Privacy Policy

This Privacy Policy explains how CreditRefresh.ai ("CreditRefresh," "we," "us," or "our") collects, uses, shares, and protects information about consumers who interact with our website at creditrefresh.ai and our authenticated software application (together, the "Service").

CreditRefresh is operated by Credit Refresh LLC, a Delaware single-member limited liability company.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Privacy Policy, do not access or use the Service.

1. Introduction and Scope

This Privacy Policy applies to personal information that CreditRefresh collects from and about consumers in the United States who interact with the Service, including:

Visitors to our marketing website at creditrefresh.ai, including pre-login pages such as the homepage, pricing page, FAQ, support and help center, blog, and waitlist signup page.
Subscribers who create an account, complete identity verification, and use our authenticated application to monitor credit and generate dispute correspondence.

This Privacy Policy does not apply to information collected by third-party services that we do not own or control, even when those services are linked from or integrated with the Service. Where this policy describes information practices of our service providers, those descriptions are summaries provided for transparency, and the practices of those service providers are governed by their own privacy notices.

The Service is offered to consumers located in the United States only. The Service is not intended for, marketed to, or offered to individuals located outside the United States. We do not knowingly collect personal information from individuals outside the United States. See Section 17.

2. Information We Collect

We collect three categories of information: information you provide to us directly, information we collect automatically when you use the Service, and information we receive from third parties.

2.1 Information You Provide to Us

When you sign up for the Service, create an account, complete identity verification, communicate with us, or otherwise use the Service, you may provide the following categories of information:

Identity and contact information. Full legal name, mailing address, email address, telephone number, and date of birth.

Government identifiers. The last four digits of your Social Security Number, and in some cases your full Social Security Number, where required by our identity verification provider to confirm your identity and authorize a credit report pull. See Section 5 for information about how this data is shared with that provider.

Account credentials. Username, password (stored only in hashed form), security questions, and similar authentication information.

Communications and support content. The content of messages, support tickets, survey responses, and any documents or files you upload to the Service.

Payment information. Billing address, the last four digits of your payment card, payment card brand, and an internal customer identifier issued by our payment processor. Full payment card numbers are submitted directly to our payment processor and are not stored by CreditRefresh. See Section 5.

Marketing and waitlist information. Email address, phone number, and any other contact information you submit through our waitlist, lead capture forms, Instagram comment-to-DM automation, or other marketing channels.

2.2 Information We Collect Automatically

When you access or use the Service, certain information is collected automatically, including:

Device and connection data. Internet Protocol (IP) address, browser type and version, operating system, device identifiers, screen size, language preferences, and referral source.

Usage data. Pages and screens viewed, links clicked, search terms entered, time and date of access, time spent on pages, navigation paths, and error logs.

Cookies and similar technologies. See Section 8 for a description of the cookies and similar tracking technologies we use.

Session recording on marketing pages only. A third-party session recording and behavioral analytics tool is deployed on our pre-login marketing pages and records visitor sessions on those pages. The tool is explicitly disabled inside the authenticated application. See Section 7 for the full description of session recording scope, masking, and consent.

2.3 Information We Receive From Third Parties

After you sign up and authorize the Service to pull your credit information, we receive the following categories of information from third parties:

Credit report data from the consumer reporting agencies. Full consumer credit reports from Equifax, Experian, and TransUnion, including but not limited to: credit scores; tradeline-level account data such as creditor names, account numbers, balances, credit limits, payment history, account dates, and account status; public records including bankruptcies, judgments, and liens; collection accounts; and credit inquiries. This information is delivered to us by our credit data integration provider, after you complete identity verification and authorize the pull.

Identity verification results. Confirmation of identity and any flags or signals returned by the identity verification flow.

Payment status. Subscription status, recurring billing outcomes, refunds, chargebacks, and similar information from our payment processor and payment facilitator partner.

Marketing attribution data. Click identifiers, ad attribution signals, and conversion data from advertising and analytics platforms.

