Privacy Policy

This Privacy Policy describes how CredentiAlert ("Company," "we," "us," or "our") collects, uses, shares, and protects information about you when you use our software platform (the "Service"). It applies to information collected through the Service, our website at credentialert.com, our email and SMS communications, and our customer support channels.

If you do not agree with this Privacy Policy, do not use the Service.

1. Who We Are

CredentiAlert operates a software platform that helps small and medium local food and beverage businesses track permits, licenses, certifications, fleet units, personnel records, menu data, and event compliance.

For information collected in connection with your CredentiAlert account, we act as the data controller. For business-operational information you upload about third parties (such as your employees), we act as a processor or service provider on your behalf, and you are the controller of that information. See Section 11.

2. Information We Collect

We collect the following categories of information.

2.1 Information you provide directly

• Account information: name, email address, and password.
• Profile information: business name, business type, business address, and phone number (if you choose to provide it).
• Subscription and payment information: billing name, billing address, payment method details, and transaction history. We do not store full payment card numbers; payment information is processed and stored by Stripe.
• Communications: messages you send to support, feedback, and any other content you submit through the Service.

2.2 Business and operational data you store

When you use the Service to manage your business, you upload data such as:

• Permit, license, and certification details, including issuing authority, document numbers, issue and expiration dates, and uploaded copies of the underlying documents.
• Fleet unit details, including vehicle types, identifying details, locations, and images.
• Menu items, descriptions, pricing, allergen information, and item images.
• Event details, including event names, dates, locations, and event-related documents.
• Spending and financial summaries, which may include invoice data, expense categories, and totals.
• Notes, custom fields, and any other content you choose to enter.

2.3 Personnel data (information about your employees)

The Service allows you to record information about your employees and other personnel, including names, contact information, photographs, and credentials. This information is uploaded by you and is processed by us on your behalf in accordance with these Terms and your responsibilities as the controller of that information. See Section 11.

2.4 Automatically collected information

When you use the Service, we and our subprocessors automatically collect:

• Device and connection data: IP address, browser type and version, device type, operating system, time zone, and referring URL.
• Usage data: pages viewed, features used, actions taken (such as document uploads, scans, and reminders sent), session duration, error logs, and timestamps.
• Authentication metadata: login attempts, session tokens, and security events.
• Cookies and similar technologies: see Section 8.

2.5 Communications data

We log the fact that we have sent you email or SMS notifications, including delivery and bounce status, but we do not log the content of those notifications beyond what is necessary for operation and audit.

3. How We Use Information

We use the information we collect to:

• Provide, operate, maintain, and improve the Service.
• Create, secure, and manage your account.
• Process payments and manage subscriptions.
• Send reminders, alerts, and other notifications you have configured.
• Provide customer support and respond to your inquiries.
• Detect, investigate, and prevent fraud, abuse, security incidents, and violations of our policies.
• Comply with legal obligations and respond to lawful requests.
• Analyze usage patterns to improve features, fix bugs, and inform product decisions, typically using aggregated or de-identified data.
• Communicate with you about service updates, new features, security advisories, and, where you have opted in, marketing communications.

We do not use AI to make automated decisions that produce legal or similarly significant effects about you.

4. AI Processing

The Service includes AI-powered features that scan, classify, and extract data from documents you upload (the "Document Scanner"). To provide these features, the document image or PDF and a minimal set of extraction instructions are transmitted to Google's Gemini API, which performs the analysis and returns extracted text and structured data fields to us.

Google processes these inputs in accordance with its Gemini API terms and the data-handling commitments that apply to paid API usage. To the best of our understanding, content submitted through the paid Gemini API is not used to train Google's generally available models. We do not control Google's processing of data once it is in transit to or being processed by Google. If you do not want your documents transmitted to a third-party AI provider, do not use the Document Scanner feature; you may enter document details manually instead.

We do not use Your Content to train artificial intelligence models for our own benefit, and we do not authorize our subprocessors to use Your Content to train generally available AI models.

5. How We Share Information

We do not sell your personal information.

We share information only as follows:

• With service providers (subprocessors) that help us operate the Service, subject to confidentiality and data-protection obligations. See Section 6 for the current list.
• With you and your authorized users through normal use of the Service.
• With third parties when you direct us to share, such as when you initiate an integration or export.
• For legal reasons, when we believe in good faith that disclosure is required to comply with a law, regulation, legal process, or governmental request, to protect the safety of any person, to address fraud or technical or security issues, or to protect our rights, property, or operations.
• In connection with a business transaction, such as a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, in which case information may be transferred or disclosed as part of due diligence and post-transaction processing. We will notify you of any such transfer that affects your data.

6. Subprocessors and Third-Party Services

We use the following service providers to operate the Service. Each is contractually obligated to handle data in accordance with our instructions and applicable law.

