Summary: We collect only what's needed to generate your readiness report. We don't sell data, don't spam, and don't share documents with lenders without your consent.
1. Data We Collect
Account Information
- Email address (for login and communication)
- Full name and company name
- Persona type (business owner, advisor, DSA)
- Phone number (optional, only if you choose to share it)
Financial Documents
- Bank statements — used to extract transaction patterns, turnover, EMI outflows, and cash flow metrics.
- GSTIN / GST data — used to verify business identity, filing compliance, and credit intelligence signals.
- KYC documents (PAN, Aadhaar) — used only for name matching and validation. Not stored after processing.
- CIBIL self-reported data — approximate score range and credit history inputs you provide.
Usage Data
- Pages visited, features used, report downloads
- Device type, browser, and session identifiers
- Error logs for debugging and service improvement
2. How We Use Your Data
- Analysis only: Documents are parsed to generate your readiness score and lender match report.
- No sharing without consent: Your raw documents and parsed data are never shared with lenders, banks, or third parties without your explicit consent.
- Service improvement: Aggregated, anonymised usage patterns help us improve parsing accuracy and scoring models.
- Communication: We may send you transactional emails (reports, password resets). We will not send marketing emails without your opt-in.
3. Third-Party Services
- Google Gemini AI: Bank statement text and GST data may be sent to Google's Gemini API for parsing and analysis. Only document text content is shared — no personal identifiers are included in prompts. Google's data usage policies apply.
- IRIS GST API: Your GSTIN is sent to IRIS for fetching public GST filing data.
- Google OAuth: If you sign in with Google, we receive your name and email from Google. We do not access any other Google data.
4. Data Retention
- Uploaded documents: Stored on encrypted servers for up to 90 days to allow re-analysis and report regeneration. Deleted automatically after that.
- KYC documents (PAN, Aadhaar): Processed in memory for name matching and deleted immediately. Not stored on disk.
- Generated reports: Retained for 12 months or until you delete your account.
- Account data: Retained until you request deletion.
5. Cookies
We use essential cookies for session management (login state). We do not use third-party tracking cookies or advertising pixels. No cookie consent banner is needed as we use only strictly necessary cookies.
6. Security Measures
- All data transmitted over HTTPS (TLS 1.2+)
- Uploaded documents stored with server-side encryption
- Access controls and role-based permissions
- Password hashing using bcrypt
- Regular security reviews
7. Your Rights
Under the Information Technology Act 2000 and the Digital Personal Data Protection (DPDP) Act 2023, you have the right to:
- Access: Request a copy of all personal data we hold about you.
- Correction: Update or correct inaccurate data.
- Deletion: Request deletion of your account and all associated data.
- Portability: Request your data in a machine-readable format.
- Withdraw consent: Revoke consent for data processing at any time.
- Grievance redressal: File a complaint with our Grievance Officer or the Data Protection Board of India.
8. Children's Privacy
Credilo is not intended for individuals under 18 years of age. We do not knowingly collect data from minors.
9. Changes to This Policy
We may update this Privacy Policy periodically. We will notify registered users via email of any material changes. The updated policy will be posted on this page with a revised date.
10. Contact & Grievance Officer
For privacy-related questions or to exercise your rights:
Email: support@credilo.in
Grievance Officer: support@credilo.in
Web: credilo.in/contact
Last updated: May 2026