2.4 Sensitive Personal Information

Some of the information described above is considered "sensitive personal information" under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), and under similar provisions of other state privacy laws. This includes:

Social Security Number (in full or partial form).
Account log-in credentials in combination with any required password or security access code.
Precise financial information, including the contents of consumer reports and tradeline-level financial account information.
Date of birth.

We process sensitive personal information only for the purposes described in this Privacy Policy, including to provide the Service you have requested, to verify your identity, to comply with applicable law, and to detect and prevent fraud. See Section 12 for your right to limit the use of sensitive personal information.

3. How We Use Information

We use the information described in Section 2 for the following purposes:

Service delivery. To create and maintain your account, to authenticate you, to deliver the credit monitoring features of the Service, to pull your credit reports from the three nationwide consumer reporting agencies through our credit data integration provider, to display your credit information inside the application, and to provide the dispute generation tool bundled with your subscription.

Dispute letter generation. To analyze your credit reports for potential errors and potential Fair Credit Reporting Act violations using artificial intelligence, to draft dispute correspondence based on that analysis, and to make those draft letters available for your review and approval inside the application. The Service prepares correspondence on your behalf only after you review and approve each draft. See Section 6.

Customer support. To respond to support requests, troubleshoot issues, and communicate with you about the Service.

Payment processing and billing. To process subscription payments, manage subscription status, issue refunds, handle chargebacks, and address billing inquiries.

Fraud prevention and security. To verify your identity, to detect and prevent fraud, to investigate suspected misuse of the Service, to enforce our Terms of Service, and to protect the rights, property, and safety of CreditRefresh, our users, and others.

Marketing and promotional communications. To send you marketing emails about the Service, to deliver targeted advertising, to measure the effectiveness of our advertising campaigns, and to operate referral and waitlist programs. See Section 15.

Analytics and product improvement. To understand how visitors and users interact with the Service, to measure performance, to identify usability problems, and to improve the design and functionality of our marketing website and authenticated application. This includes session recording on our marketing pages as described in Section 7.

Legal compliance and recordkeeping. To comply with applicable laws and regulations, including the Fair Credit Reporting Act ("FCRA"), the Gramm-Leach-Bliley Act ("GLBA"), tax and accounting laws, anti-money-laundering requirements, and lawful requests from government authorities.

4. Legal Bases for Processing

We rely on the following grounds to process personal information:

Performance of a contract. We process information necessary to provide the Service you have purchased, including to create your account, pull and display your credit reports, and generate dispute correspondence on your instruction.

Consent. We process certain categories of information based on your consent, including consent provided through our cookie and tracking consent banner, consent to receive marketing communications, and consent to authorize a credit report pull. You may withdraw consent at any time as described in this policy.

Legitimate interests. We process information for our legitimate interests in operating, securing, and improving the Service, including for fraud prevention, security, analytics, and product improvement, provided those interests are not overridden by your rights.

Legal obligation. We process information where required to comply with applicable laws and regulations, including FCRA recordkeeping obligations and GLBA safeguards.

The General Data Protection Regulation ("GDPR") and the United Kingdom General Data Protection Regulation ("UK GDPR") do not apply to the Service. The legal-basis framework above is provided because several state privacy laws use similar concepts and because we believe transparency is appropriate.

We do not sell your personal information for monetary consideration. We share personal information only as described in this section.

5.1 Service Providers and Processors

We share information with service providers who perform services on our behalf and who are contractually limited to processing personal information for the purposes we specify. The categories of service providers we use include:

Credit data and identity verification provider. We use a third-party provider to integrate with the three nationwide consumer reporting agencies and to handle identity verification. We share with this provider the identifying information necessary to verify your identity and authorize the report pull, including your name, address, date of birth, and Social Security Number (in whole or in part), and we receive credit report data back from the provider.

Payment gateway. Subscription payments are processed through a third-party payment gateway. We share with this gateway the payment information necessary to process transactions, including payment card information that is submitted directly by you to the gateway and is not stored by CreditRefresh.

