Last updated: March 2026
CredLyr ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our credential verification and issuance platform.
When you create an account, we collect:
We automatically collect:
When you use our verification services, we process credential presentations on your behalf. This may include personal data about your end users. You are the data controller for this information; we act as a data processor.
We use collected information to:
We retain your account data for as long as your account is active. Verification and issuance records are retained according to your plan's evidence retention period (7 days to 7+ years depending on plan). You may request earlier deletion subject to legal retention requirements.
We may share your information with:
We do not sell your personal information to third parties.
We implement industry-leading security measures to protect your data:
All sensitive data is encrypted at rest using AES-256-GCM encryption. Data in transit is protected using TLS 1.3. Webhook signing secrets and API credentials are encrypted before storage.
In production environments, personal data from verified credentials is automatically masked. API responses return only the names of verified claims (e.g., "given_name", "birthdate") without exposing actual values. Full claim data is only available in sandbox environments for testing purposes.
CredLyr is designed with PCI DSS compliance in mind. We do not store, process, or transmit cardholder data. Payment processing is handled entirely by our PCI-compliant payment processor (Stripe). Our infrastructure follows PCI best practices for access control, monitoring, and security.
Enterprise plans offer additional security features including mTLS, dedicated infrastructure, IP allowlisting, request signing (HMAC), and custom security controls.
For customers processing personal data of EU residents, we offer a Data Processing Agreement (DPA) that complies with GDPR requirements. Enterprise customers may request custom DPAs.
Our primary infrastructure is located in the United States. Enterprise customers may select data residency in EU, US, or Canada regions. We use Standard Contractual Clauses for international data transfers where required.
Depending on your location, you may have the right to:
To exercise these rights, contact us at privacy@credlyr.com.
We use essential cookies for authentication and session management. We may use analytics cookies to understand how our platform is used. You can control cookie preferences through your browser settings.
Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through our platform. Your continued use of our services after changes constitutes acceptance.
For questions about this Privacy Policy or our data practices, please contact:
California residents have additional rights under the CCPA, including the right to know what personal information we collect and how it's used, the right to delete personal information, and the right to opt out of sales (we do not sell personal information).