Privacy Policy
Last updated: February 16, 2026
1. Introduction
CredI ("we," "our," or "us") operates the CredI mobile application and website (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
We take your privacy seriously. Because CredI handles financial data, we hold ourselves to a higher standard of transparency and security. If you have questions about this policy, contact us at privacy@crediapp.app.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your email address and any profile information you provide. Authentication is handled by Clerk, a third-party authentication provider.
2.2 Financial Data (via Plaid)
When you connect a bank account, we use Plaid Inc. to securely access your financial information. We never see or store your bank login credentials. Plaid handles that connection directly.
Through Plaid, we access the following data:
- Transaction history — merchant name, amount, date, category, and merchant category code (MCC)
- Account metadata — account name, type (e.g., checking, credit), and last four digits of the account number
We do not access:
- Full account numbers or routing numbers
- Your bank login credentials
- Your Social Security number or government ID
- Account balances (unless you explicitly enable this feature)
- Identity verification data (name, address, phone from your bank)
By connecting your bank account, you authorize Plaid to access this information on our behalf. Plaid's handling of your data is governed by the Plaid End User Privacy Policy.
2.3 Credit Card Selections
You may select credit cards from our database to receive reward optimization recommendations. We store which cards you have selected — not your card numbers, expiration dates, CVVs, or any payment credentials.
2.4 Goals and Preferences
If you create savings or rewards goals, we store the goal details (title, target amount, target date, category) and track your progress. We also store your notification preferences and any category corrections you make to transactions.
2.5 Usage and Analytics Data
We collect anonymized usage data to improve the Service, including which features you use, app opens, and general interaction patterns. This data is collected via PostHog and does not include your financial data. You can opt out of analytics tracking in the app settings.
2.6 Error and Crash Data
We use Sentry to monitor application errors and crashes. Crash reports may include device type, operating system version, and application state at the time of the error. These reports do not contain your financial data.
2.7 Device Information
We may collect device identifiers, operating system version, and push notification tokens (if you enable notifications). This is used solely to deliver the Service and send you notifications you have opted into.
3. How We Use Your Information
We use your information exclusively to:
- Provide reward optimization — analyze your transactions and recommend the best credit card for each purchase category
- Calculate missed rewards — show you how much more you could have earned with optimal card usage
- Track your goals — monitor progress toward your savings and rewards goals
- Send notifications — alert you to optimization opportunities, goal milestones, and weekly summaries (if enabled)
- Improve the Service — understand usage patterns to build better features
- Fix bugs and maintain security — diagnose issues and protect your data
We do not use your financial data to:
- Sell or rent your data to third parties
- Display advertising or target ads
- Make credit decisions or assess creditworthiness
- Share it with data brokers or marketing companies
- Train machine learning models on your personal financial data
4. How We Protect Your Information
Security is foundational to CredI. We implement the following safeguards:
- Encryption at rest — Plaid access tokens are encrypted using AES-256-GCM before storage. Your financial data is stored in an encrypted PostgreSQL database.
- Encryption in transit — all communication between the app, our servers, and third-party services uses HTTPS/TLS.
- No client-side secrets — sensitive tokens and credentials are never stored on your device. Authentication sessions are managed via secure, short-lived tokens.
- Authenticated API access — every API request requires a valid, authenticated session. No anonymous access to financial data.
- Minimal data access — we only request the Plaid data products we need (Transactions). We do not request Auth, Identity, Assets, Income, or other data products.
5. Third-Party Services
We use the following third-party services to operate CredI:
| Service | Purpose | Data Shared |
|---|---|---|
| Plaid | Bank account connection | Bank credentials (handled by Plaid directly, not by us) |
| Clerk | Authentication | Email address, session data |
| PostHog | Analytics | Anonymized usage events (no financial data) |
| Sentry | Error monitoring | Crash reports, device info (no financial data) |
| Neon | Database hosting | All stored data (encrypted at rest) |
| Vercel | Application hosting | API requests, server logs |
We do not sell, rent, or share your personal or financial data with any parties beyond those listed above, and we share data with those parties only to the extent necessary to provide the Service.
6. Data Retention
We retain your data for as long as your account is active. If you delete your account:
- Your financial data (transactions, Plaid connections, goals) is permanently deleted within 30 days
- Plaid access tokens are immediately revoked and deleted
- Anonymized analytics data may be retained (it cannot be linked back to you)
- Error logs containing your data are automatically purged after 90 days
7. Your Rights
You have the right to:
- Access your data — request a copy of all personal data we hold about you
- Delete your data — request deletion of your account and all associated data
- Disconnect your bank — revoke Plaid access at any time from within the app, which immediately stops data syncing
- Opt out of analytics — disable usage tracking in the app settings
- Control notifications — manage or disable all push notifications
- Export your data — request a machine-readable export of your data
To exercise any of these rights, contact us at privacy@crediapp.app or use the account settings within the app.
8. California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- The right to know what personal information we collect and how it is used
- The right to delete your personal information
- The right to opt out of the sale of personal information — we do not sell your personal information
- The right to non-discrimination for exercising your privacy rights
9. Children's Privacy
CredI is not intended for children under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via the app or email before the changes take effect. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
CredI
Email: privacy@crediapp.app