Privacy Policy
Last updated: May 26, 2026
1. Information We Collect
We collect your email address, hashed password, and the credential and provider data you enter or upload. CredVault is intended for provider credential metadata, not patient records, Social Security numbers, clinical notes, or Protected Health Information (PHI).
2. How We Use Your Information
We use your information to provide the credential tracking service, send transactional emails (verification, password reset, expiration reminders), process payments, and improve the service. We do not use your data for advertising.
3. Data Sharing
We do not sell your data. We share data only with subprocessors necessary to operate the service: DigitalOcean (cloud hosting), Resend (email delivery), Twilio (SMS delivery), Stripe (payment processing), and an AI document parsing service (credential extraction from uploaded files). Each is bound by applicable data processing agreements. See our Trust & Security page for the full subprocessor list.
4. Data Security
All data is encrypted in transit using TLS. Passwords are hashed using bcrypt and never stored in plaintext. We regularly review access controls and security practices.
5. Data Retention
We retain your data while your account is active. You may request deletion by emailing privacy@credvault.io. Deleted accounts are purged within 30 days, except where retention is required by law.
6. Cookies
We use browser local storage to maintain your session (JWT token). We do not use third-party tracking cookies or analytics cookies.
7. HIPAA Notice
CredVault is built for healthcare practices. Credential data is encrypted, access-controlled, and audit-logged. The service is intended for credential metadata, not PHI. Business Associate Agreements are available on request for covered entities that require one; do not upload PHI or highly sensitive personal identifiers until a BAA is fully executed. Email hello@credvault.io to request a BAA.
8. Contact
Privacy questions: privacy@credvault.io