• Vercel: Hosting and edge compute. Processes site traffic, IP addresses, and HTTP headers.
• Supabase: Database, authentication, and file storage. Processes account data, business and personnel data, and uploaded files.
• Cloudflare: DNS, content delivery, and network security. Processes IP addresses, requests, and security events.
• Stripe: Payment processing and subscription management. Processes billing details, payment information, and transaction history.
• Resend: Transactional and notification email delivery. Processes email address and message metadata.
• Twilio: SMS notification delivery, where enabled. Processes phone number and message metadata.
• Google (Gemini API): AI document scanning and data extraction. Processes documents you submit to the Document Scanner.

We may add, replace, or remove subprocessors over time as the Service evolves. Material changes will be communicated in updated versions of this Privacy Policy.

7. Data Security

We implement administrative, technical, and physical safeguards designed to protect your information, including:

• Encryption in transit (TLS) for all data moving between your device and the Service.
• Encryption at rest for data stored with our database and storage providers.
• Authentication and access controls, including hashed passwords and session tokens.
• Role-based access controls limiting which staff members and providers can access user data.
• Rate limiting and abuse-detection mechanisms.
• Regular review of dependencies, providers, and security posture.

No method of transmission or storage is fully secure. We cannot guarantee absolute security, but we work to maintain industry-standard practices appropriate to the size and nature of our Service. If we become aware of a security incident affecting your personal information, we will notify you and applicable authorities in accordance with applicable law.

8. Cookies and Similar Technologies

The Service uses cookies and similar technologies for essential functions such as authentication, session management, and security. We do not use third-party advertising cookies or tracking pixels for advertising. We may use first-party analytics or product-analytics cookies to understand how the Service is used and to improve features. You can control cookies through your browser settings; disabling essential cookies will impair the Service.

9. Data Retention

We retain your information for as long as your account is active and for as long as needed to provide the Service. After you delete your account or after termination:

• Active business data, personnel records, and uploaded files are retained for at least thirty (30) days to allow you to export data and to recover from accidental deletion.
• After the retention period, your data is deleted from active systems. Backup copies are typically retained for an additional limited period (generally up to ninety (90) days) before automatic deletion.
• Some records may be retained longer where required by law (such as financial records for tax and audit purposes), where needed to resolve disputes or enforce our agreements, or in de-identified form for analytics.

10. Your Privacy Rights

Depending on where you live, you may have specific rights regarding your personal information. We honor the following rights regardless of jurisdiction, subject to verification of your identity and reasonable limits permitted by law:

• Access: request a copy of the personal information we hold about you.
• Correction: ask us to correct inaccurate or incomplete information. Most fields are editable directly in the application.
• Deletion: request deletion of your account and associated personal information.
• Portability: request a structured export of your data.
• Opt-out of marketing: unsubscribe from marketing email or reply STOP to marketing SMS at any time.
• Object to or restrict processing: ask us to limit how we process your information in certain circumstances.

To exercise any of these rights, contact us at contact@credentialert.com from the email address associated with your account. We will respond within the period required by applicable law (typically forty-five (45) days under U.S. state privacy laws). We do not discriminate against you for exercising any of these rights.

10.1 Residents of California

Under the California Consumer Privacy Act and California Privacy Rights Act (collectively, "CCPA"), California residents have additional rights, including the right to know what personal information we collect and share, the right to delete personal information, the right to correct inaccurate personal information, and the right to opt out of the sale or sharing of personal information. We do not sell or share personal information as those terms are defined under the CCPA. We do not use sensitive personal information for purposes that would trigger the right to limit use. You may authorize an agent to make a request on your behalf, subject to verification.

10.2 Residents of other U.S. states with comprehensive privacy laws

If you reside in a U.S. state with a comprehensive privacy law, including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Delaware, New Hampshire, New Jersey, Indiana, Kentucky, Maryland, Minnesota, Nebraska, or Rhode Island, you have rights similar to those described in Section 10 above. You may submit a request through the contact information below. If we deny your request, you may appeal by replying to our response within a reasonable period.

10.3 Residents of the European Economic Area, United Kingdom, and Switzerland

The Service is provided from the United States and is intended for U.S. customers. If you choose to use the Service from outside the United States, you understand that your information will be processed in the United States and other jurisdictions where our subprocessors operate. Where applicable, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses) to protect your information.

11. Personnel and Third-Party Data

When you upload information about your employees or other individuals, you are responsible for ensuring that you have a lawful basis to collect and share that information with us, and for providing those individuals with required notices and rights. CredentiAlert processes this information solely to provide the Service to you and in accordance with your instructions. If an individual whose information you uploaded contacts us directly, we will direct them to you as the controller of their information, except where applicable law requires us to respond directly.

12. Children's Privacy

The Service is intended for adults age 18 and older operating or working at a business. We do not knowingly collect personal information from children under 18. If you believe a child has provided personal information to us, contact us and we will delete it.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top indicates when this Policy was last revised. For material changes that affect how we collect, use, or share personal information, we will provide reasonable advance notice via email or in-app notification. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy.

14. Contact

Questions, requests, complaints, or comments about this Privacy Policy can be sent to contact@credentialert.com.

© 2026 CredentiAlert. All rights reserved.