Privacy Policy

Who We Are

CrediMax is a product of Hercules Holdings LLC, a Massachusetts limited liability company ("we," "us," or "our"). Our registered address is Ludlow, Massachusetts. You can reach us at privacy@credimax.app.

This Privacy Policy applies to the CrediMax iOS application, the website at credimax.app, and any related services (collectively, the "Service").

Information We Collect

Information you provide directly:

• Account credentials: email address and password (stored as a bcrypt hash — we never see your plaintext password)
• Phone number (optional, for verification)
• Full name (optional)
• Credit card portfolio details you manually add (card name, issuer, last four digits)
• Sign in with Apple identifier, if you choose that login method

Information collected automatically:

• Transaction data synced from your linked bank accounts via Plaid (merchant name, amount, date, category)
• Device location, when you grant permission, to provide location-based card recommendations
• IP address and user-agent string, logged for security and fraud prevention
• App usage events used to improve recommendation quality

Information we do NOT collect:

• Your bank username or password — these are handled exclusively by Plaid and never transmitted to us
• Full credit card numbers or CVV codes
• Social Security Number or government ID

How We Use Your Information

We use the information we collect to:

• Provide and operate the Service, including generating real-time card recommendations
• Personalize recommendations based on your spending history and card portfolio
• Communicate with you about your account, including security alerts and product updates
• Detect, investigate, and prevent fraud, abuse, and security incidents
• Comply with legal obligations
• Improve our AI recommendation models using aggregated, de-identified data

We do not use your data for advertising targeting, and we do not sell your personal information to third parties.

Financial Data & Plaid

CrediMax uses Plaid Technologies, Inc. to connect to your financial institution. When you link an account:

• You authenticate directly with your bank through Plaid's interface — your credentials are never sent to CrediMax servers
• Plaid provides us with an encrypted access token, which we store using AES-256 (Fernet) encryption in our database
• We retrieve transaction history and account balances through this token to power your recommendations
• Plaid's own privacy practices are governed by the Plaid Privacy Policy

Transaction data synced from Plaid is stored in our database to power historical analysis features. We do not share raw transaction data with any third party except as required to operate the Service.

How We Share Your Information

We share your information only in the following limited circumstances:

• Service Providers: We work with Plaid (financial data), AWS SES (transactional email), Railway (cloud infrastructure), and Anthropic (AI recommendations). These providers access only the minimum data necessary to perform their function and are contractually bound to protect it.
• Legal Requirements: We may disclose information if required by law, subpoena, court order, or to protect the rights, property, or safety of CrediMax, our users, or the public.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, user information may be transferred. We will notify you via email or in-app notice before your data is transferred and becomes subject to a different privacy policy.
• With Your Consent: We may share information for any other purpose with your explicit consent.

We do not sell your personal information. We do not share your financial data with credit card issuers, affiliate partners, or advertisers.

Data Retention

We retain your account data for as long as your account is active. When you delete your account:

• Your personal identifiers (email, name, phone) are immediately anonymized in our database
• Plaid access tokens are revoked and deleted
• Transaction data associated with your account is deleted within 30 days
• Certain anonymized, aggregated data may be retained indefinitely for model improvement
• Security audit logs may be retained for up to 12 months for fraud prevention purposes

Your Rights & Choices

Depending on your location, you may have the following rights with respect to your personal information:

• Access: Request a copy of the personal data we hold about you
• Correction: Request that we correct inaccurate or incomplete data
• Deletion: Request deletion of your account and associated data (CCPA-compliant deletion is available directly in the app under Settings → Delete Account)
• Data Portability: Export a copy of your data from Settings → Export Data
• Opt-Out: You can disable location access, push notifications, and email communications at any time from your device settings or account preferences

To exercise any of these rights, contact us at privacy@credimax.app. We will respond within 30 days.

Security

We take security seriously and implement multiple layers of protection:

• All data is transmitted over TLS (HTTPS)
• Passwords are hashed using bcrypt with cost factor 12 — we cannot recover your password
• Plaid access tokens are encrypted at rest using AES-256 (Fernet)
• Authentication tokens expire after 30 minutes; refresh tokens after 7 days
• App credentials are stored in iOS Keychain with WhenUnlockedThisDeviceOnly protection
• All security-relevant events are logged in an audit trail
• Rate limiting is applied to all authentication endpoints

Despite these measures, no method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at security@credimax.app.

Children's Privacy

CrediMax is not intended for children under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@credimax.app.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Effective Date" at the top of this page
• Send an email notification to your registered address
• Display an in-app notice

Your continued use of the Service after any changes constitutes your acceptance of the updated policy. We encourage you to review this policy periodically.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

• Email: privacy@credimax.app
• Entity: Hercules Holdings LLC
• Location: Ludlow, Massachusetts