Trust Center

BuildCreditAI is a coaching layer that helps you build a personalized credit plan. We don't pull your credit, we don't access bureau data, we don't sell your information, and we don't ask for your Social Security Number. This page documents what we collect, what we don't, who we work with, and how to reach us about security questions.

What we collect

To give you a personalized coaching experience, we collect the following:

  • Account data — email address, password stored as a bcrypt hash, display name.
  • Profile data — your self-reported persona type, primary credit goal, situation context like number of cards and whether you rent.
  • Self-reported credit data — score history you log, credit card limits and balances you enter (never actual card numbers), payment history you mark as completed in the dashboard.
  • Usage analytics — which pages you visit, which features you click, aggregate behavior patterns processed through PostHog with consent gating for EU and California visitors.
  • Communication — email opens and clicks for transactional emails we send you.

What we don't collect

Just as important as what we collect — here's what we never do:

  • No Social Security Number at any point in the signup or onboarding flow.
  • No credit pulls of any kind (hard or soft) on you.
  • No access to your credit reports at Experian, Equifax, or TransUnion — we never read your bureau files.
  • No bank account credentials, no checking account access, no balance lookups.
  • No actual credit card numbers — only the limits and balances you choose to enter.
  • No selling, renting, or sharing of your personal data with third-party data brokers, marketers, or aggregators.
  • No data shared with credit bureaus, credit reporting agencies, or credit repair companies.

Infrastructure partners

We use a small set of vetted partners to operate the service. Here is what each one handles and the security posture it documents.

Stripe — handles subscription payments and gift purchases. PCI DSS Level 1 certified (see docs.stripe.com/security); we never see or store your full credit card number — Stripe handles it directly.

Supabase — database and authentication. SOC 2 Type II certified (see supabase.com/security); your data is isolated by row-level security policies so other users can never read your profile or credit data.

Resend — transactional email delivery for welcome emails, trial-ending notices, gift redemption emails, and dispute-letter delivery. See resend.com/security.

PostHog — product analytics measuring aggregate usage patterns; consent-gated for visitors in the EU and California. See posthog.com/handbook/company/security.

Anthropic — powers the AI Coach inference; receives your question and a snapshot of your roadmap context, not your full credit history or bureau files. See trust.anthropic.com.

Vercel — web hosting and edge serving. SOC 2 Type II certified (see vercel.com/security).

GitHub Actions — continuous integration runs tests on code changes; no production user data is involved. See github.com/security.

Encryption and data handling

Data at rest is encrypted in Supabase using industry-standard AES-256. Data in transit between your browser and our servers, and between our servers and our infrastructure partners, is encrypted via TLS. Row-level security policies on every user-data table ensure that one user's data is never accessible to another user, even at the database level.
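To make the row-level security claim concrete, here is an added example of what such a policy set looks like in Postgres on Supabase. It is not BuildCreditAI's schema; the table `score_history`, its columns, and the policy names are assumptions. Supabase's `auth.uid()` returns the id of the signed-in user from the request's JWT, and the `authenticated` role is the one Supabase assigns to logged-in sessions.

```sql
-- Added example (not BuildCreditAI's schema): a self-reported score-history
-- table with Postgres row-level security scoped to the Supabase auth user id.
create table if not exists score_history (
  id        bigint generated always as identity primary key,
  user_id   uuid not null references auth.users (id) on delete cascade,
  score     integer not null check (score between 300 and 850), -- constructed bound
  logged_at timestamptz not null default now()
);

-- Without this line the policies below are ignored and any role that can
-- reach the table reads every row.
alter table score_history enable row level security;
-- Apply the policies to the table owner as well (owners bypass RLS by default).
alter table score_history force row level security;

-- Each policy compares the row's owner to the caller's JWT subject.
create policy "read own scores" on score_history
  for select to authenticated
  using (auth.uid() = user_id);

-- with check is what stops a user inserting a row labelled with someone
-- else's user_id; a policy with only a using clause leaves that gap open.
create policy "insert own scores" on score_history
  for insert to authenticated
  with check (auth.uid() = user_id);

create policy "update own scores" on score_history
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "delete own scores" on score_history
  for delete to authenticated
  using (auth.uid() = user_id);

-- Audit query: list ordinary tables in the public schema that still have
-- RLS disabled, so a newly added user-data table cannot slip through.
select c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

Because no policy is granted to the `anon` role, unauthenticated requests see no rows at all, and the check is enforced by the database itself rather than by application code, so an application-layer bug cannot return another user's rows.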

Your rights

Account deletion. To delete your account and all associated data, email [email protected] from the email address on your account. We confirm receipt within two business days and complete deletion within 30 days. Deletion removes your profile, score history, goals, dispute letters, and account access; some records required by law (payment records for tax compliance, anti-fraud logs) may be retained for the statutory minimum period and then deleted.

Data export. To request a copy of all data we hold about you, email [email protected] from your account email. We deliver the export as a JSON file within 30 days.

EU residents have the rights described in the GDPR (access, rectification, erasure, portability, restriction, objection). California residents have the rights described in the CCPA (know, delete, opt-out of sale, non-discrimination). See the Privacy Policy for the formal text of how to exercise these rights.

Responsible disclosure

If you've found a security vulnerability or have a concern about data handling, please email [email protected] with "Security" in the subject line. We acknowledge receipt within two business days and respond with next steps within five business days. We don't currently run a paid bug bounty, but we publicly credit responsible researchers in our changelog (with your permission) and we don't pursue legal action against good-faith security research.

What we'd tell a regulator

BuildCreditAI is not a credit repair organization. We do not file disputes or send letters on behalf of users — our dispute guidance tool generates template letters that users send themselves. We don't promise specific credit score outcomes; we explain credit concepts and help users build a plan based on their situation. We're not a financial advisor, an attorney, or a credit counselor. For legal questions, tax questions, bankruptcy advice, or formal credit counseling, we redirect users to the appropriate professionals.

Last updated: June 4, 2026