Privacy Policy

CredaFi, Inc. (“CredaFi,” “we,” “us,” or “our”) is a Delaware-incorporated company building settlement intelligence infrastructure for B2B travel payments. We operate the websites credafi.ai and credafi.xyz (together, the “Sites”), and will operate the CredaFi settlement platform (the “Platform”) when it becomes available.

This Privacy Policy explains how we collect, use, share, and protect personal information when you visit our Sites, use our Platform, or otherwise interact with us. It applies to visitors, prospective customers, design partners, and users of our services.

If you have questions, contact us at privacy@credafi.ai or hello@credafi.ai.

2.1 Information you provide directly

• Contact information. Name, company name, and work email address when you submit the pilot request form or assessment calculator on our Sites.
• Settlement assessment inputs. When you use our interactive assessment tool, you may provide approximate settlement volume, number of corridors, settlement cycle frequency, FX handling method, and reconciliation hours. These inputs are used to generate your personalized estimate and are not linked to your identity unless you subsequently provide your contact details.
• Communications. Information you include when you email us, respond to a survey, or otherwise communicate with us.
• Platform data (future).When our Platform becomes available, customers and design partners may upload or transmit settlement files, treasury data, payment instructions, and related business records. This data is processed solely to deliver our settlement intelligence services and is governed by a separate Data Processing Agreement (“DPA”) with each customer.

2.2 Information collected automatically

• Analytics data. We use Vercel Analytics to collect aggregated, anonymized usage data including page views, referral source, country, device type, and browser. Vercel Analytics does not use cookies and does not collect personal identifiers. See Vercel’s Analytics privacy policy.
• Server logs. Our hosting infrastructure automatically records standard server log data, including IP address, request URL, timestamp, and HTTP status code. This data is retained for security and debugging purposes and is deleted within 30 days.

2.3 Information from third parties

We may receive business contact information from publicly available sources, industry events, or referrals from our network. If we receive your information this way, we will use it only to contact you about our services and will honor any opt-out request promptly.

We use personal information for the following purposes:

• To respond to inquiries. Processing pilot requests, assessment results, and other communications you initiate.
• To provide our services. Operating the Platform, processing settlement data, generating analytics, and delivering settlement intelligence to customers under their DPA.
• To improve our Sites and services. Understanding how visitors use our Sites through anonymized analytics, identifying technical issues, and improving the user experience.
• To communicate with you. Sending updates about our services, responding to your requests, and providing information you have asked for.
• To comply with legal obligations. Meeting regulatory requirements, responding to legal process, and protecting our rights.
• To protect security. Detecting and preventing fraud, abuse, and security incidents on our Sites and Platform.

We do not sell your personal information. We do not use your personal information for automated decision-making that produces legal or similarly significant effects.

4.1 US visitors and customers

We process your personal information based on: (a) your consent, such as when you submit a form or assessment; (b) our legitimate business interests, such as improving our services and communicating with business contacts; (c) performance of a contract, when processing settlement data under a customer agreement; and (d) compliance with legal obligations. Where required by applicable state law, we obtain your consent before collecting or processing sensitive personal information.

4.2 UK and EEA visitors

If you are located in the United Kingdom or European Economic Area, we process your personal data under the following legal bases under UK GDPR / EU GDPR:

• Consent. When you voluntarily submit the contact form or assessment calculator. You may withdraw consent at any time by emailing privacy@credafi.ai.
• Legitimate interests. Analyzing anonymized site usage, improving our services, and communicating with business contacts about our services, where our interests do not override your rights and freedoms.
• Contractual necessity. Processing settlement data and treasury information as necessary to perform our obligations under a customer agreement and DPA.
• Legal obligation. Where processing is required to comply with applicable law, regulation, or legal process.

We do not sell, rent, or trade your personal information. We may share your information in these limited circumstances:

• Service providers. We use third-party services to host our Sites (Vercel), deliver email, and operate our Platform. These providers process data only on our instructions and under appropriate contractual safeguards.
• Settlement rail partners (Platform). When processing settlement transactions, we transmit necessary payment instructions and settlement data to partner rail providers (e.g., stablecoin infrastructure providers, card networks). We share only the data required to execute the settlement instruction. CredaFi does not take custody of customer funds.
• Legal requirements. We may disclose information if required by law, regulation, legal process, or governmental request.
• Business transfers. If CredaFi is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
• With your consent. In any other circumstance, we will ask for your consent before sharing your information.

Our Sites currently use Vercel Analytics, which is a privacy-focused analytics service that does not use cookies and does not track individual users across sites.

