Privacy Policy

Last updated: April 2026

1. Introduction

Credo ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our background screening services (the "Service").

This Privacy Policy is divided into two parts. The first applies to individuals whose names are submitted for screening by our business customers ("Customers"). The second applies to our Customers and visitors to our website.

Please read this Privacy Policy carefully. By using our Services, you consent to the data practices described in this policy.

2. Privacy Policy for Individuals Being Screened

Our Customers use Credo to screen individuals against watchlists as part of their compliance obligations (AML, KYC, sanctions screening). When a screening is performed:

  • Data collected: Name, date of birth, nationality, and optionally address and identification numbers, as provided by the Customer
  • How it's used: Matched against publicly available government and international watchlist databases to determine if a match exists
  • Data retention: Screening records are retained for 7 years to comply with AML/KYC regulatory requirements
  • Data sharing: Screening results are returned to the Customer who initiated the request. We do not share your data with any other third party

Credo acts as a data processor on behalf of our Customers. The Customer is the data controller and is responsible for ensuring they have a lawful basis to submit your information for screening.

3. Privacy Policy for Customers and Website Visitors

Information We Collect

Account Information: When you register, we collect your name, email address, company name, and phone number (optional). This information is used to create your account, provide customer support, and communicate service updates.

Screening Data: When you perform a screening, we process the names and identifiers you submit. This data is used solely to match against our watchlist databases and return results to you.

Usage Data: We automatically collect information about how you use our service, including IP addresses, browser type, pages visited, API usage metrics, and screening volumes.

Payment Information: If you subscribe to a paid plan, payment information is processed by our third-party payment processor. We do not store credit card numbers on our servers.

4. How We Use Your Information

  • Provide and maintain the screening service
  • Process screening requests and return results
  • Manage your account and API access
  • Send transactional emails (account confirmation, screening alerts, usage notifications)
  • Enforce rate limits and usage quotas
  • Improve our matching algorithms and service quality
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

5. Data Retention

  • Screening records: Retained for 7 years (AML/KYC regulatory compliance)
  • Account information: Retained for as long as your account is active
  • Webhook delivery logs: Retained for 90 days
  • Usage logs: Retained for 12 months

You may request account deletion by contacting us at support@credoscreening.com. Note that screening records may be retained as required by law even after account deletion.

6. Data Security

We implement industry-standard security measures to protect your data:

  • All data transmitted over HTTPS/TLS encryption
  • API keys stored with cryptographic hashing
  • Webhook payloads signed with HMAC-SHA256 for authenticity verification
  • Database encryption at rest on Google Cloud Platform
  • Access controls, audit logging, and principle of least privilege
  • Regular security assessments and monitoring

7. Data Sharing

We do not sell your personal information. We may share data with:

  • Service providers: Google Cloud Platform (hosting), Neon (database), Resend (email delivery), Vercel (website hosting)
  • Legal requirements: When required by law, regulation, subpoena, or legal process
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with appropriate notice

8. Watchlist Data Sources

The screening data we match against is sourced from publicly available government and international organization databases. Our primary data source is OpenSanctions, which aggregates data from OFAC, EU, UN, UK, and 80+ other official sources.

We do not create or maintain proprietary watchlists. All screening data originates from official government publications and is updated automatically on a regular schedule.

9. Your Rights

Depending on your jurisdiction (GDPR, CCPA, PIPEDA), you may have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your personal data (subject to legal retention requirements)
  • Objection: Object to or restrict certain types of processing
  • Portability: Request your data in a machine-readable format
  • Withdraw consent: Where processing is based on consent, withdraw it at any time

To exercise these rights, contact support@credoscreening.com. We will respond within 30 days.

10. Cookies and Local Storage

We use essential cookies for authentication and session management. We use browser localStorage to track free-tier screening usage (daily limit counter) and authentication state. We do not use third-party advertising or tracking cookies.

11. Children's Privacy

Our Service is intended for business use and is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children.

12. International Data Transfers

Our services are hosted on Google Cloud Platform in North America. If you access the Service from outside North America, your data may be transferred to and processed in Canada or the United States. We ensure appropriate safeguards are in place for international data transfers.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or by posting a notice on our website at least 30 days before they take effect. Your continued use of the Service after changes constitutes acceptance.

14. Contact Information

If you have any questions about this Privacy Policy, please contact us at:

Email: support@credoscreening.com
Website: credoscreening.com
Address: Toronto, Ontario, Canada

Credo is a sister company of TrustCredo (Identity Verification).