Privacy Policy

Effective date: April 4, 2026

Last updated: April 4, 2026

1. Introduction

1.1 This Privacy Policy (“Policy”) describes how Creds Technologies Inc., a Delaware corporation (“Company,” “we,” “us,” or “our”), collects, uses, shares, and protects information in connection with the Creds platform, website, APIs, and all related services (collectively, the “Platform”).

1.2 By using the Platform, you acknowledge that you have read and understood this Policy and agree to the collection, use, and sharing of your information as described herein. This Policy is incorporated into and subject to our Terms of Service.

1.3 If you are located in the European Economic Area (“EEA”), United Kingdom (“UK”), or California, please see Sections 8.2, 8.3, and 9 for additional rights and disclosures applicable to you.

2. Information We Collect

2.1 Information You Provide Directly

  • Account information: name, work email address, company name (derived from email domain), and password (stored only as a cryptographic hash)
  • Wallet information: Ethereum wallet address
  • Profile information: display name and optional avatar
  • User content: predictions, signals, participation credits, comments, and other content you create on the Platform
  • Communications: messages you send to us (e.g., support requests)

2.2 Information Collected Automatically

  • Device information: browser type and version, operating system, device type
  • Network information: IP address
  • Usage information: pages visited, features used, timestamps of access, referring URLs
  • Transaction information: on-chain transaction hashes for private beta users, CREDS balances, credit participation, and signal activity

2.3 Information from Third Parties

  • Stripe: payment confirmation data, partial card information (last four digits), and transaction identifiers. We do not store full credit card numbers.
  • Ethereum blockchain: publicly available on-chain data including wallet balances, transaction history, and smart contract interactions associated with your wallet address

3. How We Use Your Information

We use the information we collect to:

  • Provide and operate the Platform: create and manage your account, process signals and participation credits, resolve predictions, and deliver core Platform functionality
  • Verify your company domain: use your work email address to confirm your affiliation with a participating company
  • Process payments: facilitate public credit purchases through Stripe
  • Send transactional communications: account verification, prediction resolution notifications, invite confirmations, and other operational emails
  • Resolve predictions: submit prediction text (without user personally identifiable information) to Anthropic for AI-powered resolution analysis
  • Improve the Platform: analyze usage patterns, diagnose technical issues, and develop new features
  • Prevent fraud and abuse: detect and prevent market manipulation, account fraud, and other prohibited conduct
  • Comply with legal obligations: respond to legal process and enforce our Terms of Service

4. Anonymity Model

This section explains how we protect your identity on the Platform. Your privacy from your employer and other users is core to our design.

4.1 Your work email address is used only to verify that you are an employee of a particular company. It is not displayed to other users and is not used for any other purpose beyond account verification and transactional communications.

4.2 Your signals, participation credits, comments, and all other Platform activity are associated with your wallet address and display name — not your real name, email address, or employer. Other users see only the display name you choose.

4.3 Your employer cannot see your activity on Creds. We do not provide employers with any data about which employees have accounts, how they participate, what signals they make, or how they use credits. We do not offer any employer dashboard or employer-facing analytics that could identify individual employees.

4.4 We may de-anonymize your data and disclose your identity only in response to valid legal process, including court orders, subpoenas, or government investigative demands. We will make reasonable efforts to notify you before such disclosure, unless prohibited by law.

5. Data Sharing

5.1 We do not sell your personal data. We have never sold personal data and have no plans to do so.

5.2 We share your information only with the following categories of recipients, and only as necessary to operate the Platform:

  • Stripe (payment processing): We share your name, email address, and payment information with Stripe to process public participation credit purchases. Stripe's handling of your data is governed by the Stripe Privacy Policy.
  • Vercel (hosting infrastructure): Our Platform is hosted on Vercel. Server logs (including IP addresses and request metadata) are processed by Vercel as part of standard hosting operations.
  • Anthropic (AI resolution): We submit prediction text to Anthropic for AI-powered resolution analysis. We do not share any user personally identifiable information with Anthropic. Only the prediction question text and publicly available context are submitted.
  • Ethereum blockchain (on-chain data): Private token beta transactions involving CREDS tokens may be recorded on the Ethereum blockchain. Blockchain data — including wallet addresses, transaction amounts, and timestamps — is public by nature and cannot be deleted or modified.

5.3 We may disclose your information if required to do so by law or in response to valid legal process, including subpoenas, court orders, or government investigative demands.

5.4 We may share aggregated, de-identified data that cannot reasonably be used to identify you for analytics, research, or business purposes.

5.5 In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of such transaction. We will notify you via email or prominent notice on the Platform before your information becomes subject to a different privacy policy.

6. Cookies and Tracking

6.1 We use a single session cookie (creds-session) for authentication purposes. This cookie is essential for the Platform to function and cannot be opted out of.

6.2 We do not use tracking cookies, advertising cookies, or analytics cookies.

6.3 We do not use Google Analytics, Facebook Pixel, or any similar third-party tracking or analytics services.

6.4 We do not engage in cross-site tracking, browser fingerprinting, or any other covert tracking techniques.

7. Data Retention

7.1 Account data (name, email, wallet address, display name) is retained while your account is active and for thirty (30) days after account deletion to allow for account recovery.

7.2 Transaction records (credit purchases, private beta cash-outs, credit participation, payouts) are retained for seven (7) years to comply with financial recordkeeping requirements.

7.3 Server logs (IP addresses, request metadata, error logs) are retained for thirty (30) days and then automatically deleted.

7.4 Blockchain data (on-chain transactions, wallet addresses) is immutable and cannot be deleted. This data is public by nature of the Ethereum blockchain.

7.5 You may request deletion of your account data at any time by contacting us at legal@creds.market. Upon receipt of a valid deletion request, we will delete your personal data within thirty (30) days, except where retention is required by law (see Section 7.2) or where data is immutable (see Section 7.4).

8. Your Rights

8.1 Rights for All Users

Regardless of your location, you have the right to:

  • Access: request a copy of the personal data we hold about you
  • Correction: request correction of inaccurate or incomplete personal data
  • Deletion: request deletion of your account and personal data, subject to legal retention requirements
  • Data portability: request a machine-readable export of your personal data

8.2 Additional Rights for EEA/UK Users (GDPR)

If you are located in the European Economic Area or the United Kingdom, you have the following additional rights under the General Data Protection Regulation (“GDPR”):

  • Right to object: object to the processing of your personal data based on our legitimate interests
  • Right to restrict processing: request that we restrict the processing of your personal data in certain circumstances
  • Right to withdraw consent: withdraw any consent you have previously given, without affecting the lawfulness of processing based on consent before its withdrawal
  • Right to lodge a complaint: lodge a complaint with your local data protection supervisory authority

Legal bases for processing (GDPR):

  • Contract performance: processing necessary to provide your account and Platform services (Article 6(1)(b))
  • Legitimate interest: fraud prevention, security, and Platform improvement (Article 6(1)(f))
  • Legal obligation: compliance with applicable laws and regulations (Article 6(1)(c))
  • Consent: where applicable, for optional communications and marketing (Article 6(1)(a))

8.3 Additional Rights for California Users (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act (“CCPA/CPRA”):

  • Right to know: request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to delete: request deletion of your personal information, subject to exceptions
  • Right to opt out of sale: we do not sell your personal information. If this changes, we will provide an opt-out mechanism.
  • Right to non-discrimination: we will not discriminate against you for exercising your privacy rights

Categories of personal information collected (CCPA):

  • Identifiers: name, email address, wallet address, IP address
  • Commercial information: CREDS purchase, private beta cash-out records, and credit participation history
  • Internet or electronic network activity: browsing history on the Platform, pages visited, features used
  • Geolocation data: approximate location derived from IP address (city/region level only)

8.4 How to Exercise Your Rights

To exercise any of the rights described in this Section, contact us at legal@creds.market. We will respond to verifiable requests within thirty (30) days, or within the timeframe required by applicable law. We may ask you to verify your identity before processing your request.

9. International Data Transfers

9.1 Your personal data is processed and stored in the United States. If you are located outside of the United States, your information will be transferred to and processed in the United States.

9.2 For users in the EEA and UK, we rely on Standard Contractual Clauses (“SCCs”) approved by the European Commission as the legal mechanism for transferring your personal data to the United States. You may request a copy of the applicable SCCs by contacting us at legal@creds.market.

9.3 By using the Platform, you acknowledge and consent to the transfer, storage, and processing of your data in the United States, where data protection laws may differ from those in your jurisdiction.

10. Data Security

10.1 We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:

  • Encryption at rest: AES-256 encryption for sensitive data and cryptographic keys
  • Encryption in transit: TLS 1.3 for all data transmitted between your browser and our servers
  • Password security: passwords are stored as cryptographic hashes; we never store plaintext passwords
  • Access controls: role-based access controls limiting employee access to personal data on a need-to-know basis
  • Regular security reviews: periodic reviews of our security practices and infrastructure

10.2 While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your data. You are responsible for maintaining the security of your account credentials and wallet private keys.

11. Children

11.1 The Platform is not intended for users under the age of eighteen (18). We do not knowingly collect personal data from anyone under 18 years of age.

11.2 If we become aware that we have collected personal data from a minor, we will take steps to delete such information promptly. If you believe we have inadvertently collected data from a minor, please contact us at legal@creds.market.

12. Changes to This Policy

12.1 We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.

12.2 For material changes, we will provide notice at least thirty (30) days in advance by email to the address associated with your account or by a prominent notice on the Platform. Non-material changes may be made without advance notice.

12.3 Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the revised Policy. If you do not agree to the changes, you must stop using the Platform and request deletion of your account.

13. Contact

If you have any questions about this Privacy Policy or your personal data, or wish to exercise any of your rights, please contact us at:

Creds Technologies Inc.
Email: legal@creds.market

For GDPR-related inquiries, including data protection requests, please direct your correspondence to the same email address with the subject line “GDPR Request.”