This Privacy Policy explains how Credegra Corporation ("Credegra," "we," "us") collects, uses, shares, and protects personal data when you use our websites, applications, and services that help project developers assess and improve alignment with carbon standards requirements (the "Service").
1. Contact information
Controller: Credegra Corporation
530 Divisadero St, #703
San Francisco, CA 94117
United States
Privacy contact: privacy@credegra.com
2. Scope
This Policy applies to personal data we process when you:
- visit our website;
- create or use an account for the Service;
- upload project materials and receive analyses or reports;
- receive invoices or administer subscriptions; or
- communicate with us (including support).
The Service is intended for business users and is not directed to children.
Roles: For organizational accounts, Credegra processes Customer Data (Section 3) as a processor on behalf of your organization, which is the data controller for that Customer Data. Credegra acts as a controller for account and contact, service and technical, billing, and support data. You may exercise rights over controller-held data directly; requests relating to Customer Data should be directed through your organization. A Data Processing Addendum (DPA) is available upon request and, once executed, governs the processing of Customer Data.
3. Personal data we process
We process the following categories of personal data:
A. Account and contact data
Name, business email, company, role/title, and authentication identifiers (for example, via ASP.NET Identity).
B. Customer Data (project content)
Files, documents, and other information you or your organization upload to the Service. Note: Outputs generated by the Service (such as reports, findings, and recommendations) are addressed separately under our Software License Agreement, which governs ownership and permitted use of such Outputs. Customer Data may include commercially confidential information. Customer Data is processed solely to provide the Service and is not used for advertising or to train generalized AI models.
C. Service and technical data
Information about how you access and use the Service, such as device and browser information, IP address, timestamps, pages/screens viewed, feature usage, performance metrics, and error logs. This may include detailed product-usage and interaction data — the sequence and timing of in-product actions, navigation paths, the features and workflows you engage, and latency or success metrics for those actions — collected to understand, measure, and improve how the Service is used. We refer to this as "Service Usage Data." Service Usage Data may be personal data where it relates to an identifiable user; pseudonymization reduces identifiability but does not make the data anonymous. Wherever practicable we pseudonymize this data at collection, retain identifiable usage data only for a limited period, and then aggregate or de-identify it (see Sections 4, 9, and 10). We may also maintain audit and security logs.
D. Billing and invoicing data
Billing contacts, billing addresses, invoice records, and related communications.
E. Support communications
Information you provide when you contact us, including messages and attachments.
Sensitive data: We do not intentionally collect sensitive personal data (such as health data, biometric identifiers, or government IDs). Please do not upload sensitive personal data unless your organization has determined it is necessary and lawful.
4. How we use personal data
We use personal data to:
- Provide and operate the Service (account administration, authentication, processing uploads, generating outputs, and delivering reports).
- Security and reliability (monitoring, logging, detecting and preventing fraud/abuse, troubleshooting, and maintaining the integrity of the Service).
- Support and communications (responding to requests, providing customer support, and sending operational messages such as account, security, and service notices).
- Billing and recordkeeping (issuing invoices, administering subscriptions, and maintaining business records).
- Improve the Service and industry knowledge (improving functionality, accuracy, and performance using aggregated and/or de-identified data; creating and publicly distributing aggregated industry reports, research, blog posts, and presentations that do not identify your organization or specific projects).
- Product analytics (analyzing pseudonymized Service Usage Data described in Section 3 to measure engagement, diagnose usability issues, and prioritize improvements to the Service and our AI features), relying on our legitimate interests (Section 5) and using de-identified or aggregated data wherever it is sufficient.
- Marketing, where permitted (you can opt out at any time).
De-identified or aggregated data means data processed so that it cannot reasonably be used to re-identify your organization, any individual, or any specific project. Where we treat data as "deidentified" under the CCPA/CPRA, we maintain and use it only in deidentified form, do not attempt to re-identify it (except to test the effectiveness of de-identification), and require recipients to comply with the same restrictions. We will not publicly distribute a metric that combines data across customers unless it reflects at least ten (10) distinct customer organizations, with reasonable suppression or generalization for outliers and small cohorts.
5. Legal bases (EEA/UK users)
If you are in the EEA or the UK, we process personal data under these legal bases, as applicable:
- Contract (to provide the Service)
- Legitimate interests (to secure, measure, analyze, and improve the Service — including pseudonymized product-usage analytics — to prevent fraud, and to support customers)
- Legal obligations (invoicing, tax, and compliance)
- Consent (certain marketing and non-essential cookies where required)
We rely on legitimate interests for pseudonymized Service Usage Data analytics only where we have assessed that the processing is necessary and that our interests are not overridden by individuals' rights and freedoms.
6. AI and model usage
The Service may use AI-enabled components to generate analyses and draft outputs.
A. Use of AI providers
We may send Customer Data (or excerpts) to third-party AI inference providers to generate outputs for you, subject to contractual and technical safeguards. We currently use third-party AI providers, including OpenAI, Google, and Anthropic, and may use additional providers over time (for example, xAI, or others). This list is non-exhaustive and may change as the Service evolves. Customer Data sent to third-party AI inference providers is used to provide the requested AI feature and is not used by those providers to train their general-purpose models, except where your organization expressly agrees otherwise. These providers may process personal data in the United States and other countries; for EEA/UK personal data, we rely on appropriate transfer mechanisms (adequacy decisions, EU Standard Contractual Clauses, and the UK International Data Transfer Addendum or IDTA, as applicable).
