Privacy Policy

Last updated: February 28, 2026

At Credris ("we," "us," or "our"), we are committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, store, share, and protect information when you use the Credris platform (the "Service").

This policy applies to all users of the Service, including Organization owners, administrators, staff members, and training participants whose data is processed through the platform.

1. Information We Collect

1.1 Information You Provide Directly

We collect information you voluntarily provide when you:

Create an Account: Email address, password (stored as a salted hash, never in plain text), and organization details.
Set Up an Organization: Organization name, logo, subdomain, and configuration settings including sender name and reply-to email address.
Create Events: Event name, description, dates, timezone, and event-specific settings.
Add Participants: Participant names, email addresses, phone numbers, and any custom fields you configure.
Upload Content: Certificate templates (images, PDFs), organization logos, and custom branding materials.
Contact Us: Name, email, and message content when you reach out for support.

1.2 Information Generated Through Service Use

We automatically generate and store the following data as part of providing the Service:

Attendance Records: Check-in timestamps, attendance status, QR code scans, and device information used for check-in.
Certificates: Generated PDF certificates, verification codes, issuance dates, download status, and email delivery status.
Audit Logs: Records of administrative actions including who performed them, when, and what changed.

1.3 Information Collected Automatically

When you access the Service, we automatically collect:

Log Data: IP address, browser type and version, operating system, referring URL, pages visited, and timestamps.
Device Information: Screen resolution, device type, and language preferences.
Performance Data: API response times, error rates, and service availability metrics.
Cookies and Local Storage: Authentication tokens stored securely. We do not use third-party tracking cookies.

2. How We Use Your Information

2.1 To Provide and Maintain the Service

Authenticate your identity and manage your Account.
Process and store event, participant, and attendance data.
Generate, store, and deliver certificates.
Send transactional emails (certificates, invitations, password resets).
Enable certificate verification by third parties via unique verification codes.

2.2 To Improve the Service

Analyze usage patterns to improve features and performance.
Monitor service health and reliability.
Identify and fix bugs, errors, and security vulnerabilities.

2.3 To Communicate With You

Send service-related notifications (account changes, security alerts).
Respond to your support requests and inquiries.
Notify you of material changes to these policies or the Terms of Service.

2.4 To Ensure Security and Compliance

Enforce rate limits and prevent abuse.
Detect and prevent fraud, unauthorized access, and other harmful activities.
Maintain audit logs for accountability and compliance.
Comply with legal obligations and respond to lawful requests.

3. Data Controller and Processor Roles

3.1 Credris as Data Controller

Credris is the Data Controller for Account information (your email, password, account settings) and service usage data.

3.2 Organization as Data Controller

When an Organization uses Credris to manage Participant data, the Organization is the Data Controller. The Organization determines what Participant data to collect, how it is used, and is responsible for ensuring lawful processing.

3.3 Credris as Data Processor

Credris acts as a Data Processor for Participant data managed by Organizations. We process Participant data only as instructed by the Organization and in accordance with our Terms of Service.

4.1 We Do Not Sell Your Data

Credris does not sell, rent, or trade personal information to third parties. We do not share your data with advertisers or data brokers.

4.2 Service Providers

We share data with trusted third-party service providers under contractual obligations to protect your data:

Cloud Infrastructure: Hosting and database services in secure, access-controlled environments.
Email Delivery: Transactional email provider (Resend) for sending certificates and notifications. Only minimum necessary data is shared.
Error Tracking: Sentry for monitoring application errors. Reports never include passwords or sensitive personal data.
File Storage: Secure cloud storage for certificate PDFs, templates, and logos.
Queue Processing: Redis (BullMQ) for background job processing. Job data is transient and automatically purged.

4.3 Public Certificate Verification

When a certificate's verification code is queried, the following is made available: participant name, event name, organization name, issue date, and certificate validity status.

4.4 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request.

5. Data Storage and Security

5.1 Storage Location

Your data is stored on secure servers with industry-standard encryption for data in transit (TLS 1.2+) and access controls for data at rest.

5.2 Security Measures

Authentication: JWT-based authentication with short-lived access tokens and secure refresh token rotation.
Password Security: Passwords hashed using bcrypt. We never store plain-text passwords.
Access Control: Role-based access control (Owner, Admin, Staff) with organization-level isolation.
Rate Limiting: Protection against brute-force attacks.
Security Headers: HTTP security headers, strict CORS policies, and XSS protection.
Input Validation: All API inputs validated to prevent injection attacks.
Monitoring: Real-time error tracking and API latency monitoring.

