IP address, browser type, and device information. This helps us improve the Service and detect security incidents.

3. How We Use Your Information

We use your information to:

  • Generate FCRA dispute letters, debt validation letters, and payment-for-deletion proposal letters on your behalf.
  • Assist with debt validation and FDCPA compliance tracking (certified mail logs and response deadlines).
  • Provide budget management and bill tracking features.
  • Deliver AI-powered financial education through our coaching agent.
  • Send transactional communications (email verification, deadline alerts, account security notices).
  • Anchor proof-of-existence hashes to the XRPL-EVM blockchain (only salted hashes — never PII).
  • Maintain audit logs for compliance and security purposes.
  • Improve, secure, and debug the Service.

We do not use your information for behavioral advertising and we do not sell your personal data to third parties.

4. How We Share Your Information

We do not sell your personal data. We may share your information with:

  • Credit bureaus (Equifax, Experian, TransUnion) — only when you explicitly authorize a credit report pull or direct us to send a dispute or debt validation letter on your behalf.
  • Payment processors (Stripe) — if the Service introduces any paid features. CredFlex_X does not store card data; Stripe handles all payment processing under PCI DSS.
  • Bank data aggregators — only if you link a bank account. [PLACEHOLDER — finalize with legal before Plaid integration]
  • Infrastructure and hosting providers (Google Cloud Platform) — to operate the Service under appropriate data processing agreements.
  • Law enforcement or government authorities — only when required by applicable law, court order, or to protect the rights, property, or safety of CredFlex_X or our users.

5. FCRA Disclosures

[PLACEHOLDER — finalize with legal before Phase 2 bureau API goes live]

CredFlex_X accesses your credit reports only with your explicit authorization and solely for the purpose of helping you exercise your FCRA rights.

  • Permissible purpose: Credit report access is performed at your request as the subject of the report.
  • Soft inquiry: Automated credit report retrievals will use soft pulls that do not affect your credit score.
  • Your right of access: You may request a copy of the information we hold about you at any time.
  • Disputes: If you believe any information we maintain is inaccurate, contact us at privacy@credflex-x.com.

6. Your Privacy Rights (CCPA / GDPR)

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Right to access: Request a copy of the personal data we hold about you.
  • Right to deletion: Request deletion of your personal data. We will honor deletion requests subject to legal retention obligations.
  • Right to correction: Request correction of inaccurate personal data.
  • Right to opt-out of sale: We do not sell personal data. This right is satisfied by default.
  • Right to data portability: Request your data in a structured, machine-readable format.
  • Right to restrict processing: Request restriction of processing in certain circumstances.

To exercise any of these rights, submit a request to privacy@credflex-x.com. We will respond within 30 days of receiving a verifiable request, under both the CCPA and the GDPR. You will not be discriminated against for exercising your privacy rights.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. When you delete your account:

  • Account and profile data is deleted within 30 days.
  • Dispute and letter records may be retained for up to 7 years to comply with FCRA record-keeping requirements.
  • Audit logs are retained for 3 years for security and compliance purposes.
  • Blockchain-anchored hashes (on XRPL-EVM) are immutable and cannot be deleted — however, these contain only salted hashes and no personally identifiable information.

8. Security Practices

We implement industry-standard security measures to protect your personal information:

  • All data is transmitted over HTTPS using TLS 1.2 or higher.
  • Passwords are hashed with Argon2id; we never store plaintext passwords.
  • Sensitive fields (SSN last 4, DOB) are encrypted at rest with AES-256-GCM using a managed key service.
  • Multi-factor authentication (MFA) is available and encouraged for all accounts.
  • Access controls are enforced via JWT with short-lived tokens and refresh token rotation.
  • Security audits and dependency scanning are performed regularly.

No method of transmission over the Internet or electronic storage is 100% secure. If you discover a potential security vulnerability, please report it to security@credflex-x.com.

9. Contact Information

For privacy-related questions, requests, or complaints, please contact us:

CredFlex_X
Privacy Officer
privacy@credflex-x.com
[PLACEHOLDER — mailing address]

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page.
  • Send an email notification to your registered email address.
  • Display a prominent notice on the Service for at least 30 days.

Your continued use of the Service after the effective date of any update constitutes your acceptance of the revised Privacy Policy.