Privacy Policy
Last updated July 15, 2026. This policy explains what personal data Credorz processes, why, and the choices you have.
1. Who we are
Credorz operates a business identity, verification, and trust platform. When we say "we", "us", or "Credorz" in this policy, we mean the Credorz entity that provides the service to you. For data protection questions, contact privacy@credorz.com.
2. Data we collect
We only collect data we need to run verification, issue and maintain Business Passports, secure the platform, and meet our legal obligations.
- Data you provide
- Account details (name, work email, company affiliation), company registration and ownership information, and the verification documents you upload (e.g. trade licenses, incorporation certificates, shareholder records).
- Data from verification
- Results of KYC, KYB, UBO, AML, sanctions, and PEP checks performed on representatives, directors, and beneficial owners — including the provenance and confidence of each result.
- Usage and technical data
- Product usage telemetry, IP address, device and browser information, and session metadata used to secure and improve the platform.
- Communications
- Records of messages you send us (support, contact, press) and notifications we send you.
3. How we use data
We process personal data for these legitimate, documented purposes:
- Operating verification workflows and computing the Trust Index.
- Issuing, maintaining, and sharing Business Passports at your direction.
- Securing the platform — authentication, fraud detection, audit logging, and incident response.
- Providing customer support and operating notifications.
- Improving product quality, reliability, and coverage.
- Meeting legal, regulatory, and compliance obligations, including record-keeping and law-enforcement requests where legally required.
4. Legal basis
Where the GDPR or equivalent laws apply, we rely on the following legal bases:
- Performance of a contract — to provide the account and verification services you requested.
- Legal obligation — to meet KYC/AML and record-keeping requirements.
- Legitimate interests — to secure the platform and improve the service, balanced against your rights.
- Consent — for optional communications and any non-essential analytics, which you can withdraw at any time.
5. Sharing and recipients
We do not sell personal data. We share it only as described here:
- Processors — infrastructure, storage, and AI providers that help us run Credorz, under contractual safeguards and only to provide the service. See our Data Processing page for the subprocessor overview.
- Counterparties — only when you explicitly publish or share a Passport. You control what each view exposes through field-level data classification.
- Authorities — where required by law, court order, or to meet KYC/AML obligations.
- Business transfers — in connection with a merger, acquisition, or asset sale, subject to confidentiality and this policy.
6. International transfers
Credorz operates across borders, so your data may be processed outside your country of residence. Where this happens, we use appropriate safeguards such as standard contractual clauses, adequacy decisions, or other lawful transfer mechanisms, and we require the same of our processors.
7. Data retention
We keep personal data only as long as necessary for the purposes above and to meet legal requirements.
8. Your rights
Depending on your jurisdiction (including the GDPR and UAE PDPL), you may have the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion, subject to legal retention obligations.
- Restriction — ask us to limit processing in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests or for direct marketing.
- Withdraw consent — for any processing that relies on it.
- Complain — to your local data protection authority.
9. Exercising your rights
To exercise any right, email privacy@credorz.com. We verify your identity before acting, respond within the period required by law (usually one month), and explain any restrictions.
10. Security
Security is central to how Credorz is built:
- Field-level data classification governs what each viewer can see.
- Documents are stored in encrypted object storage; file bytes never live in the database.
- Sessions are revocable, device-labeled, and JWT-validated on every request.
- Every sensitive action is recorded in a tamper-evident, hash-chained audit log.
- AI access to company data passes through a single context gateway that minimizes PII and logs every retrieval.
11. Children's data
Credorz is a business platform and is not intended for individuals under 18. We do not knowingly collect personal data from children. If you believe we have done so in error, contact privacy@credorz.com.
12. Changes to this policy
We may update this policy as the platform evolves. We'll indicate the "Last updated" date above and notify users of material changes through the product or by email.