Privacy Policy
Effective 2026-05-04
What we collect
Account info: name, email, password (hashed), account type, optional phone.
Credit-report content: the PDF files you upload, plus the tradeline data we extract from them (creditor, masked account number, balances, dates).
Dispute activity: which candidates you flag, which letters you draft, status updates you log, response uploads.
Payment info: handled by our payment processor (e.g., Stripe). We don't store full card numbers on our servers.
Usage data: standard server logs (IP, user agent, paths visited, timing) for security and reliability, plus aggregate traffic measurement via Google Analytics 4 (page views, scrolls, outbound clicks, and conversion events such as sign-ups). We do not run third-party advertising trackers on the marketing site.
How we use it
- To run the Service for you (parse reports, generate letters, track responses).
- To bill you for the plan you chose.
- To email you about your account, security, and (with consent) product updates.
- To debug crashes, prevent abuse, and meet legal obligations.
We do not sell your data. We do not share it with advertisers.
Sub-processors
We use a small number of vetted third parties to operate the Service:
- Supabase (managed PostgreSQL + auth + storage)
- Vercel (web hosting + serverless functions)
- Resend (transactional email)
- Google Analytics 4 (aggregate site traffic measurement on marketing pages)
- Stripe (payments — when enabled)
Each processes data on our behalf under their own data-protection terms.
Retention
Credit-report files are stored for as long as your account is active. If you cancel, you can export everything from the dashboard before access ends; otherwise files are deleted within 90 days of cancellation.
Account records (email, billing history) are retained for the shorter of 7 years or the period required by tax law.
Security
We treat the credit-report content you upload as sensitive consumer information and apply the following safeguards:
- Encryption in transit: all traffic between your browser and our servers, and between our servers and sub-processors (Supabase, Stripe, Resend), runs over TLS 1.2 or higher.
- Encryption at rest: uploaded files, extracted tradeline data, and account records are stored encrypted on disk by our infrastructure providers (Supabase Postgres + Storage, AES-256).
- Row-level access control: every record is scoped to your user account by Postgres row-level security policies; another customer cannot read your data even if our application logic has a bug.
- No third-party data sharing: we do not sell, rent, license, or otherwise share your credit-report content, tradeline data, or dispute drafts with any third party for marketing, analytics, or model-training purposes.
- Restricted employee access: only authorized personnel can access raw uploads, and only when necessary to operate or debug the Service. Access is logged.
- Passwords: hashed by our auth provider (Supabase Auth) using industry-standard adaptive hashing. We never see plain-text passwords.
- Payments: handled entirely by Stripe; full card numbers never touch our servers.
- Breach notification: if a security incident affects your data, we will notify you by email without undue delay and in any event within the timeframe required by applicable law (e.g., CCPA / CPRA).
No system is perfectly secure. If you discover a vulnerability, please report it to security@creditrepair.space.
Do Not Sell or Share My Personal Information
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. California, Colorado, Connecticut, Virginia, Utah, and other state-privacy-law residents have specific rights to opt out of the sale or sharing of personal information. Because we do not engage in either practice, no opt-out is required for this service. If you have questions or want written confirmation of this status, email hello@creditrepair.space with the subject “Do Not Sell opt-out” and we will respond within 15 business days.
Your rights
You can:
- Access and download your data from the dashboard.
- Correct inaccurate account info from your profile page.
- Request deletion of your account and all associated data by emailing hello@creditrepair.space.
- Opt out of marketing emails using the unsubscribe link in any email.
California residents: under the CCPA / CPRA you have additional rights to know what we collect, request deletion, and opt out of any “sale” of your personal information. We do not sell personal information.
Children
Changes
Contact
This policy is a starting template, not legal advice. Have counsel review before relying on it in production.