5.3 Incident Response

In the event of a data breach, we will notify affected users and relevant authorities within 72 hours of becoming aware of the breach.

6. Data Retention

6.1 Active Account Data

We retain your data for as long as your Account is active and as needed to provide the Service.

6.2 Deleted Data

Individual Records: Permanently removed from active systems within 30 days.
Organization Deletion: All associated data permanently removed within 30 days.
Account Deletion: Personal data removed. Sole owners must transfer ownership or delete the Organization first.
Backups: Deleted data may persist in encrypted backups for up to 90 days.

6.3 Audit Logs

Administrative audit logs are retained for 12 months for security and compliance purposes.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

7.1 Right of Access

You may request a copy of the personal data we hold about you. Organization members can access their data through the Service dashboard.

7.2 Right to Rectification

You can update your Account information at any time through Settings.

7.3 Right to Erasure

You can delete your data through the Service, or contact us at privacy@credris.com.

7.4 Right to Data Portability

You can export your data in standard formats (CSV, PDF) through the Service dashboard.

7.5 Right to Object

You may object to processing in certain circumstances. Contact privacy@credris.com to exercise this right.

7.6 Right to Restrict Processing

You may request that we restrict processing while we verify accuracy or assess our grounds for processing.

8. Cookies and Tracking Technologies

8.1 Essential Cookies

We use strictly necessary cookies and local storage to maintain your authentication session. These cannot be disabled.

8.2 Analytics

We use Google Analytics to understand Service usage. Analytics cookies are only activated after you provide consent. We do not use advertising cookies or social media tracking pixels.

8.3 Error Monitoring

Sentry collects technical information when errors occur, used solely for debugging and improving the Service.

9. Children's Privacy

Credris is not directed at children under 16. We do not knowingly collect personal information from children. Organizations managing programs with minors are responsible for obtaining appropriate consent.

10. International Data Transfers

When we transfer data internationally, we ensure adequate safeguards including:

Standard Contractual Clauses (SCCs) approved by the European Commission.
Contractual obligations with service providers to protect data.
Compliance with applicable data transfer frameworks.

11.1 Legal Bases for Processing

Contractual Necessity: Processing necessary to perform our contract with you.
Legitimate Interest: Processing for service improvement, security, and fraud prevention.
Legal Obligation: Processing required to comply with applicable laws.
Consent: Where we rely on consent, you may withdraw it at any time.

11.2 Data Protection Officer

Contact our DPO at dpo@credris.com.

11.3 Supervisory Authority

EEA users have the right to lodge a complaint with their local data protection supervisory authority.

12. CCPA Compliance (California Residents)

Right to Know: Request disclosure of personal information we have collected.
Right to Delete: Request deletion of your personal information.
Right to Non-Discrimination: We will not discriminate for exercising your rights.
No Sale of Personal Information: We do not sell personal information.

To exercise your CCPA rights, contact privacy@credris.com.

13. Changes to This Privacy Policy

We may update this policy from time to time. We will notify you of material changes by email and by updating the "Last updated" date on this page.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy:

Privacy Inquiries: privacy@credris.com
Data Protection Officer: dpo@credris.com
General Support: hello@credris.com

We will respond to privacy-related requests within 30 days.

Privacy Policy

Last updated: February 28, 2026

This policy applies to all users of the Service, including Organization owners, administrators, staff members, and training participants whose data is processed through the platform.

1. Information We Collect

1.1 Information You Provide Directly

We collect information you voluntarily provide when you:

Create an Account: Email address, password (stored as a salted hash, never in plain text), and organization details.
Set Up an Organization: Organization name, logo, subdomain, and configuration settings including sender name and reply-to email address.
Create Events: Event name, description, dates, timezone, and event-specific settings.
Add Participants: Participant names, email addresses, phone numbers, and any custom fields you configure.
Upload Content: Certificate templates (images, PDFs), organization logos, and custom branding materials.
Contact Us: Name, email, and message content when you reach out for support.

1.2 Information Generated Through Service Use

We automatically generate and store the following data as part of providing the Service:

Attendance Records: Check-in timestamps, attendance status, QR code scans, and device information used for check-in.
Certificates: Generated PDF certificates, verification codes, issuance dates, download status, and email delivery status.
Audit Logs: Records of administrative actions including who performed them, when, and what changed.