Payment facilitator. A third-party payment processor and payment facilitator may sit between CreditRefresh and our payment gateway for the purposes of routing subscription payments and managing merchant-of-record functions. We share billing identifiers and transaction data with this partner as necessary to operate subscription billing.

Letter mailing payments. Where the Service offers paid physical mailing of approved dispute letters, payments for those one-off charges may be processed by a separate third-party payment processor. Where applicable, payment card information is submitted directly to that processor and is not stored by CreditRefresh.

Email and messaging providers. We use third-party providers to send transactional, account-related, security-related, and marketing communications by email and text message.

Web analytics provider. We share usage data with a third-party web analytics provider to measure marketing site and application performance.

Advertising and remarketing providers. We share online activity data with third-party advertising and remarketing providers to measure advertising performance and to deliver targeted advertising on third-party platforms.

Session recording and behavioral analytics provider. We share session data captured on our pre-login marketing pages with a third-party session recording and behavioral analytics provider, subject to the scope limitations and masking configuration described in Section 7.

Social media automation provider. We use a third-party automation provider to operate comment-to-direct-message automation on Instagram and to capture opt-ins for our waitlist and marketing communications.

Hosting and infrastructure providers. Our marketing site, application backend, and databases are hosted on infrastructure operated by third-party hosting and infrastructure providers.

Artificial intelligence model provider. Credit report content is processed through a third-party large language model provider for the purpose of drafting dispute correspondence. See Section 6.

5.2 Legal Disclosures

We may disclose personal information when we believe in good faith that disclosure is necessary to:

Comply with applicable law, regulation, legal process, or governmental request, including subpoenas, court orders, and law enforcement requests.
Enforce our Terms of Service, including investigation of potential violations.
Detect, prevent, or otherwise address fraud, security, or technical issues.
Protect the rights, property, or safety of CreditRefresh, our users, or others.

5.3 Business Transfers

If CreditRefresh is involved in a merger, acquisition, reorganization, financing, sale of all or a portion of its assets, or similar transaction, personal information may be transferred as part of that transaction. We will notify you of any such transfer and any change in the applicable privacy practices through a notice on the Service or by email where required by applicable law.

5.4 With Your Direction

We share personal information with third parties when you direct us to do so, including when you approve the sending of a draft dispute letter to a consumer reporting agency.

5.5 No Sale of Personal Information

CreditRefresh does not sell personal information for monetary consideration. Certain disclosures to third-party advertising and analytics providers may constitute "sharing" of personal information for cross-context behavioral advertising under the CCPA. Residents of California and certain other states have the right to opt out of this sharing. See Section 11 and Section 12.

6. AI and Automated Processing

CreditRefresh uses artificial intelligence as part of the Service. We disclose the following about how AI is used:

What the AI does. After your credit reports are pulled from the three nationwide consumer reporting agencies through our credit data integration provider, the contents of those reports are processed by a large language model operated by a third-party AI model provider. The model analyzes the reports for potential errors, potential inaccuracies, and potential violations of the Fair Credit Reporting Act, and it drafts dispute correspondence based on that analysis.

What the AI does not do. The AI does not make any final decision that has a legal effect or similarly significant effect on you. The AI does not dispute information on your behalf and does not transmit correspondence to consumer reporting agencies without your action. The draft dispute correspondence prepared by the AI is presented to you inside the application for review, and no correspondence is sent until you review and approve it.

Your control. You retain full control over every dispute letter prepared by the Service. You may edit, reject, or decline to send any draft. Nothing in the Service is intended to substitute for your own judgment or for the advice of a licensed attorney.

Provider scope. The AI model provider processes credit report content only for the purpose of preparing draft correspondence for you. Under our agreement with the provider, your content is not used to train third-party general-purpose models, subject to the provider's own privacy and data-use practices.

Right to opt out of profiling. Under several state privacy laws, you have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. Because CreditRefresh does not make such decisions about you using automated means, this right is not directly implicated by the Service. You may still exercise this right by contacting us as described in Section 11.

7. Session Recording and Behavioral Analytics

We provide a dedicated disclosure for session recording because the scope of the tool and the consent posture matter.

