Privacy Policy

KreditBuilder, Inc. ("KB," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, share, and safeguard your personal information when you use our website at kreditbuilder.app (the "Site") and our credit-building membership service (the "Service").

This policy is designed to comply with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). By using the Site or Service, you agree to the practices described in this Privacy Policy.

We collect the following categories of personal information:

Information you provide directly

• Identity information: Full name, date of birth, and Social Security Number (for credit reporting and identity verification purposes)
• Contact information: Email address, phone number, and mailing address
• Account credentials: Email and password used to create and access your account
• Multi-factor authentication (MFA) information: If you enable MFA, we collect the phone number you provide for SMS verification. If you choose authenticator-app (TOTP) verification, we store an encrypted shared secret used to generate one-time codes. If you register a passkey, we store the credential public key and related device metadata. We also generate and store hashed backup recovery codes for your account.
• Payment information: Billing details processed securely through our third-party payment processor (we do not store full credit card numbers)

Information collected automatically

• Device and usage data: IP address, browser type, operating system, pages visited, referring URLs, and interaction timestamps
• Login session and device history: Each time you sign in, we automatically record your IP address, browser type and version, operating system, device type (e.g., desktop or mobile), the authentication method used (password, Google sign-in, or passkey), whether MFA was completed and which MFA method was used, and the date and time of the login attempt. This information is stored as part of your login history and is accessible to you in your account security settings.
• Cookies and similar technologies: We use essential cookies for site functionality and optional analytics and marketing cookies with your consent. See our Cookie Settings page for details.
• Analytics data: When you consent to analytics cookies, we use Google Analytics and Microsoft Clarity to collect information about how you use our Site. Google Analytics collects data such as pages visited, session duration, and traffic sources using cookies and similar technologies. Microsoft Clarity collects heatmap and session replay data, including mouse movements, clicks, and scrolling behavior, to help us understand user interaction patterns.
• Bot and fraud prevention data: We use Google reCAPTCHA on certain pages (such as sign-up, login, and password reset) to protect our Site from spam and abuse. reCAPTCHA collects hardware and software information, such as device and application data, and sends it to Google for analysis. Your use of reCAPTCHA is subject to Google's Privacy Policy and Terms of Service.

We use the information we collect to:

• Provide and maintain the Service, including reporting your tradeline to Experian
• Verify your identity as required for credit reporting compliance
• Process your subscription payments and manage billing
• Communicate with you about your account, service updates, and support requests
• Improve our Site and Service through aggregated analytics (when consent is given), including via Google Analytics and Microsoft Clarity
• Protect our Site from spam, abuse, and automated bot traffic using Google reCAPTCHA
• Comply with legal obligations, including credit bureau reporting requirements
• Detect and prevent fraud, unauthorized access, or other security threats
• Authenticate your identity through multi-factor authentication (MFA) using SMS codes, authenticator apps, or passkeys
• Maintain a login history so you can review recent sign-in activity and identify any unauthorized access to your account

We do not sell your personal information. We may share your information with the following parties:

• Credit bureaus: We report your account and payment data to Experian as part of the Service
• Payment processors: Chargebee processes your subscription payments securely on our behalf
• Identity verification providers: We may share information with third-party services to verify your identity
• Analytics providers: Google (Google Analytics) and Microsoft (Clarity) receive usage data when you consent to analytics cookies. Google Analytics data is processed in accordance with Google's Privacy Policy. Microsoft Clarity data is processed in accordance with Microsoft's Privacy Statement
• Security and anti-fraud providers: Google receives device and interaction data through reCAPTCHA to detect bots and prevent abuse
• Other service providers: Hosting and email providers that help us operate the Site and Service, bound by confidentiality agreements
• Legal compliance: When required by law, court order, or governmental authority

If you are a California resident, you have the following rights under the CCPA and CPRA:

To exercise any of these rights, contact us at privacy@kreditbuilder.app. We will verify your identity before processing any request and respond within 45 days as required by law.

We retain your personal information for as long as your account is active or as needed to provide the Service. After account closure, we may retain certain data for the following purposes:

• Credit reporting records: Retained for up to 7 years as required by credit reporting regulations
• Payment and billing records: Retained for up to 7 years for tax and accounting compliance
• Account and identity records: Retained for up to 3 years after account closure for fraud prevention and legal compliance
• Login session and device history: Login records (including IP address, device, browser, and authentication method) are retained for up to 1 year for security monitoring and fraud prevention
• MFA credentials: MFA-related data (phone numbers for SMS, encrypted TOTP secrets, passkey credentials, and hashed backup codes) are retained for as long as the associated MFA method is active on your account and deleted when you remove the method or close your account
• Analytics data: Aggregated and anonymized data may be retained indefinitely

We implement industry-standard security measures to protect your personal information, including encryption of data in transit (TLS), secure password hashing, and access controls. Authenticator-app (TOTP) secrets are encrypted at rest using AES encryption, and MFA backup codes are stored only in hashed form. We also offer multi-factor authentication to help you secure your account against unauthorized access. However, no method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security.

Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will take steps to delete it promptly.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on our Site prior to the changes taking effect. The "Last updated" date at the top of this page indicates when this policy was last revised.

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at: