Privacy Policy

Last Updated: January 17, 2026

The Short Version

We know privacy policies aren't exactly thrilling reading. Before diving into the details, here's what matters most:

We never sell your data. Our revenue comes from subscriptions, not from monetizing your information. Your financial data will never be sold to advertisers, data brokers, or any third party.
We never see your bank password. When you connect your accounts, your login credentials go directly to Plaid (our secure financial data partner), not to us. We cannot access your bank login information.
You're in control. You can view, export, or delete your data at any time. When you delete your account, we remove your data from our systems — no tricks, no hidden retention.
Bank-level security. Your data is protected with the same encryption standards used by major financial institutions (AES-256 encryption at rest, TLS 1.3 in transit).

Now, for the complete details...

About This Policy

CrediVitals ("we," "our," or "us") is operated by ILSA Industries LLC. We built this app to help you manage your credit cards smarter — track balances, view transaction history, gain expense insights, avoid interest, and never miss a payment.

This Privacy Policy explains in detail what information we collect, why we need it, how we use it, who we share it with, and how we protect it. This policy applies to our mobile application, website, and all related services (collectively, the "Service").

By using CrediVitals, you agree to the collection and use of information as described in this policy. If anything is unclear, reach out to us at privacy@credivitals.com — we're happy to explain.

Information We Collect

We only collect information that's necessary to provide and improve the Service. Here's a comprehensive breakdown:

1. Information You Provide Directly

Account Registration: When you create an account, we collect your email address and display name. Your email is used for account verification, password resets, payment reminders, and important service communications.
Authentication Credentials: If you use password-based login, your password is securely hashed using industry-standard algorithms (bcrypt) — we never store your actual password. If you use passkeys (WebAuthn), your biometric data stays on your device and is never transmitted to us.
Profile Information: Any optional profile details you choose to add, such as notification preferences or display settings.
Support Communications: When you contact us for help, we collect your messages, email address, and any information you choose to share to resolve your issue.
Feedback and Surveys: If you participate in surveys or provide feedback, we collect your responses to improve our Service.

2. Financial Information (via Plaid)

When you connect your financial accounts through Plaid, we receive:

Account Details: Account names, masked account numbers (only last 4 digits), account type (credit card, etc.), and institution name.
Balance Information: Current balance, available credit, credit limit, and utilization percentage.
APR and Interest Data: Annual percentage rates (purchase APR, balance transfer APR, cash advance APR) when available from your institution.
Payment Information: Minimum payment due, payment due dates, and last payment amount and date.
Transaction History: Individual transaction details including descriptions, amounts, dates, merchant names, and transaction categories. We use Plaid's Transactions product to retrieve this data, enabling comprehensive expense tracking, spending analysis, and personalized financial insights.

Important: Your bank login credentials (username and password) are transmitted directly to Plaid using bank-level encryption. We never see, receive, or store your banking passwords.

3. Information Collected Automatically

Device Information: Device type, model, operating system and version, unique device identifiers, and mobile network information.
App Usage Data: Features you use, screens you visit, actions you take within the app, time spent on features, and interaction patterns.
Performance Data: App launch times, load times, crash reports, error logs, and diagnostic information to help us fix bugs and improve performance.
Log Data: IP address, access times, referring URLs, and browser type when accessing our website.

How We Use Your Information

We use your information for the following purposes:

1. Providing Core Service Features

Display your credit card accounts, balances, and credit limits
Calculate and show your credit utilization across all cards
Display APR information and calculate estimated interest charges
Display your complete transaction history from linked accounts
Categorize transactions and analyze your spending patterns
Provide expense insights showing where your money goes by category, merchant, and time period
Send payment due date reminders and alerts
Provide personalized insights about your credit card usage and spending habits

2. Communications

Send transactional emails (account verification, password resets)
Deliver payment reminders and due date notifications
Respond to your support requests and inquiries
Send important service announcements and security alerts
With your permission, send product updates and tips

3. Service Improvement

Analyze usage patterns to improve features and user experience
Identify and fix bugs, crashes, and performance issues
Develop new features based on user needs
Conduct research and analytics (using aggregated, anonymized data)

4. Security and Legal

Protect against fraud, abuse, and unauthorized access
Verify your identity and authenticate your account
Comply with applicable laws, regulations, and legal processes
Enforce our Terms of Service and protect our rights

We Never Sell Your Data

Let's be crystal clear: we will never sell, rent, or trade your personal information or financial data to third parties. Period.

