This Privacy Policy explains how Credegra Corporation ("Credegra," "we," "us") collects, uses, shares, and protects personal data when you use our websites, applications, and services that help project developers assess and improve alignment with carbon standards requirements (the "Service").
1. Contact information
Controller: Credegra Corporation
530 Divisadero St, #703
San Francisco, CA 94117
United States
Privacy contact: privacy@credegra.com
2. Scope
This Policy applies to personal data we process when you:
- visit our website;
- create or use an account for the Service;
- upload project materials and receive analyses or reports;
- receive invoices or administer subscriptions; or
- communicate with us (including support).
The Service is intended for business users and is not directed to children.
3. Personal data we process
We process the following categories of personal data:
A. Account and contact data
Name, business email, company, role/title, and authentication identifiers (for example, via ASP.NET Identity).
B. Customer Data (project content)
Files, documents, and other information you or your organization upload to the Service. Note: Outputs generated by the Service (such as reports, findings, and recommendations) are addressed separately under our Software License Agreement, which governs ownership and permitted use of such Outputs. Customer Data may include commercially confidential information. Customer Data is processed solely to provide the Service and is not used for advertising or to train generalized AI models.
C. Service and technical data
Information about how you access and use the Service, such as device and browser information, IP address, timestamps, pages/screens viewed, feature usage, performance metrics, and error logs. We may also maintain audit and security logs.
D. Billing and invoicing data
Billing contacts, billing addresses, invoice records, and related communications.
E. Support communications
Information you provide when you contact us, including messages and attachments.
Sensitive data: We do not intentionally collect sensitive personal data (such as health data, biometric identifiers, or government IDs). Please do not upload sensitive personal data unless your organization has determined it is necessary and lawful.
4. How we use personal data
We use personal data for the following purposes:
- Provide and operate the Service (account administration, authentication, processing uploads, generating outputs, and delivering reports).
- Security and reliability (monitoring, logging, detecting and preventing fraud/abuse, troubleshooting, and maintaining the integrity of the Service).
- Support and communications (responding to requests, providing customer support, and sending operational messages such as account, security, and service notices).
- Billing and recordkeeping (issuing invoices, administering subscriptions, and maintaining business records).
- Improve the Service and industry knowledge (improving functionality, accuracy, and performance using aggregated and/or de-identified data; creating and publicly distributing aggregated industry reports, research, blog posts, and presentations that do not identify your organization or specific projects).
- Marketing, where permitted (you can opt out at any time).
5. Legal bases (EEA/UK users)
If you are in the EEA or the UK, we process personal data under these legal bases, as applicable:
- Contract (to provide the Service)
- Legitimate interests (to secure and improve the Service, prevent fraud, and support customers)
- Legal obligations (invoicing, tax, and compliance)
- Consent (certain marketing and non-essential cookies where required)
6. AI and model usage
The Service may use AI-enabled components to generate analyses and draft outputs.
A. Use of AI providers
We may send Customer Data (or excerpts) to third-party AI inference providers to generate outputs for you, subject to contractual and technical safeguards. We currently use third-party AI providers, including OpenAI and Google, and may use additional providers over time (for example, Anthropic, xAI, or others). This list is non-exhaustive and may change as the Service evolves.
B. Model training and improvement
We may use aggregated and de-identified signals derived from Customer Data (such as metadata, performance metrics, or abstracted patterns) to improve our systems, as permitted by our agreement with your organization. We do not use Customer Data or identifiable project documents to train or fine-tune generalized AI models, or in any way that would expose your confidential content to other customers or allow reconstruction of your specific project information. Your organization may contact us to discuss training controls and related safeguards.
C. Human review
We may conduct human review of specific inputs/outputs for quality assurance, support, debugging, and security purposes. Access is restricted to authorized personnel on a need-to-know basis and subject to confidentiality obligations and access controls.
7. Sharing and service providers (subprocessors)
We share personal data with service providers that process data on our behalf under written agreements designed to protect personal data and limit use to providing services to Credegra. Categories may include:
- Cloud and application hosting: Microsoft Azure (including storage, compute, and related services)
- AI inference providers: as described in Section 6
- Email and business tooling: providers used to communicate with you and operate business systems
- Website services and analytics: tools used to operate, secure, and measure usage of our website and Service
Subprocessor list: A current list of subprocessors is available upon request by contacting privacy@credegra.com.
We may also share information:
- to comply with law or lawful requests;
- to protect rights, safety, and security of Credegra, our customers, and users; or
- in connection with a corporate transaction (e.g., financing, acquisition, or restructuring), subject to appropriate safeguards.
8. International transfers and EU hosting option
Credegra is based in the United States. If we transfer personal data from the EEA/UK to other countries that may not provide the same level of protection, we use appropriate safeguards such as Standard Contractual Clauses and the UK Addendum, as applicable.
EU-hosted deployment on request: If your organization would like data processing and storage in the EU, you may contact us at privacy@credegra.com to discuss deploying your instance on EU-based Microsoft Azure servers, subject to availability and commercial terms. Depending on configuration and support needs, some limited cross-border access or transfers may still occur (for example, support and security operations).
9. Data retention
We retain personal data only as long as necessary for the purposes described in this Policy.
- Customer Data: retained while your account is active. After account deletion or termination, we retain Customer Data for up to 60 days, after which it is deleted, subject to backup lifecycle processes.
- Service and security logs: retained for operational and security needs and then deleted, aggregated, and/or de-identified.
- Billing and invoicing records: retained as needed for business recordkeeping and legal compliance.
10. Your rights and choices
Depending on your location, you may have rights to request access, correction, deletion, restriction, and portability, and to object to certain processing. You may also withdraw consent where processing is based on consent and opt out of marketing communications.
To exercise rights, contact privacy@credegra.com. We may verify your identity and, for organizational accounts, confirm authorization.
11. California privacy disclosures (CPRA)
If you are a California resident, you may have rights under the California Consumer Privacy Act as amended by the CPRA ("CPRA"), including the right to request access to or deletion of certain personal information and the right to correct inaccurate personal information.
Notice of collection: Over the past 12 months, we may have collected the categories of personal information described in Section 3 (account/contact data, customer content, service/technical data, billing data, and support communications) for the purposes described in Section 4.
No sale or sharing for cross-context behavioral advertising: We do not sell personal information and do not share personal information for cross-context behavioral advertising, as those terms are defined under the CPRA.
You (or an authorized agent) may submit CPRA requests by contacting privacy@credegra.com. We will verify your request consistent with applicable law. If you use the Service through an organization, certain requests may need to be coordinated through your organization.
12. Cookies and similar technologies
We use cookies and similar technologies to operate our website and Service.
- Essential cookies: Required for core functionality, security, and session management.
- Analytics/performance cookies: Used to understand website and Service usage (for example, measuring clicks, page interactions, and feature usage) and to improve performance and user experience. We may use analytics providers and similar measurement tools over time.
Where required by law, we will request consent before placing non-essential cookies and provide a way to manage preferences. You can also control cookies through your browser settings. Some features may not function properly without essential cookies.
13. Security
We implement administrative, technical, and organizational safeguards designed to protect personal data, such as access controls and encryption in transit. No method of transmission or storage is completely secure, but we work to maintain reasonable protections appropriate to the risk.
14. Changes
We may update this Policy from time to time. If we make material changes, we will post the updated Policy and update the "Last updated" date. Where appropriate, we may provide additional notice in-product or by email.