Legal

Privacy Policy

Last updated July 15, 2026. This policy explains what personal data Credorz processes, why, and the choices you have.

1. Who we are

Credorz operates a business identity, verification, and trust platform. When we say "we", "us", or "Credorz" in this policy, we mean the Credorz entity that provides the service to you. For data protection questions, contact privacy@credorz.com.

2. Data we collect

We only collect data we need to run verification, issue and maintain Business Passports, secure the platform, and meet our legal obligations.

Data you provide
Account details (name, work email, company affiliation), company registration and ownership information, and the verification documents you upload (e.g. trade licenses, incorporation certificates, shareholder records).
Data from verification
Results of KYC, KYB, UBO, AML, sanctions, and PEP checks performed on representatives, directors, and beneficial owners — including the provenance and confidence of each result.
Usage and technical data
Product usage telemetry, IP address, device and browser information, and session metadata used to secure and improve the platform.
Communications
Records of messages you send us (support, contact, press) and notifications we send you.

3. How we use data

We process personal data for these legitimate, documented purposes:

  1. Operating verification workflows and computing the Trust Index.
  2. Issuing, maintaining, and sharing Business Passports at your direction.
  3. Securing the platform — authentication, fraud detection, audit logging, and incident response.
  4. Providing customer support and operating notifications.
  5. Improving product quality, reliability, and coverage.
  6. Meeting legal, regulatory, and compliance obligations, including record-keeping and law-enforcement requests where legally required.

4. Legal basis

Where the GDPR or equivalent laws apply, we rely on the following legal bases:

  • Performance of a contract — to provide the account and verification services you requested.
  • Legal obligation — to meet KYC/AML and record-keeping requirements.
  • Legitimate interests — to secure the platform and improve the service, balanced against your rights.
  • Consent — for optional communications and any non-essential analytics, which you can withdraw at any time.

5. Sharing and recipients

We do not sell personal data. We share it only as described here:

  • Processors — infrastructure, storage, and AI providers that help us run Credorz, under contractual safeguards and only to provide the service. See our Data Processing page for the subprocessor overview.
  • Counterparties — only when you explicitly publish or share a Passport. You control what each view exposes through field-level data classification.
  • Authorities — where required by law, court order, or to meet KYC/AML obligations.
  • Business transfers — in connection with a merger, acquisition, or asset sale, subject to confidentiality and this policy.

6. International transfers

Credorz operates across borders, so your data may be processed outside your country of residence. Where this happens, we use appropriate safeguards such as standard contractual clauses, adequacy decisions, or other lawful transfer mechanisms, and we require the same of our processors.

7. Data retention

We keep personal data only as long as necessary for the purposes above and to meet legal requirements.

Active accounts
Kept while your account is active and for a defined period after closure.
Verification records
Retained for the period required by KYC/AML regulations in the relevant jurisdiction.
Audit log
Append-only and retained for the platform's regulatory and integrity period.
Documents
Stored while needed for verification and compliance; deletion requests honored where legally permitted.
Some records cannot be deleted on request because KYC/AML and audit-obligation laws require us to retain them. We will tell you if this applies.

8. Your rights

Depending on your jurisdiction (including the GDPR and UAE PDPL), you may have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion, subject to legal retention obligations.
  • Restriction — ask us to limit processing in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent — for any processing that relies on it.
  • Complain — to your local data protection authority.

9. Exercising your rights

To exercise any right, email privacy@credorz.com. We verify your identity before acting, respond within the period required by law (usually one month), and explain any restrictions.

10. Security

Security is central to how Credorz is built:

  • Field-level data classification governs what each viewer can see.
  • Documents are stored in encrypted object storage; file bytes never live in the database.
  • Sessions are revocable, device-labeled, and JWT-validated on every request.
  • Every sensitive action is recorded in a tamper-evident, hash-chained audit log.
  • AI access to company data passes through a single context gateway that minimizes PII and logs every retrieval.

11. Children's data

Credorz is a business platform and is not intended for individuals under 18. We do not knowingly collect personal data from children. If you believe we have done so in error, contact privacy@credorz.com.

12. Changes to this policy

We may update this policy as the platform evolves. We'll indicate the "Last updated" date above and notify users of material changes through the product or by email.