7.1 Scope Limitation

We use a third-party session recording and behavioral analytics tool (the "tool") to record visitor sessions on our pre-login marketing pages only. These pages include the homepage, pricing page, FAQ page, support and help center, blog, waitlist signup page, and other pages that do not require authentication.

The tool is explicitly disabled inside the authenticated application. The tool does not record sessions on any page behind the login wall, including pages where credit report content is displayed, pages where dispute letters are drafted or reviewed, billing pages, account settings, or any other authenticated route.

This scope limitation is intentional. Authenticated content, including consumer credit report data, is not captured by session recording at any time.

7.2 What Is Captured on Marketing Pages

On the marketing pages where the tool is active, the tool captures:

Keystrokes entered into form fields, with sensitive fields masked as described in Section 7.3.
Mouse movement and cursor position.
Scroll behavior.
Click and tap events.
Page navigation and timing.
Rendered Document Object Model (DOM) content of the page, excluding masked elements.
Browser console messages and error events.

7.3 Masking Configuration

The tool is configured to mask personal information on the marketing pages where it operates:

Form inputs are masked by default through the tool's built-in input masking.
Additional masking is applied to user-provided content displayed in the rendered page through Cascading Style Sheet (CSS) selector rules and data-attribute rules.
IP addresses are anonymized by the tool in accordance with the tool's published configuration.

Where applicable law requires consent for session recording, we obtain that consent through our cookie and tracking consent banner, which is presented to visitors on the marketing pages. Continued use of the marketing pages after notice and after the opportunity to decline non-essential cookies constitutes consent for purposes of state laws that recognize implied consent through continued use following clear and conspicuous notice.

7.5 Opt-Out

You may opt out of session recording on the marketing pages by:

Declining non-essential cookies through our cookie and tracking consent banner.
Submitting an opt-out of sale or sharing request as described in Section 11 and Section 12.
Using a Global Privacy Control ("GPC") signal that is recognized by our marketing pages.

7.6 Retention

Recordings captured by the tool are retained in accordance with the tool's published retention policy. We do not extend the retention of these recordings beyond that policy.

8. Cookies and Tracking Technologies

We use cookies, pixels, software development kits (SDKs), local storage, and similar technologies on the Service. We use the following categories:

Strictly necessary cookies. Required for the Service to function, including for authentication, session management, security, and load balancing. These cookies cannot be disabled.

Functional cookies. Used to remember user preferences and to provide enhanced functionality.

Analytics cookies. Used to measure how visitors and users interact with the Service. Includes our web analytics provider and our session recording tool (marketing pages only).

Advertising cookies. Used to deliver targeted advertising and to measure the effectiveness of advertising campaigns. Includes our third-party advertising and remarketing tools.

We present a cookie and tracking consent banner on the marketing pages of the Service. You may use that banner to accept or decline non-essential cookies. You may also adjust your browser settings to block or delete cookies, although doing so may affect the functionality of the Service.

Some browsers transmit Do Not Track signals or Global Privacy Control signals. The Service treats a recognized Global Privacy Control signal received on the marketing pages as a valid opt-out of sale and sharing of personal information for cross-context behavioral advertising for the browser that sent the signal.

9. Data Retention

We retain personal information for as long as necessary to provide the Service, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. Specific retention periods include the following:

Account data. Retained for the life of your account plus seven (7) years after account closure, subject to applicable legal hold and recordkeeping requirements.

Credit report data. Retained for the duration of your active subscription. After account closure, credit report data is retained for seven (7) years, consistent with FCRA and GLBA recordkeeping obligations and applicable financial recordkeeping standards, and is then deleted or de-identified.

Dispute correspondence and outcomes. Retained for seven (7) years following the resolution of the dispute or the closure of your account, whichever is later, to allow you to access your dispute history and to support our obligations.

Payment records. Retained for the period required by applicable tax, accounting, and anti-fraud laws, generally seven (7) years.

Marketing data. Retained until you opt out, after which we retain a suppression record indefinitely to honor your opt-out.

Session recordings. Retained in accordance with the session recording tool's published retention policy.