We do not currently use advertising cookies, retargeting pixels, or third-party tracking scripts. If this changes in the future, we will update this policy and, where required by law, obtain your consent before deploying such technologies.

Our Sites use essential, functional elements (such as form state management) that rely on browser session storage. These do not track you and are cleared when you close your browser.

CredaFi is based in the United States. If you are visiting from the United Kingdom, European Economic Area, or another jurisdiction with data protection laws that differ from US law, please be aware that your information will be transferred to, stored, and processed in the United States.

For transfers of personal data from the UK or EEA to the United States, we rely on the EU-US Data Privacy Framework and the UK Extension to the EU-US Data Privacy Framework, or Standard Contractual Clauses (SCCs) approved by the European Commission and the UK Information Commissioner’s Office (ICO), as applicable.

If you are a Platform customer, data transfer mechanisms will be specified in your Data Processing Agreement.

• Contact form and assessment data. Retained for as long as necessary to respond to your inquiry and maintain the business relationship, or until you request deletion. If we do not have an ongoing relationship, we delete this data within 24 months of collection.
• Server logs. Retained for up to 30 days for security and debugging purposes.
• Analytics data.Vercel Analytics data is aggregated and anonymized. See Vercel’s retention policies.
• Platform data.Customer settlement data is retained in accordance with the customer’s DPA and applicable regulatory retention requirements. Upon termination of a customer agreement, data is deleted or returned within 90 days unless retention is required by law.

We implement appropriate technical and organizational measures to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include:

• Encryption of data in transit (TLS/HTTPS on all Sites and APIs)
• Encryption of data at rest for Platform data
• Access controls limiting data access to authorized personnel
• Regular review of security practices

No method of transmission or storage is completely secure. If you become aware of a security vulnerability or suspect unauthorized access to your data, please contact us immediately at security@credafi.ai.

Depending on where you are located, you may have some or all of the following rights regarding your personal information:

10.1 Maryland residents (Maryland Online Data Privacy Act)

CredaFi is based in Maryland. If you are a Maryland resident, you have the following rights under the Maryland Online Data Privacy Act (effective October 1, 2025):

• Right to confirm. Confirm whether we are processing your personal data.
• Right to access. Access the personal data we have collected about you.
• Right to correct. Correct inaccuracies in your personal data.
• Right to delete. Delete personal data you have provided or that we have obtained.
• Right to data portability. Obtain a copy of your personal data in a portable, readily usable format.
• Right to opt out. Opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.

We do not sell personal data. We do not use personal data for targeted advertising or profiling that produces legal or similarly significant effects. We will respond to your request within 45 days.

10.2 California residents (CCPA/CPRA)

• Right to know. Request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to delete. Request deletion of your personal information.
• Right to correct. Request correction of inaccurate personal information.
• Right to opt out. Opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising.
• Right to non-discrimination. We will not discriminate against you for exercising any of your rights.

We will respond to verifiable consumer requests within 45 days. If we need additional time, we will notify you within the initial 45-day period.

10.3 Other US state residents

If you reside in a US state with comprehensive privacy legislation (including Virginia, Colorado, Connecticut, Indiana, Kentucky, and others), you may have similar rights to access, correct, delete, and opt out of certain processing. Contact us at privacy@credafi.ai to exercise your rights under applicable state law.

10.4 UK and EEA residents (UK GDPR / EU GDPR)

• Access. Request a copy of the personal data we hold about you.
• Rectification. Request correction of inaccurate data.
• Erasure. Request deletion of your personal data (“right to be forgotten”).
• Restriction. Request that we restrict processing of your data.
• Portability. Request your data in a structured, machine-readable format.
• Objection. Object to processing based on legitimate interests.
• Withdraw consent. Where processing is based on consent, withdraw it at any time.
• Lodge a complaint. You have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk or your local EU supervisory authority.

We will respond to rights requests within 30 days. If we need additional time, we will notify you within the initial 30-day period.

10.5 How to exercise your rights

To exercise any of the rights described above, email privacy@credafi.ai with a description of your request. We may need to verify your identity before processing your request. We will never require you to create an account to exercise your rights.

Our Sites and Platform are directed to business professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.

Our Sites may contain links to third-party websites, including LinkedIn and partner websites. This Privacy Policy does not apply to those sites. We encourage you to review the privacy policies of any third-party sites you visit.

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page. If the changes are significant, we will provide notice through our Sites or by email where we have your contact details.

We encourage you to review this page periodically for the latest information on our privacy practices.

If you have any questions about this Privacy Policy or our data practices, please contact us: