Privacy Policy

Effective date: May 25, 2026  ·  Credit Decision API, LLC

This Privacy Policy describes how Credit Decision API, LLC ("Company," "we," "us," or "our") collects, uses, stores, and discloses information about you when you use our website at creditdecisionapi.com and our REST API (collectively, the "Service"). By using the Service, you agree to the practices described in this policy.

1. Information We Collect

Account Information

When you register for an account, we collect your name, email address, company name, and a bcrypt-hashed password. We never store your password in plaintext.

API Keys

We store your API key as a SHA-256 hash for authentication purposes and in AES-256-GCM encrypted form so it can be displayed in your dashboard. The plaintext key is only held in memory during the request in which it is generated or rotated and is never written to disk in plaintext.

Usage Data

We record the number of API calls made under your account, the endpoints called, and the timestamps of those calls. This data is used for billing and to display usage statistics on your dashboard.

Applicant Data You Submit

When you call the /api/v1/decision or /api/v1/score endpoints, you submit financial data about individuals (such as age, income, debt, and loan amount). We process this data solely to generate a credit decision response and return it to you. We do not store applicant-level data after the response is returned. We do not use applicant data for any purpose other than fulfilling your API request.

Billing Information

Payment processing is handled by Stripe, Inc. We do not store full card numbers or sensitive payment credentials on our servers. We store a Stripe customer ID and subscription identifiers to manage your billing relationship. Stripe's privacy policy governs how Stripe handles your payment data.

Session Data

We use an HTTP-only, SameSite-strict session cookie to maintain your authenticated session. The cookie contains a signed JWT and does not include sensitive personal data. It expires after 7 days.

Log Data

Our servers automatically collect standard web server logs, which may include your IP address, browser user agent, request path, and timestamp. These logs are used for debugging, security monitoring, and abuse prevention.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service;
  • Authenticate your account and protect against unauthorized access;
  • Process billing and manage your subscription through Stripe;
  • Send transactional emails such as password reset links via SendGrid;
  • Display usage statistics on your dashboard;
  • Investigate abuse, enforce our Terms of Service, and comply with legal obligations;
  • Improve the reliability and performance of the Service.

We do not sell your personal data. We do not use your data for advertising.

3. Data Retention

We retain account information for as long as your account is active. If you delete your account, we delete your user record, tenant record, and associated usage data from our active database. Residual data may persist in database backups for up to 30 days following deletion. Password reset tokens expire after 60 minutes and are purged on subsequent use of the reset flow. We do not retain applicant-level data submitted to the credit decision endpoints.

4. Third-Party Service Providers

We share data with third-party service providers solely to operate the Service. These providers fall into the following categories:

  • Database hosting — stores account, tenant, and usage data on our behalf;
  • Payment processing — handles billing and subscription management;
  • Transactional email — delivers system emails such as password reset messages;
  • Infrastructure and hosting — runs the application server and supporting services.

All providers are located in the United States and are contractually obligated to handle data only as directed by us and in accordance with applicable privacy laws.

5. Security

We implement industry-standard technical and organizational safeguards to protect your data against unauthorized access, disclosure, alteration, and destruction. All data is transmitted over encrypted connections. Passwords, API keys, and session credentials are protected using appropriate cryptographic controls. Access to production systems is restricted and monitored.

No security measure is perfect. In the event of a breach affecting your data, we will notify you as required by applicable law.

6. Your Rights and Choices

You may access, update, or delete your account information at any time through your account settings. You may delete your account, which will remove your personal data from our active systems. If you have questions about the data we hold about you or wish to exercise any applicable data rights (including rights under CCPA or GDPR if applicable to you), contact us at legal@creditdecisionapi.com.

7. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will delete it promptly.

8. International Transfers

Our Service is operated in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new effective date. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

10. Contact

For privacy questions or requests, contact us at legal@creditdecisionapi.com.

Credit Decision API, LLC
State of Delaware, United States

© 2026 Credit Decision API, LLC