B. Model training and improvement
We may use aggregated and de-identified signals derived from Customer Data (such as metadata, performance metrics, or abstracted patterns) to improve our systems, as permitted by our agreement with your organization. Examples of such signals include response ratings, latency and success metrics, and tool-usage statistics; they exclude the text of your documents and any named entities within them. We do not use Customer Data or identifiable project documents to train or fine-tune generalized AI models, or in any way that would expose your confidential content to other customers or allow reconstruction of your specific project information. Your organization may contact us to discuss training controls and related safeguards.
C. Human review
We may conduct human review of specific inputs/outputs for quality assurance, support, debugging, and security purposes. Access is restricted to authorized personnel on a need-to-know basis and subject to confidentiality obligations and access controls.
7. Sharing and service providers (subprocessors)
We share personal data with service providers that process data on our behalf under written agreements designed to protect personal data and limit use to providing services to Credegra. Categories may include:
- Cloud and application hosting: Microsoft Azure (including storage, compute, and related services)
- AI inference providers: as described in Section 6
- Email and business tooling: providers used to communicate with you and operate business systems
- Website services and analytics: tools used to operate, secure, and measure usage of our website and Service
Subprocessor list: A current list of Credegra's material subprocessors for the Service, including the third-party AI inference providers identified in Section 6, is available to current and prospective customers on request by contacting privacy@credegra.com. Where you have an applicable Data Processing Addendum (DPA), Credegra's use of subprocessors, prior notice of intended additions or replacements, and any objection rights are governed by that DPA.
We may also share information:
- to comply with law or lawful requests;
- to protect rights, safety, and security of Credegra, our customers, and users; or
- in connection with a corporate transaction (e.g., financing, acquisition, or restructuring), subject to appropriate safeguards.
8. International transfers and EU hosting option
Credegra is based in the United States. If we transfer personal data from the EEA/UK to other countries that may not provide the same level of protection, we use appropriate safeguards such as Standard Contractual Clauses and the UK Addendum, as applicable.
EU-hosted deployment on request: If your organization would like data processing and storage in the EU, you may contact us at privacy@credegra.com to discuss deploying your instance on EU-based Microsoft Azure servers, subject to availability and commercial terms. Depending on configuration and support needs, some limited cross-border access or transfers may still occur (for example, support and security operations).
9. Data retention
We retain personal data only as long as necessary for the purposes described in this Policy.
- Customer Data: retained while your account is active. After account deletion or termination, we retain Customer Data for up to 60 days, after which it is deleted, subject to backup lifecycle processes.
- Service Usage Data and logs: raw identifiable analytics data is retained for a limited period (generally 90 days) and then pseudonymized or de-identified; pseudonymized analytics data is retained for 24 months; security and audit logs are retained as long as needed for operational, security, and legal purposes; and aggregated or de-identified data may be retained for longer to support analytics and industry research.
- Billing and invoicing records: retained as needed for business recordkeeping and legal compliance.
10. Your rights and choices
Depending on your location, you may have rights to request access, correction, deletion, restriction, and portability, and to object to certain processing. You may also withdraw consent where processing is based on consent and opt out of marketing communications.
To exercise rights, contact privacy@credegra.com. We may verify your identity and, for organizational accounts, confirm authorization.
Objecting to usage analytics: Individuals in the EEA/UK may object, on grounds relating to their particular situation, to our processing of their pseudonymized Service Usage Data for product analytics based on legitimate interests by contacting privacy@credegra.com (or using in-product privacy controls, where available). We will stop that processing unless we demonstrate compelling legitimate grounds or need it for the establishment, exercise, or defense of legal claims.
11. California privacy disclosures (CPRA)
If you are a California resident, you may have rights under the California Consumer Privacy Act as amended by the CPRA ("CPRA"), including the right to request access to or deletion of certain personal information and the right to correct inaccurate personal information.
Notice of collection: Over the past 12 months, we may have collected the categories of personal information described in Section 3 (account/contact data, customer content, service/technical data, billing data, and support communications) for the purposes described in Section 4.
No sale or sharing for cross-context behavioral advertising: We do not sell personal information and do not share personal information for cross-context behavioral advertising, as those terms are defined under the CPRA.
You (or an authorized agent) may submit CPRA requests by contacting privacy@credegra.com. We will verify your request consistent with applicable law. If you use the Service through an organization, certain requests may need to be coordinated through your organization.
12. Cookies and similar technologies
We use cookies and similar technologies to operate our website and Service.
- Essential cookies: Required for core functionality, security, and session management.
- Analytics/performance cookies: Used to understand website and Service usage (for example, measuring clicks, page interactions, and feature usage) and to improve performance and user experience. We may use analytics providers and similar measurement tools over time.
Where required by law, we will request consent before placing non-essential cookies and provide a way to manage preferences. For users in the EEA and UK, we will not place non-essential analytics cookies or similar storage or access technologies without your prior consent, which you may grant or withdraw at any time through our cookie preference controls. You can also control cookies through your browser settings. Some features may not function properly without essential cookies.
13. Security
We implement administrative, technical, and organizational safeguards designed to protect personal data, such as access controls and encryption in transit. No method of transmission or storage is completely secure, but we work to maintain reasonable protections appropriate to the risk. If Credegra becomes aware of a personal data breach involving personal data for which Credegra is the controller, Credegra will notify affected individuals where required by applicable law, including Article 34 of the GDPR/UK GDPR. If a breach or security incident involves Customer Data that Credegra processes as a processor, Credegra will notify the Customer without undue delay and, unless a shorter period applies under an applicable Data Processing Addendum, no later than seventy-two (72) hours after becoming aware of it. The Customer is responsible for notices to supervisory authorities and affected individuals unless the DPA provides otherwise.
14. Changes
We may update this Policy from time to time. If we make material changes, we will post the updated Policy and update the "Last updated" date. Where appropriate, we may provide additional notice in-product or by email.