How CredFlare collects, uses, and protects information about our customers, the people they verify, and visitors to our website.
This Privacy Policy explains how CredFlare ("we", "our", "the platform") handles personal information across three audiences: our customers (the institutions that use our verification services), verified individuals (the people whose identity, documents, or credentials are verified through our platform), and website visitors. Different sections apply to each audience, and where relevant we note which.
We are committed to GDPR, CCPA, Nigeria's NDPR, and the equivalent data-protection regimes in the jurisdictions we operate in. Where any local law grants you stronger rights than this policy, the local law applies.
When an institution uses CredFlare to verify a person's identity, document, or credential, we process the data they submit on behalf of that institution. This may include:
For verified individuals: the institution that initiated your verification is the data controller. CredFlare acts as the data processor, handling your information on the institution's instructions and under our Data Processing Addendum with them.
We use information for the following purposes:
We do not sell personal information. We do not use information for advertising profiling. We do not train identity-verification models on the personal data of verified individuals beyond what is strictly necessary for the verification they consented to.
We share information only as follows:
Verification records are retained for the period required by the customer's compliance profile and applicable regulation, typically five to seven years for KYC/AML purposes. Document images are encrypted at rest and may be deleted earlier at the customer's instruction.
Account and billing records for our customers are retained for the duration of the relationship plus the period required by tax and accounting law in the relevant jurisdiction.
Website analytics data is aggregated after 14 months. Marketing-list information is deleted on unsubscribe.
Depending on where you live, you may have the right to:
For verified individuals: many of these rights are best exercised through the institution that initiated your verification, since they are the data controller. We will assist them in responding to your request. You can also contact us directly at privacy@credflare.net and we will route appropriately.
We implement industry-standard security controls: encryption in transit and at rest, role-based access control with audit logging, regular penetration testing, and ongoing SOC 2 Type II compliance. We notify customers and affected individuals of any security incident affecting their data within the timelines required by applicable law.
CredFlare operates infrastructure in multiple regions. Where personal information is transferred across jurisdictions, we rely on Standard Contractual Clauses, adequacy decisions, or equivalent legal mechanisms to ensure protection equivalent to the source jurisdiction.
Our website uses a small set of cookies for authentication, security, and basic analytics. We do not use third-party advertising cookies. You can disable non-essential cookies in your browser settings; the site will continue to function.
Our services are not directed at children under 16 and we do not knowingly collect personal information from them. Where a verification involves a minor (e.g. parental KYC for a youth account), it must be initiated by the parent or guardian and is governed by the customer institution's own policy.
We will update this policy as our services evolve and as the regulatory landscape changes. Material changes will be communicated to customers in advance and posted at the top of this page. The "Last updated" date above reflects the most recent revision.
Privacy questions, data subject requests, or complaints: privacy@credflare.net.
For our EU/EEA representative or our Data Protection Officer's contact details, please reach out and we will provide them.