Unlike many free apps that monetize by selling user data or showing targeted ads, CrediVitals is funded entirely by subscription revenue. This means:

Your financial data stays private and is never monetized
We don't share your information with advertisers
We don't sell your data to data brokers or marketing companies
We don't use your financial data to market products to you
We don't share your spending habits with anyone for commercial purposes

Your trust is our business model. When you pay for CrediVitals, you're the customer — not the product.

Who We Share Data With

We only share your information in limited circumstances with trusted partners who help us operate the Service:

1. Plaid Inc. (Financial Data Provider)

Plaid securely connects CrediVitals to your financial institutions. When you link an account, your bank credentials are transmitted directly to Plaid using bank-level encryption. Plaid is a leading financial technology company trusted by thousands of apps and banks. They are SOC 2 Type II certified and comply with strict security standards.

We use the following Plaid products:

Plaid Transactions: To retrieve your transaction history, including merchant names, amounts, dates, and categories for expense tracking and spending insights
Plaid Liabilities: To retrieve credit card account details including balances, credit limits, APR, minimum payments, and due dates
What they receive: Your bank login credentials (encrypted, not stored by us)
What we receive from them: Account balances, full transaction history, APR, due dates, and credit card details
Privacy Policy: https://plaid.com/legal/privacy-policy

2. Sentry (Error Monitoring)

Sentry helps us identify and fix crashes and errors in the app. They receive technical diagnostic information only — never your financial data, account details, or personal information.

What they receive: Crash reports, error logs, device info, app performance data
What they don't receive: Financial data, transactions, balances, personal info
Privacy Policy: https://sentry.io/privacy/

3. Amazon Web Services (AWS) - Cloud Infrastructure

Our application runs on AWS, which provides secure, enterprise-grade cloud infrastructure. AWS is SOC 2 compliant and meets the highest security standards.

Your data is stored in encrypted AWS databases in the United States
AWS provides the infrastructure but does not access your data
Privacy Policy: https://aws.amazon.com/privacy/

4. Legal and Safety Disclosures

We may disclose your information if required to:

Comply with applicable laws, regulations, or legal processes
Respond to lawful requests from government authorities
Protect the rights, property, or safety of CrediVitals, our users, or others
Enforce our Terms of Service or investigate potential violations
Detect, prevent, or address fraud, security, or technical issues

5. Business Transfers

If CrediVitals is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice in the app before your information becomes subject to a different privacy policy.

How We Protect Your Data

We implement comprehensive security measures to protect your information:

Encryption

In Transit: All data transmitted between your device, our servers, and third parties is encrypted using TLS 1.3, the latest and most secure transport protocol.
At Rest: All stored data is encrypted using AES-256, the same standard used by banks and government agencies for classified information.

Authentication Security

Passkeys (WebAuthn): We support passwordless authentication using biometrics (Face ID, Touch ID, fingerprint). Your biometric data never leaves your device — only a cryptographic key is used for verification.
Password Hashing: If you use a password, it's hashed using bcrypt with salt. We never store your actual password.
Session Management: Secure session tokens with automatic expiration and refresh mechanisms.

Infrastructure Security

AWS Security: Our infrastructure runs on Amazon Web Services with enterprise-grade security controls, including VPC isolation, security groups, and encrypted storage.
Database Security: PostgreSQL databases with encryption at rest, automated backups, and point-in-time recovery.
Access Controls: Strict role-based access controls limit who can access production systems. All access is logged and audited.

Operational Security

Regular security assessments and code reviews
Automated vulnerability scanning and dependency updates
Incident response procedures for potential security events
Employee security training and background checks

What We Don't Store

Your bank login credentials (handled directly by Plaid)
Full credit card numbers (only masked/last 4 digits)
Your biometric data (stays on your device)
Your actual password (only a secure hash)

Data Retention & Deletion

We retain your information only as long as necessary to provide the Service and fulfill the purposes described in this policy.

Retention Periods

Account Data: Retained while your account is active and for a reasonable period afterward to allow for reactivation.
Financial Data: Transaction history and account snapshots are retained while your account is active to provide historical tracking and insights.
Usage Analytics: Aggregated and anonymized analytics may be retained indefinitely for service improvement.
Support Communications: Retained for up to 3 years to provide context for future support requests.
Legal Requirements: Some data may be retained longer if required by law, regulation, or legal proceedings.

Account Deletion

You can delete your account at any time through Settings → Account → Delete Account, or by emailing privacy@credivitals.com. When you request deletion:

Immediate: Your account is deactivated and you lose access to the Service.
Within 24 hours: Your Plaid connections are revoked, stopping any further data syncing from your financial institutions.
Within 7 days: Your personal data and financial information are permanently deleted from our active databases.
Within 30 days: Your data is purged from all backup systems.

Note: We may retain anonymized, aggregated data that cannot be linked back to you. We may also retain data necessary to comply with legal obligations or resolve disputes.

Your Privacy Rights

You have significant control over your personal information. Depending on your location, you have the following rights:

Right to Access

You can request a copy of all personal data we hold about you. We'll provide this in a commonly used, machine-readable format (such as JSON or CSV) within 45 days.

Right to Correction

If any of your personal information is inaccurate or incomplete, you can request that we correct or update it. You can also update most information directly in the app settings.

Right to Deletion

You can request that we delete your personal data. We'll honor this request unless we need to retain certain data for legal compliance or legitimate business purposes.

Right to Data Portability

You can request your data in a portable, structured format that allows you to transfer it to another service.

Right to Opt-Out

Unsubscribe from marketing emails using the link in any email
Disable push notifications in your device settings
Disconnect financial accounts at any time in the app

Right to Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. You won't receive different pricing, service quality, or treatment.

How to Exercise Your Rights

Email us at privacy@credivitals.com
Use the in-app settings for many self-service options
We respond to all requests within 45 days
We may verify your identity before processing requests

State-Specific Privacy Rights

Depending on where you live, you may have additional rights under state privacy laws:

California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to:

Know what personal information we collect and why
Access your personal information
Request deletion of your personal information
Correct inaccurate personal information
Opt out of the sale or sharing of personal information (we don't sell data)
Limit use of sensitive personal information (we only use it to provide the Service)
Non-discrimination for exercising your rights

California residents may designate an authorized agent to make requests on their behalf. We do not sell personal information and have not done so in the past 12 months.

Virginia Residents (VCDPA)

Under the Virginia Consumer Data Protection Act, you have the right to access, correct, delete, and obtain a copy of your personal data. You can also opt out of targeted advertising (we don't do targeted advertising) and profiling.

Colorado Residents (CPA)

Under the Colorado Privacy Act, you have similar rights to access, correct, delete, and port your data. You can also opt out of targeted advertising and profiling.

Connecticut Residents (CTDPA)

Under the Connecticut Data Privacy Act, you have rights to access, correct, delete, and obtain your data, plus the right to opt out of targeted advertising and sales.

Utah Residents (UCPA)

Under the Utah Consumer Privacy Act, you have rights to access, delete, and port your data, and to opt out of targeted advertising and sales.

New York Residents

You may request information about data we share with third parties for direct marketing purposes. Since we don't share data for marketing, there is none to report.

Appeal Process

If we deny your privacy rights request, you can appeal by emailing privacy@credivitals.com with "Appeal" in the subject line. We'll review and respond within 60 days. If you're still unsatisfied, you may contact your state's Attorney General.

International Data Transfers

CrediVitals is based in the United States, and your data is stored and processed in the United States. If you're using the Service from outside the US, please be aware that your information will be transferred to and processed in the US, where data protection laws may differ from your country.

By using CrediVitals, you consent to this transfer. We ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy.

Children's Privacy

CrediVitals is designed for adults managing their own finances. The Service is not intended for anyone under 18 years of age. We do not knowingly collect personal information from children under 18.

If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately at privacy@credivitals.com. We will promptly delete such information from our systems.

If we discover that we have collected personal information from a child under 18, we will delete that information as quickly as possible.

Third-Party Links and Services

The Service may contain links to third-party websites, apps, or services that are not operated by us. This includes links to your financial institutions and our service providers' websites.

We have no control over and assume no responsibility for the content, privacy policies, or practices of third-party sites or services. We encourage you to review the privacy policy of every site you visit.

Your interactions with third-party services are governed by their respective privacy policies, not this one.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

How We'll Notify You

We'll update the "Last Updated" date at the top of this policy
For material changes, we'll notify you via email
We may also display a notice within the app
For significant changes affecting your rights, we may ask for your consent

Your Continued Use

If you continue to use CrediVitals after we post changes to this policy, you accept the updated terms. If you don't agree with the changes, you should stop using the Service and delete your account.

We encourage you to periodically review this policy to stay informed about how we protect your information.

Contact Us

We're here to help with any questions or concerns about your privacy.

For Privacy Inquiries:

Email: privacy@credivitals.com

For General Support:

Email: support@credivitals.com

Business Address:

ILSA Industries LLC

New York, NY

United States

We aim to respond to all privacy-related inquiries within 2 business days and will address formal rights requests within 45 days as required by law.