1.3 Information Collected Automatically

When you access the Service, we automatically collect:

Log Data: IP address, browser type and version, operating system, referring URL, pages visited, and timestamps.
Device Information: Screen resolution, device type, and language preferences.
Performance Data: API response times, error rates, and service availability metrics.
Cookies and Local Storage: Authentication tokens stored securely. We do not use third-party tracking cookies.

2. How We Use Your Information

2.1 To Provide and Maintain the Service

Authenticate your identity and manage your Account.
Process and store event, participant, and attendance data.
Generate, store, and deliver certificates.
Send transactional emails (certificates, invitations, password resets).
Enable certificate verification by third parties via unique verification codes.

2.2 To Improve the Service

Analyze usage patterns to improve features and performance.
Monitor service health and reliability.
Identify and fix bugs, errors, and security vulnerabilities.

2.3 To Communicate With You

Send service-related notifications (account changes, security alerts).
Respond to your support requests and inquiries.
Notify you of material changes to these policies or the Terms of Service.

2.4 To Ensure Security and Compliance

Enforce rate limits and prevent abuse.
Detect and prevent fraud, unauthorized access, and other harmful activities.
Maintain audit logs for accountability and compliance.
Comply with legal obligations and respond to lawful requests.

3. Data Controller and Processor Roles

3.1 Credris as Data Controller

Credris is the Data Controller for Account information (your email, password, account settings) and service usage data.

3.2 Organization as Data Controller

3.3 Credris as Data Processor

Credris acts as a Data Processor for Participant data managed by Organizations. We process Participant data only as instructed by the Organization and in accordance with our Terms of Service.

4.1 We Do Not Sell Your Data

Credris does not sell, rent, or trade personal information to third parties. We do not share your data with advertisers or data brokers.

4.2 Service Providers

We share data with trusted third-party service providers under contractual obligations to protect your data:

Cloud Infrastructure: Hosting and database services in secure, access-controlled environments.
Email Delivery: Transactional email provider (Resend) for sending certificates and notifications. Only minimum necessary data is shared.
Error Tracking: Sentry for monitoring application errors. Reports never include passwords or sensitive personal data.
File Storage: Secure cloud storage for certificate PDFs, templates, and logos.
Queue Processing: Redis (BullMQ) for background job processing. Job data is transient and automatically purged.

4.3 Public Certificate Verification

When a certificate's verification code is queried, the following is made available: participant name, event name, organization name, issue date, and certificate validity status.

4.4 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request.

5. Data Storage and Security

5.1 Storage Location

Your data is stored on secure servers with industry-standard encryption for data in transit (TLS 1.2+) and access controls for data at rest.

5.2 Security Measures

Authentication: JWT-based authentication with short-lived access tokens and secure refresh token rotation.
Password Security: Passwords hashed using bcrypt. We never store plain-text passwords.
Access Control: Role-based access control (Owner, Admin, Staff) with organization-level isolation.
Rate Limiting: Protection against brute-force attacks.
Security Headers: HTTP security headers, strict CORS policies, and XSS protection.
Input Validation: All API inputs validated to prevent injection attacks.
Monitoring: Real-time error tracking and API latency monitoring.

5.3 Incident Response

In the event of a data breach, we will notify affected users and relevant authorities within 72 hours of becoming aware of the breach.

6. Data Retention

6.1 Active Account Data

We retain your data for as long as your Account is active and as needed to provide the Service.

6.2 Deleted Data

Individual Records: Permanently removed from active systems within 30 days.
Organization Deletion: All associated data permanently removed within 30 days.
Account Deletion: Personal data removed. Sole owners must transfer ownership or delete the Organization first.
Backups: Deleted data may persist in encrypted backups for up to 90 days.

6.3 Audit Logs

Administrative audit logs are retained for 12 months for security and compliance purposes.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

7.1 Right of Access

You may request a copy of the personal data we hold about you. Organization members can access their data through the Service dashboard.

7.2 Right to Rectification

You can update your Account information at any time through Settings.

7.3 Right to Erasure

You can delete your data through the Service, or contact us at privacy@credris.com.

7.4 Right to Data Portability

You can export your data in standard formats (CSV, PDF) through the Service dashboard.

7.5 Right to Object

You may object to processing in certain circumstances. Contact privacy@credris.com to exercise this right.

7.6 Right to Restrict Processing

You may request that we restrict processing while we verify accuracy or assess our grounds for processing.

8. Cookies and Tracking Technologies

8.1 Essential Cookies

We use strictly necessary cookies and local storage to maintain your authentication session. These cannot be disabled.

8.2 Analytics

We use Google Analytics to understand Service usage. Analytics cookies are only activated after you provide consent. We do not use advertising cookies or social media tracking pixels.

8.3 Error Monitoring

Sentry collects technical information when errors occur, used solely for debugging and improving the Service.

9. Children's Privacy

10. International Data Transfers

When we transfer data internationally, we ensure adequate safeguards including:

Standard Contractual Clauses (SCCs) approved by the European Commission.
Contractual obligations with service providers to protect data.
Compliance with applicable data transfer frameworks.

11.1 Legal Bases for Processing

Contractual Necessity: Processing necessary to perform our contract with you.
Legitimate Interest: Processing for service improvement, security, and fraud prevention.
Legal Obligation: Processing required to comply with applicable laws.
Consent: Where we rely on consent, you may withdraw it at any time.

11.2 Data Protection Officer

Contact our DPO at dpo@credris.com.

11.3 Supervisory Authority

EEA users have the right to lodge a complaint with their local data protection supervisory authority.

12. CCPA Compliance (California Residents)

Right to Know: Request disclosure of personal information we have collected.
Right to Delete: Request deletion of your personal information.
Right to Non-Discrimination: We will not discriminate for exercising your rights.
No Sale of Personal Information: We do not sell personal information.

To exercise your CCPA rights, contact privacy@credris.com.

13. Changes to This Privacy Policy

We may update this policy from time to time. We will notify you of material changes by email and by updating the "Last updated" date on this page.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy:

Privacy Inquiries: privacy@credris.com
Data Protection Officer: dpo@credris.com
General Support: hello@credris.com

We will respond to privacy-related requests within 30 days.

Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

1.2 Information Generated Through Service Use

1.3 Information Collected Automatically

2. How We Use Your Information

2.1 To Provide and Maintain the Service

2.2 To Improve the Service

2.3 To Communicate With You

2.4 To Ensure Security and Compliance

3. Data Controller and Processor Roles

3.1 Credris as Data Controller

3.2 Organization as Data Controller

3.3 Credris as Data Processor

4. Data Sharing and Disclosure

4.1 We Do Not Sell Your Data

4.2 Service Providers

4.3 Public Certificate Verification

4.4 Legal Requirements

5. Data Storage and Security

5.1 Storage Location

5.2 Security Measures

5.3 Incident Response

6. Data Retention

6.1 Active Account Data

6.2 Deleted Data

6.3 Audit Logs

7. Your Rights

7.1 Right of Access

7.2 Right to Rectification

7.3 Right to Erasure

7.4 Right to Data Portability

7.5 Right to Object

7.6 Right to Restrict Processing

8. Cookies and Tracking Technologies

8.1 Essential Cookies

8.2 Analytics

8.3 Error Monitoring

9. Children's Privacy

10. International Data Transfers

11. GDPR Compliance (EEA Users)

11.1 Legal Bases for Processing

11.2 Data Protection Officer

11.3 Supervisory Authority

12. CCPA Compliance (California Residents)

13. Changes to This Privacy Policy

14. Contact Us

Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

1.2 Information Generated Through Service Use

1.3 Information Collected Automatically

2. How We Use Your Information

2.1 To Provide and Maintain the Service

2.2 To Improve the Service

2.3 To Communicate With You

2.4 To Ensure Security and Compliance

3. Data Controller and Processor Roles

3.1 Credris as Data Controller

3.2 Organization as Data Controller

3.3 Credris as Data Processor

4. Data Sharing and Disclosure

4.1 We Do Not Sell Your Data

4.2 Service Providers

4.3 Public Certificate Verification

4.4 Legal Requirements

5. Data Storage and Security

5.1 Storage Location

5.2 Security Measures

5.3 Incident Response

6. Data Retention

6.1 Active Account Data

6.2 Deleted Data

6.3 Audit Logs

7. Your Rights

7.1 Right of Access

7.2 Right to Rectification

7.3 Right to Erasure

7.4 Right to Data Portability

7.5 Right to Object