Support communications. Retained for seven (7) years following resolution of the matter.

We may retain information for longer where required by law, where necessary to enforce our rights, or where retention is otherwise permitted.

10. Data Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. Our safeguards include:

Encryption of personal information in transit using industry-standard transport-layer security.
Encryption of personal information at rest in the production database environment.
Access controls that limit access to personal information to personnel with a legitimate business need.
Role-based authentication and multi-factor authentication for administrative access.
Logging and monitoring of access to systems that store personal information.
Vendor due diligence and contractual obligations on service providers who process personal information on our behalf.
A written information security program informed by the GLBA Safeguards Rule.

CreditRefresh is working toward a System and Organization Controls 2 (SOC 2) Type 2 audit. As of the effective date of this policy, no SOC 2 audit has been completed. We do not represent that we hold SOC 2 Type 2, ISO 27001, or PCI DSS Level 1 certification.

Payment card information is submitted directly to our payment processor and payment facilitator partner and is not stored on CreditRefresh systems. Our payment partners are responsible for maintaining their own PCI DSS compliance posture.

No method of transmission or storage is completely secure. We cannot guarantee absolute security, and you should take steps to protect your own account, including by selecting a strong password, enabling multi-factor authentication where offered, and notifying us promptly if you suspect unauthorized access.

11. Your Rights and Choices

Subject to applicable law and to identity verification, you may have the following rights with respect to your personal information.

11.1 Consolidated Rights

Right to know or access. You may request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collecting it, and the categories of third parties with whom we share it.

Right to delete. You may request that we delete personal information we have collected from you, subject to legal and operational exceptions.

Right to correct. You may request that we correct inaccurate personal information about you.

Right to portability. You may request a copy of certain personal information in a portable, readily usable format where required by applicable law.

Right to opt out of targeted advertising. You may opt out of the processing of personal information for the purpose of targeted advertising, including the use of third-party advertising and remarketing tools for cross-context behavioral advertising.

Right to opt out of sale or sharing. You may opt out of any sale or sharing of personal information.

Right to opt out of profiling. You may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. As described in Section 6, CreditRefresh does not make such decisions about you using automated means.

Right to limit use of sensitive personal information. Residents of California have the right to limit the use and disclosure of sensitive personal information to certain purposes. See Section 12.

Right to non-discrimination. We will not deny you the Service, charge you a different price, or provide a different level of service because you exercised a right under applicable privacy law.

Right to appeal. Where required by state law, you have the right to appeal our decision on a privacy request.

11.2 How to Submit a Request

You may submit a privacy request by:

Emailing privacy@creditrefresh.ai.
Sending a written request to 8 The Green, Suite A, Dover, DE 19901, Attn: Privacy.
Using any opt-out mechanism made available on our marketing pages, including the cookie and tracking consent banner.

11.3 Verification

To protect your information, we will take reasonable steps to verify your identity before processing a request. The verification standard will be proportional to the sensitivity of the data requested. We may require you to provide information that allows us to reasonably match your request with information we maintain.

11.4 Authorized Agents

You may authorize an agent to submit a request on your behalf. We may require written authorization from you and verification of the agent's identity.

11.5 Response Timelines

We will respond to verified requests within the timeframes required by applicable law, generally within 45 days of receipt, with one extension of up to 45 additional days where reasonably necessary and where notice of the extension is provided to you.

11.6 Appeals

If we deny your request and your state of residence provides an appeal right, you may appeal our decision by emailing privacy@creditrefresh.ai with the subject line "Privacy Appeal." We will respond to appeals within the timeframes required by applicable law, generally within 60 days. If your appeal is denied, you may contact your state attorney general.

12. California-Specific Disclosures

This section provides disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"). It applies to California residents.

12.1 Categories of Personal Information Collected

In the preceding twelve months, we have collected the following categories of personal information defined in California Civil Code Section 1798.140:

Identifiers (name, email, postal address, telephone number, IP address, account name, online identifier, government identifiers including Social Security Number).
Categories of personal information described in California Civil Code Section 1798.80 (signature, address, telephone number, financial information).
Commercial information (transaction history, subscription status).
Internet or other network activity (browsing history, search history, interactions with the Service).
Geolocation data (general location inferred from IP address).
Inferences drawn from the above (preferences, characteristics, behavior).
Sensitive personal information (Social Security Number, account credentials, contents of consumer reports, precise financial information, date of birth).

12.2 Sources of Personal Information

We collect personal information from the sources described in Section 2.

12.3 Purposes of Collection

We use personal information for the purposes described in Section 3.

12.4 Categories of Third Parties

We disclose personal information to the categories of recipients described in Section 5.

CreditRefresh does not sell personal information for monetary consideration. Certain disclosures to third-party advertising and analytics providers may constitute "sharing" for cross-context behavioral advertising under the CCPA. You have the right to opt out of this sharing.

To opt out of sharing, you may:

Use the cookie and tracking consent banner on the marketing pages of the Service.
Send a request to privacy@creditrefresh.ai.
Transmit a Global Privacy Control signal, which we recognize as a valid opt-out for the browser that sent the signal.

12.6 Right to Limit Use of Sensitive Personal Information

You have the right to direct us to limit the use of sensitive personal information to those purposes specified in California Civil Code Section 1798.121, including for purposes necessary to provide the Service you have requested. To exercise this right, email privacy@creditrefresh.ai with the subject line "Limit Sensitive PI."

12.7 Retention Periods

We retain each category of personal information for the periods described in Section 9.

12.8 Shine the Light

California Civil Code Section 1798.83 allows California residents to request information about the disclosure of personal information to third parties for those third parties' direct marketing purposes. CreditRefresh does not disclose personal information to third parties for those third parties' own direct marketing purposes.

12.9 California Minors

The Service is not directed to individuals under 13, and we do not knowingly collect personal information from individuals under 13. The Service is also not directed to individuals under 18. We do not knowingly sell or share the personal information of individuals under 16.

12.10 No Discrimination

We will not discriminate against you for exercising any of your CCPA rights.

13. Other State-Specific Disclosures

This section provides additional disclosures and rights for residents of other states with comprehensive privacy laws.

13.1 States Covered

The rights described in Section 11 are available to residents of the following states, subject to each state's specific definitions and thresholds:

Virginia (Virginia Consumer Data Protection Act)
Colorado (Colorado Privacy Act)
Connecticut (Connecticut Data Privacy Act)
Utah (Utah Consumer Privacy Act)
Texas (Texas Data Privacy and Security Act)
Oregon (Oregon Consumer Privacy Act)
Montana (Montana Consumer Data Privacy Act)
Iowa (Iowa Consumer Data Protection Act)
Tennessee (Tennessee Information Protection Act)
Delaware (Delaware Personal Data Privacy Act)
New Jersey (New Jersey Data Privacy Act)
New Hampshire (New Hampshire Data Privacy Act)
Nebraska (Nebraska Data Privacy Act)
Minnesota (Minnesota Consumer Data Privacy Act)
Maryland (Maryland Online Data Privacy Act)
Indiana (Indiana Consumer Data Protection Act)
Kentucky (Kentucky Consumer Data Protection Act)
Rhode Island (Rhode Island Data Transparency and Privacy Protection Act)

13.2 Rights Common to These States

Residents of the listed states generally have the rights to know or access, to delete, to correct, to data portability, to opt out of targeted advertising, to opt out of sale, and to opt out of profiling that produces legal or similarly significant effects. Residents of Colorado, Connecticut, Virginia, and certain other states also have the right to appeal denials of privacy requests.

13.3 State-Specific Variations

Texas. The Texas Data Privacy and Security Act requires us to provide a clear and conspicuous notice if we sell sensitive personal data or biometric data. We do not sell sensitive personal data or biometric data.

Oregon. Oregon residents have the right to obtain a list of specific third parties to which we have disclosed their personal data, subject to applicable thresholds and exclusions.

