1. Data Controller
The data controller responsible for your personal data is:
CreditBoosters USA, Inc.
4207 Ridgepoint Drive, Suite 140
Austin, TX 78731, United States
Email: privacy@creditboostersusa.com
Phone: +1 (512) 843-6291
Our designated Privacy Officer can be reached at privacy@creditboostersusa.com. We respond to all
privacy-related inquiries within 30 calendar days.
2. Data We Collect
We collect personal data only when it is necessary to deliver, secure, and improve the Service. The
categories of data we process include:
2.1 Account Data
Information you provide during registration or that your organization provides on your behalf: full name,
email address, phone number (optional), job title, professional license number(s), jurisdiction(s), employer
or organization name.
2.2 Usage Data
Information generated by your interaction with the platform: course enrollments, credit completion records,
verification requests, dashboard activity, notification preferences, and login timestamps.
2.3 Technical Data
Data collected automatically for security and performance: IP address, browser type and version, operating
system, device identifiers, referral URL, session duration, and pages visited. We do not use this data for
advertising profiling.
2.4 Billing Data
For institutional clients: company billing address, payment method details (processed and stored exclusively
by Stripe — we never store full card numbers), invoice history.
3. How We Use Data
We process personal data for the following purposes:
- Service delivery: managing your account, tracking CE credits, generating compliance
reports, facilitating credential verifications.
- Transactional notifications: sending enrollment confirmations, credit completion
receipts, deadline reminders, verification alerts, and account security messages via Mailgun (Sinch).
- Billing and invoicing: processing payments, issuing receipts, managing subscription
status.
- Security: detecting unauthorized access, preventing fraud, enforcing our Acceptable Use Policy.
- Legal compliance: responding to lawful government requests, fulfilling regulatory
obligations.
- Product improvement: analyzing aggregate, de-identified usage patterns to enhance
platform features. We do not use your personal data for AI training without explicit consent.
4. Legal Bases for Processing (GDPR)
For individuals in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following
legal bases:
- Performance of a contract: processing necessary to create and maintain your account,
deliver the Service, and fulfill our contractual obligations to you or your institution.
- Legitimate interests: improving the Service, ensuring platform security, detecting
abuse. We balance these interests against your fundamental rights and freedoms.
- Legal obligation: complying with applicable laws, regulations, and lawful government
requests.
- Consent: where required, we ask for your explicit consent (e.g., optional analytics
cookies, if ever introduced). You may withdraw consent at any time.
5. No Data Selling
CreditBoosters USA does not sell, rent, lease, or trade your personal data to any third party — for
any reason, under any circumstances.
We do not participate in data brokerage, advertising exchanges, or any program that monetizes user
information. This commitment applies to all categories of personal data we process.
6. Sub-Processors
We engage a limited number of third-party sub-processors to deliver the Service. Each is bound by strict data
processing agreements:
- Amazon Web Services (AWS) — cloud infrastructure and hosting (us-east-1, N. Virginia).
Provides compute, storage, and database services.
- Mailgun (Sinch) — transactional email delivery. Processes recipient email addresses and
message content solely for the purpose of delivering platform notifications.
- Stripe — payment processing. Handles billing data for institutional clients. Stripe is
PCI-DSS Level 1 certified.
We evaluate sub-processors for security practices, data handling policies, and compliance posture before
engagement and periodically thereafter.
7. International Data Transfers
Our primary infrastructure is located in the United States. If you are located outside the US, your data may
be transferred to and processed in the US. We safeguard international transfers through:
- Standard Contractual Clauses (SCCs): approved by the European Commission, incorporated
into our agreements with sub-processors.
- EU-US Data Privacy Framework: we support and align with the framework's principles for
transatlantic data flows.
- Supplementary measures: encryption in transit (TLS 1.3) and at rest (AES-256), access
controls, and regular security assessments.
8. Data Retention
We retain personal data only as long as necessary for the purposes outlined in this policy:
- Account data: retained for the duration of your active account plus 30 days after
deletion request.
- CE credit records: retained for 7 years after the last associated license renewal
cycle, to support regulatory audits.
- Billing data: retained for 7 years as required by US tax and accounting regulations.
- Usage and technical data: retained for 24 months in identifiable form, then aggregated
and anonymized.
- Email delivery logs: retained for 90 days, then permanently deleted.
- Access and security logs: retained for 12 months.
- Support correspondence: retained for 3 years after ticket resolution.
When data reaches the end of its retention period, it is permanently and irreversibly deleted or anonymized.
9. Your Rights — GDPR
If you are located in the EEA, UK, or Switzerland, you have the following rights with respect to your
personal data:
- Right of access: obtain confirmation of whether we process your data and request a
copy.
- Right to rectification: correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): request deletion of your data, subject to
legal retention requirements.
- Right to restriction: limit how we process your data in certain circumstances.
- Right to data portability: receive your data in a structured, machine-readable format.
- Right to object: object to processing based on legitimate interests.
- Right to withdraw consent: where processing is based on consent, withdraw it at any
time without affecting the legality of prior processing.
To exercise any of these rights, email privacy@creditboostersusa.com. We respond within
30 calendar days. You also have the right to lodge a complaint with your local data
protection authority.
10. Your Rights — CCPA
If you are a California resident, the California Consumer Privacy Act (CCPA) and its amendments grant you the
following rights:
- Right to know: request disclosure of the categories and specific pieces of personal
information we've collected, the sources, the purposes, and the third parties with whom we've shared it.
- Right to delete: request deletion of personal information we've collected, subject to
certain exceptions.
- Right to opt-out of sale: we do not sell personal information. Because we never sell
your data, there is no need to opt out — but we honor any such requests as a matter of principle.
- Right to non-discrimination: we will not deny you services, charge different prices, or
provide lesser quality based on exercising your rights.
California residents may submit requests by emailing privacy@creditboostersusa.com or calling +1 (512)
843-6291. We verify identity before processing requests and respond within 45 calendar days.
11. Cookies
We use strictly necessary cookies only:
- Session cookie: maintains your authenticated session while using the platform. Expires
when you close your browser or after 24 hours of inactivity.
- CSRF token cookie: protects against cross-site request forgery attacks. Expires per
session.
We do not use advertising cookies, analytics trackers, social media pixels, or any
third-party tracking technology. There is nothing to opt out of — no behavioral profiling occurs on our
platform.
12. Data Security
We implement comprehensive technical and organizational measures to protect your data:
- Encryption in transit: all connections secured with TLS 1.3.
- Encryption at rest: all stored data encrypted with AES-256.
- Access controls: role-based access (RBAC) with least-privilege principles. Multi-factor
authentication (MFA) required for all staff accessing production systems.
- Network security: private VPC architecture, firewalls, intrusion detection systems.
- Vulnerability management: automated dependency scanning, quarterly penetration testing
by an independent third party.
- Employee training: all staff complete security and privacy awareness training upon hire
and annually thereafter.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements,
or the Service itself. When we make material changes:
- We provide at least 30 days' advance notice via email to the address associated with
your account.
- Significant changes are announced via in-platform notification.
- The "Last Updated" date at the top of this page is revised.
Continued use of the Service after the effective date of a revised policy constitutes acceptance of the
updated terms.
14. Contact
For any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact
our Privacy Officer:
CreditBoosters USA, Inc.
Attn: Privacy Officer
4207 Ridgepoint Drive, Suite 140
Austin, TX 78731, United States
Email: privacy@creditboostersusa.com
Phone: +1 (512) 843-6291
For general support inquiries, visit our Contact & Support page.