Privacy Policy
Document Ref: CV-PP-2026-V3
Effective Date: January 1, 2026
Last Updated: May 2026
01 Who We Are
CredVault Technologies is a technology company that provides a cloud database platform, developer tools, and infrastructure services. We are incorporated and operate under the laws of the Republic of Kenya.
For the purposes of applicable data protection law:
- CredVault acts as the Data Controller for personal information collected during account registration, billing, and platform usage.
- CredVault acts as a Data Processor for Customer Data that you store within the Services. In this capacity, we process your data only on your instructions and in accordance with our Terms of Service.
All legal notices, data subject requests, and regulatory correspondence should be submitted through the legal contact mechanism available within the platform's support section. CredVault does not publish direct contact details in this document to prevent misuse; all formal requests are handled through verified, authenticated channels.
02 Information We Collect
We collect only the information necessary to provide and operate the Services. This includes:
A. Account & Identity Information
Your name, email address, and password (stored as a one-way cryptographic hash — we cannot read your password). If you register via a third-party provider (Google, GitHub), we receive only the profile information that provider shares with us.
B. Usage & Technical Data
API request volume, feature usage patterns, query counts, session duration, and platform activity logs. This data is used to operate the platform, enforce plan limits, and detect abuse. It is not sold or shared with third parties for marketing purposes.
C. Security & Access Logs
IP addresses, browser type, operating system, and timestamps of login events. This data is retained for security monitoring, fraud detection, and incident response. It is not used for advertising or profiling.
D. Billing Information
Billing address, subscription plan, and transaction history. Payment card details are processed exclusively by our third-party payment processor and are never stored on CredVault's systems. CredVault does not have access to your full card number.
E. Customer Data
All data you store within the Services (databases, collections, files, configurations). This data belongs entirely to you. CredVault processes it only to provide the Services and does not access, analyze, or use it for any other purpose.
F. Desktop Application Data
If you use the CredVault IDE (desktop application), we collect session authentication tokens stored locally on your device, and basic connectivity data required to authenticate with the platform. The desktop application does not collect keystrokes, screen content, or local file system data beyond what you explicitly submit to the Services.
03 How We Use Your Information
We use the information we collect for the following purposes:
- To provide the Services: Authenticating your account, processing transactions, enforcing plan limits, and operating the platform infrastructure.
- To maintain security: Detecting unauthorized access, preventing fraud, investigating abuse, and protecting the integrity of the platform and other customers.
- To communicate with you: Sending transactional notifications related to your account (billing alerts, security notices, service status updates). We do not send unsolicited marketing communications without your consent.
- To improve the platform: Analyzing aggregated, anonymized usage patterns to understand how the platform is used and to improve its features. Individual Customer Data is never used for this purpose.
- To comply with legal obligations: Responding to valid legal orders, court orders, or regulatory requirements from competent authorities.
04 Third-Party Service Providers (Sub-processors)
To operate the Services, CredVault engages a limited number of third-party service providers who process data on our behalf. Each sub-processor is bound by contractual obligations to protect your data to a standard no less protective than this Privacy Policy.
| Provider | Purpose | Data Processed |
|---|---|---|
| MongoDB Atlas | Primary database storage | Account data, Customer Data, platform metadata |
| Amazon Web Services (AWS S3) | Backup storage and file storage | Encrypted backups of Customer Data |
| Brevo (Sendinblue) | Transactional email delivery | Email address, notification content |
| Payment Processor | Payment processing | Billing address, transaction data (card details not shared with CredVault) |
CredVault will update this list when sub-processors are added or removed. Material changes to sub-processors will be communicated through the platform.
05 Data Retention
We retain personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by applicable law.
| Data Type | Retention Period |
|---|---|
| Account & profile data | Duration of active account + 30 days after deletion |
| Customer Data | Duration of active account + 30 days after termination |
| Security & access logs | 90 days |
| Billing & transaction records | 7 years (as required by financial regulations) |
| Encrypted backups | 90 days, then permanently deleted |
Upon account deletion or termination, CredVault will permanently delete your Customer Data within 30 days. Billing records are retained for the period required by applicable financial and tax law.
06 Security
CredVault implements industry-standard technical and organizational security measures to protect your personal information against unauthorized access, disclosure, alteration, or destruction. These measures include:
- Passwords stored using one-way cryptographic hashing (bcrypt/Argon2).
- All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security).
- Session authentication tokens with defined expiry periods.
- Role-based access controls limiting internal access to Customer Data.
- Regular security monitoring and intrusion detection.
Data Breach Notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, CredVault will notify affected users within 72 hours of becoming aware of the breach, to the extent required by applicable law. Notification will be made through the platform and, where required, to the relevant supervisory authority.
No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
08 Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information. CredVault respects these rights regardless of where you are located:
- Right of AccessRequest a copy of the personal information we hold about you.
- Right to RectificationRequest correction of inaccurate or incomplete personal information.
- Right to ErasureRequest deletion of your personal information, subject to legal retention obligations.
- Right to Data PortabilityRequest your data in a structured, machine-readable format.
- Right to ObjectObject to processing of your personal information in certain circumstances.
- Right to Restrict ProcessingRequest that we limit how we use your personal information.
To exercise any of these rights, submit a verified request through the support section of your account dashboard. We will respond within 30 days. We may require identity verification before processing your request.
If you are located in the European Union or United Kingdom, you have the right to lodge a complaint with your local data protection supervisory authority. If you are located in Kenya, you may contact the Office of the Data Protection Commissioner (ODPC).
09 International Data Transfers
CredVault operates primarily from Kenya. Some of our sub-processors (listed in Section 04) may process data in other countries, including the United States and the European Union.
Where personal information is transferred outside of Kenya or the European Economic Area, CredVault ensures that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Contractual obligations on sub-processors to maintain equivalent data protection standards.
- Compliance with the Kenya Data Protection Act, 2019.
10 Children's Privacy
The Services are not directed to individuals under the age of 18. CredVault does not knowingly collect personal information from minors. If we become aware that we have collected personal information from a person under 18 without verifiable parental consent, we will take steps to delete that information promptly.
If you believe a minor has provided us with personal information, please contact us through the platform's support section.
11 Legal Basis for Processing (GDPR)
For users in the European Union or United Kingdom, CredVault processes personal information on the following legal bases under the General Data Protection Regulation (GDPR):
- Contract performance: Processing necessary to provide the Services you have subscribed to.
- Legitimate interests: Security monitoring, fraud prevention, and platform improvement, where these interests are not overridden by your rights.
- Legal obligation: Processing required to comply with applicable law, including financial record-keeping and responding to valid legal orders.
- Consent: Where we rely on consent (e.g., optional communications), you may withdraw consent at any time without affecting the lawfulness of prior processing.
12 Changes to This Policy
CredVault may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' notice by posting the updated policy on the platform and updating the "Last Updated" date at the top of this document.
Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree, you must stop using the Services and close your Account.