Privacy Policy
We take your privacy seriously. This page explains what information we collect, why we collect it, and how we keep it safe.
Last updated: April 26, 2026
1. Who we are
Credo ("Credo", "we", "us") is a software-as-a-service product operated from the European Union. We help small businesses monitor and respond to online reviews. You can contact us at any time at support@credoapp.it.com.
2. Information we collect
We collect only what we need to deliver the service:
- Account information. Your email address and password (hashed) when you sign up. Optional profile fields like business name, address, and phone number.
- Connected platform data. If you choose to connect Google Business Profile, we receive review content, ratings, reviewer display names, and an OAuth access token to refresh that data on your behalf.
- Customer details you upload. If you send review requests, we store the customer name, email, or phone number you provided so we can deliver and track the request.
- Usage data. Standard server logs (IP address, browser, page visited, timestamp) collected through our hosting provider Vercel for security and reliability.
3. How we use your information
- To provide, maintain, and improve Credo's features.
- To sync, display, and respond to your reviews from connected platforms.
- To send transactional emails such as new-review notifications, password resets, and account updates.
- To respond to support requests you send us.
- To detect and prevent abuse of the service.
We do not sell your personal information. We do not use your business's review data to train any third-party AI model.
4. AI-generated reply drafts
When you ask Credo to generate a reply to a review, the review text and your business name are sent to Anthropic's Claude API. Anthropic processes the request to produce a draft and does not retain the content for model training, per their commercial API terms. You can review or discard every draft before it is saved.
5. Where your data is stored
Account data and reviews are stored in Supabase (Postgres) hosted in the EU. Application servers run on Vercel. Transactional email is sent through Resend. We choose providers that publish security and privacy commitments compatible with GDPR.
6. Sharing with third parties
We share data with sub-processors only as required to operate the service:
- Supabase (database, authentication)
- Vercel (hosting, logging)
- Resend (transactional email delivery)
- Anthropic (AI reply drafting, on demand)
- Google (only the data you authorise via OAuth)
We do not share your data with advertisers or data brokers.
7. Your rights
You can access, export, correct, or delete your data at any time from the Settings page or by emailing us. We respond to verifiable requests within 30 days. If you are in the EU/UK, you also have the right to lodge a complaint with your local data protection authority.
8. Data retention
We keep your account data for as long as your account is active. If you delete your account, we permanently remove your data within 30 days, except for limited records we are legally required to retain (for example billing records).
9. Cookies
Credo uses only the cookies needed to keep you signed in (a Supabase auth session cookie) and to remember your dark-mode preference. We do not use marketing or cross-site tracking cookies.
10. Children
Credo is intended for business owners and is not directed to anyone under 16. We do not knowingly collect personal information from children.
11. Changes to this policy
We may update this policy from time to time. If a change is material, we will notify you by email or in-product before it takes effect. The "Last updated" date at the top of the page reflects the most recent revision.
12. Contact
Questions about this policy or your data? Email support@credoapp.it.com.