Maryland. Maryland imposes a heightened standard on processing of sensitive personal data, and we process sensitive personal data only as reasonably necessary to provide the Service requested by the consumer.

Connecticut and Colorado. Beginning with the effective dates established by the applicable state authority, we recognize universal opt-out mechanisms, including the Global Privacy Control, for sale and targeted advertising opt-outs.

13.4 Submitting a Request

Residents of these states may submit privacy requests using the methods described in Section 11.2.

14. Children's Privacy

The Service is not directed to children under 13 and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete that information as soon as reasonably practicable. If you believe we may have collected personal information from a child under 13, please contact us at privacy@creditrefresh.ai.

The Service is offered to consumers who are at least 18 years of age. Additional protections for individuals between 13 and 17 are described in Section 12.9 and in applicable state law.

15. Communications and Opt-Out

We communicate with you by email, by text message (where you have provided a telephone number), through the application, and in some cases through other channels you have opted into. This Section 15 explains the categories of communications we send and your opt-out rights.

Email. We send transactional and service emails as necessary to operate your account, including account confirmations, security notifications, billing notifications, dispute status updates, and similar messages. We also send marketing emails about the Service, including newsletters, product announcements, and promotional offers. You may opt out of marketing emails at any time by clicking the unsubscribe link in any marketing email or by emailing privacy@creditrefresh.ai. Opting out of marketing emails does not stop transactional and service emails, which we will continue to send as necessary to operate your account. We comply with the federal CAN-SPAM Act in all commercial email we send.

Text messages (SMS). If you provide your telephone number to us, you may receive transactional, account-related, security-related, and service-related text messages from us. These may include, without limitation, messages about your account, your subscription, identity verification, security alerts, dispute status updates, bureau responses to disputes you have authorized, and other operational notifications about the Service. Marketing text messages are subject to your separate consent under the federal Telephone Consumer Protection Act ("TCPA"), 47 U.S.C. Section 227, and applicable state law, and your separate consent (or the absence of it) controls regardless of any general authorization in our Terms of Service. Message and data rates may apply. Message frequency varies based on your account activity. You may opt out of text messages at any time by replying STOP to a text message or by emailing privacy@creditrefresh.ai. If you opt out of text messages, we may be unable to send you certain account, security, or dispute-related notifications by text and will use email or in-application notifications to reach you.

Instagram comment-to-DM automation. We use a third-party automation tool to operate comment-to-direct-message automation on Instagram. If you have opted in through this channel, you may opt out by sending the word STOP through the channel or by emailing privacy@creditrefresh.ai.

In-application notifications. We may deliver notifications inside the authenticated application about your account, your subscription, dispute activity, bureau responses, and other operational matters. You may adjust in-application notification preferences in your account settings, where available, but certain notifications may be required for the Service to function and cannot be disabled.

16. Third-Party Links and Services

The Service may contain links to third-party websites, services, and resources, including links to the websites of consumer reporting agencies, the Consumer Financial Protection Bureau, and the Federal Trade Commission. We are not responsible for the privacy practices of third parties. We encourage you to read the privacy notices of any third-party services you access.

17. International Users

The Service is offered to consumers located in the United States only. CreditRefresh is based in the United States. The Service is not directed to, marketed to, or intended for use by individuals located outside the United States, and we do not knowingly collect personal information from individuals outside the United States.

This Privacy Policy does not address rights or obligations under the European Union General Data Protection Regulation, the United Kingdom General Data Protection Regulation, the Canadian Personal Information Protection and Electronic Documents Act, or other non-United States privacy laws.

If you are located outside the United States, do not use the Service.

18. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this policy indicates when this policy was most recently revised. If we make material changes, we will provide notice through the Service or by email to the address associated with your account, where required by applicable law, before the changes take effect.

Your continued use of the Service after the effective date of an updated Privacy Policy constitutes acceptance of the updated policy.

19. How to Contact Us

For privacy questions, requests, or complaints, contact us at:

Email: privacy@creditrefresh.ai

Mailing address:

Credit Refresh LLCAttn: Privacy8 The Green, Suite ADover, DE 19901