This Privacy Policy ("Policy") describes how Creda Technologies, LLC ("Creda Technologies," "we," "our," or "us") collects, uses, discloses, and protects information in connection with our digital identity, credential governance, compliance tokenization, and related infrastructure services (the "Services").
Creda Technologies provides enterprise-grade infrastructure for identity-bound credentials, compliance mobility, and cross-institution trust. Our products include Creda Protocol, Creda Registry, Creda 1, and related applications, APIs, SDKs, and verification interfaces (collectively, the "Creda Family"). This Policy applies to all websites, applications, portals, and service offerings where it is posted or referenced.
This Policy is written with the expectations of healthcare (HIPAA/HITECH), aviation (TSA/DHS), financial services (SEC/FINRA/BSA), and government sectors in mind, and is intended to align with prevailing privacy and security frameworks such as GDPR, CCPA, NIST 800-63, and ISO/IEC 27001/27701.
By accessing or using the Services, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, you must not use the Services.
1. Scope of This Policy
This Policy governs information we collect when:
- You visit sites under the Creda Technologies domain portfolio (including credatech.io, credaprotocol.com, credaregistry.com, creda1.com, and related subdomains).
- You interact with the Creda Protocol, Creda Registry, Creda 1, or related APIs, SDKs, verification flows, or governance portals.
- You engage with us as an operator, institution, developer, advisor, contractor, clinician, airport/aviation personnel, financial services professional, regulator, or similar stakeholder.
This Policy does not apply to:
- Information processed solely on behalf of an enterprise customer where Creda acts as a service provider or processor under a separate agreement.
- Information held exclusively by an employer, hospital system, airport authority, financial institution, or government agency using our Services.
- Data stored within independent identity providers, background check vendors, credentialing platforms, EMR/EHR systems, or physical access control systems not operated by Creda Technologies.
- Biometric hardware or local devices fully controlled by third-party organizations.
In those cases, the organization controlling the data is generally responsible for compliance, and their privacy notices govern their handling of personal data.
2. Definitions
For clarity in regulated environments, we use the following definitions:
- “Personal Information” (PI) means any information relating to an identified or identifiable natural person.
- “Sensitive Personal Information” (SPI) includes, as applicable: government-issued identifiers, professional licensure numbers, biometric indicators (if processed), background check results, security clearance data, certain health-related credential elements, financial compliance attributes, and location-based access information.
- “De-Identified Information” means data that has been processed to remove identifiers in a manner consistent with applicable de-identification standards (e.g., HIPAA, GDPR, or similar frameworks).
- “Credential Data” means licensing, certification, privileging, suitability, clearance, or compliance-related information.
- “Compliance Token” means a cryptographically structured data object representing eligibility, licensing state, or regulatory status.
- “Identity-Bound Data” means credential information associated with a verified identity or proof-of-human uniqueness.
- “Controllers” and “Processors” have the meanings assigned under the EU/UK GDPR and similar laws.
- “Zero-Knowledge Proof (ZKP) Data” means information used to construct, verify, or maintain cryptographic proofs without exposing underlying raw data.
- “Operational Logs” means logs and metadata generated automatically through system use (e.g., access checks, token verification events, audit trail events).
- “Enterprise Customer” means any organization using Creda Technologies infrastructure or products.
3. Information We Collect
The information we collect will depend on how you interact with the Creda Family.
3.1 Information You Provide Directly
You may provide information directly when, for example, you create an account or profile, submit a contact form, request integration or pilot access, participate in the Advisory Council, or interact with a credential onboarding or verification workflow.
This can include:
Identity Information
- Full name.
- Work or institutional email address.
- Employer or institutional affiliation.
- Role and title.
- Contact details such as phone number.
- Identity verification confirmations (e.g., "verified human," "verified operator").
Credential & Compliance Information
- Professional license or certification numbers and issuing authorities.
- Expiration dates and status indicators (active, suspended, restricted, expired).
- Background check confirmations or suitability determinations (high-level outcomes, not full reports).
- Privileging, clearance, or workforce compliance states relevant to regulated roles.
- Training or continuing education completion states where required by an employer or regulator.
During pilots or integrations, we may also receive workflow descriptions and process details relating to how your institution manages identity, credentialing, and compliance today.
3.2 Information We Collect Automatically
Device & Technical Data
- IP address and approximate location (at the city/region level where permitted).
- Browser type and version, operating system, and device type.
- Referring URLs and pages visited.
- Time and date of access, session duration, and interaction patterns.
- Error logs and performance metrics.
Operational & Security Metadata
- Records of verification events (e.g., "credential token verified successfully").
- Token issuance, refresh, and revocation events.
- Access control outcomes (e.g., "eligible" or "not eligible" for a specific role).
- Audit trail entries showing who performed which action, when, and under which rules.
Cookies & Similar Technologies
We use cookies and similar technologies to maintain secure sessions, provide basic analytics, and ensure reliable operation of portals and verification flows. We do not use advertising cookies.
3.3 Information We Receive from Third Parties
We may receive information from enterprise customers and selected third parties, such as:
- Identity verification providers.
- Credentialing vendors or software platforms.
- Background check and screening providers.
- Healthcare systems and provider networks.
- Aviation security and access control systems.
- Financial compliance platforms or KYC/KYB providers.
- Regulatory or licensing databases.
Data received from third parties is handled in accordance with this Policy, any applicable data protection addenda, and the governing contracts with those parties.
4. How We Use Information
We use Personal Information and Credential Data to:
4.1 Provide and Operate the Services
- Verify identity and bind identities to credentials and compliance tokens.
- Issue, validate, and revoke compliance tokens and credential representations.
- Maintain registries and anchors for credential state, revocation, and audit trails.
- Support secure, logged access to portals, APIs, and verification endpoints.
- Provide customer support and respond to inquiries.
4.2 Support Regulatory, Security, and Audit Requirements
- Help enterprise customers demonstrate compliance during audits and reviews.
- Investigate suspicious or fraudulent activity and mitigate security risks.
- Comply with legal and regulatory obligations in relevant jurisdictions.
- Preserve records where required by law, regulation, or contract.
4.3 Improve, Research, and Develop
- Enhance the reliability, performance, and security of the Creda Family.
- Design and test new features, including zero-knowledge proof workflows and rules engines.
- Conduct internal research using de-identified and aggregated data where possible.
- Inform standards development for digital identity and credential governance.
4.4 Communicate with You
- Respond to questions about pilots, integrations, governance, or advisory participation.
- Provide updates about changes to the Services or this Policy.
- Notify you, where appropriate, of security incidents, credential issues, or regulatory impacts.
5. How We Share Information
We do not sell Personal Information. We may share Personal Information in the following limited ways:
5.1 With Enterprise Customers
If you interact with the Services as part of a hospital system, provider network, airport, financial institution, agency, or other organization, we may share:
- Credential verification outcomes and token states relevant to your role.
- Identity-bound eligibility or compliance confirmations.
- Audit logs or access records where necessary for compliance or investigations.
Enterprise customers are responsible for their own internal use of such information in accordance with their legal and regulatory obligations.
5.2 With Service Providers
We use trusted third-party vendors to support hosting, security, logging, analytics, and related operations. These providers may have access to Personal Information solely to perform services on our behalf and are required to protect it under appropriate contractual and technical safeguards.
5.3 For Legal, Security, and Regulatory Reasons
We may disclose information when we believe it is necessary to:
- Comply with applicable laws, regulations, subpoenas, or legal processes.
- Cooperate with law enforcement or regulators, where authorized or required.
- Protect the rights, property, or safety of Creda Technologies, our customers, or the public.
- Investigate, prevent, or respond to suspected fraud, security incidents, or misuse of the Services.
5.4 During Corporate Events
In the event of a merger, acquisition, financing, or sale of all or part of our business, Personal Information may be transferred to another entity, subject to appropriate confidentiality and regulatory constraints.
6. How We Protect Information
We maintain a security program designed for high-stakes sectors where identity, credentials, and compliance must be correct the first time. Safeguards may include:
- Encryption of data in transit and at rest.
- Strict access control and role-based permissions.
- Network segmentation and zero-trust security principles.
- Multi-factor authentication for privileged access.
- Comprehensive logging and monitoring of system activity.
- Regular vulnerability assessments and penetration testing.
- Vendor risk management and contractual safeguards for processors.
No system can be guaranteed 100% secure. However, we design and operate Creda infrastructure with the assumption that our customers operate under regulatory scrutiny and audit expectations.
7. Biometric Information
To the extent Creda Technologies interacts with biometric signals as part of identity-bound workflows (for example, integrating with proof-of-human systems), we follow these principles:
- We do not require storage of raw biometric images where not strictly necessary.
- We favor architectures that use cryptographic attestations or pseudonymous identifiers rather than direct biometric templates.
- Biometric-related processing is subject to additional safeguards and, where applicable, specific biometric privacy laws.
- Where Creda operates purely as a processor of biometric-related data, the enterprise customer’s policies and consents also apply.
8. Data Retention
We retain Personal Information, Credential Data, and Operational Logs for as long as reasonably necessary to:
- Provide the Services and operate the Creda Family.
- Support enterprise customers’ regulatory, audit, and compliance obligations.
- Comply with applicable laws and contractual requirements.
- Resolve disputes and enforce our agreements.
Credential revocation data, compliance tokens, and audit trails may be retained longer in order to preserve the integrity and evidentiary value of compliance records.
9. International Data Transfers
Where Personal Information is transferred across borders, we implement appropriate safeguards, which may include:
- Standard Contractual Clauses (SCCs) or similar mechanisms.
- Additional technical safeguards such as encryption and key management controls.
- Risk assessments consistent with applicable data protection laws.
10. Your Privacy Rights
Depending on your location and applicable law, you may have certain rights regarding your Personal Information, including:
- The right to request access to the Personal Information we hold about you.
- The right to request correction of inaccurate or incomplete information.
- The right to request deletion of your information, subject to legal and contractual limits.
- The right to object to or restrict certain types of processing.
- The right to data portability in some circumstances.
- The right to withdraw consent where processing is based on consent.
- The right to lodge a complaint with a data protection authority.
To exercise these rights, contact us using the information in the Contact Us section below. We may need to verify your identity before fulfilling your request, and certain rights may be limited where we are required to retain data for regulatory, security, or contractual reasons.
11. Children’s Privacy
The Services are not directed to children under 18, and we do not knowingly collect Personal Information from individuals under 18. If we become aware that we have collected such information, we will take reasonable steps to delete it or to work with the relevant enterprise customer to address the issue.
12. Third-Party Services and Links
The Services may include links to third-party websites, applications, or services that we do not control. This Policy does not apply to those third-party properties. We encourage you to review the privacy notices of any third-party services you access.
13. Changes to This Policy
We may update this Policy from time to time to reflect changes in our Services, applicable laws, or other operational needs. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, provide additional notice.
Your continued use of the Services after any update constitutes your acceptance of the revised Policy.
14. Contact Us
If you have questions about this Policy or our privacy practices, you may contact us at:
Creda Technologies, LLC
7901 4th St N, Suite 300
St. Petersburg, FL 33702
Tel: 561.741.3000
Email: privacy@credahq.com