Privacy Policy

Effective date: May 28, 2026. Crediva LLC ("we", "our", or "us"), operating under the product brand "Cima — Monitoreo de Crédito Inteligente" ("Cima"), respects your privacy. This Privacy Policy explains what information we collect when you use our credit monitoring service, how we use it, who we share it with, and the rights you have over your data.

1. Information we collect

• Identity data: full name, date of birth, last four of Social Security Number (full SSN is collected only when required by the credit bureaus to verify your identity through Knowledge-Based Authentication, "KBA").
• Contact data: mailing address, current and former residential addresses, email, mobile phone number.
• Financial data: credit report data from Experian, Equifax, and TransUnion, including account details, balances, payment history, public records, and credit inquiries. Payment method data is tokenized — we never store full card numbers.
• Identity protection data: dark-web monitoring alerts, SSN monitoring, address monitoring, data broker removal records.
• Communication data: support requests and in-app activity logs.
• Technical data: IP address, device type, browser information.
• Consent records: the exact text of any electronic consent you provide (FCRA permissible purpose, communications opt-in) along with timestamp and IP address, kept for audit purposes.

2. How we use your information

• To provide the credit monitoring service: pulling your tri-bureau consumer reports, monitoring for changes, and delivering alerts and insights to your Cima dashboard.
• To verify your identity through Array.com's KBA process before any consumer report is pulled, as required by the Fair Credit Reporting Act (FCRA).
• To send you in-app, email, and (with opt-in) SMS or WhatsApp notifications about changes in your credit profile and identity-theft alerts.
• To process payments for your subscription.
• To comply with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, FCRA, FDCPA to the extent it applies, and applicable state privacy and financial-services laws.
• To maintain an audit log of pulls, alerts, and consent for compliance purposes.

3. Permissible purpose under FCRA

We pull consumer reports on your behalf only after you have provided written instructions to do so, in accordance with FCRA §604(a)(2) [15 U.S.C. §1681b(a)(2)]. Your electronic acceptance of our Terms of Service — recorded with timestamp, IP address, and the exact text of the consent presented — constitutes a "written instruction" under the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act), 15 U.S.C. §§7001 et seq., and Wyoming's Uniform Electronic Transactions Act, Wyo. Stat. §§40-21-101 et seq. Each consumer report pull is logged with the timestamp and the version of the consent text you accepted.

You may revoke your written instructions at any time by cancelling your subscription. Once revoked, we will not pull additional consumer reports for you. Reports already pulled remain stored as described in Section 7 and Section 6.1 below.

4. How we share your information

We share your information only as required to deliver the service you signed up for, and never for third-party marketing.

• Array US, Inc. ("Array") — our credit data provider. Array queries Equifax, Experian, and TransUnion on our behalf under their permissible-purpose agreements with each bureau and returns the consumer report data to your Cima account.
• Credit reporting agencies (Equifax, Experian, TransUnion) and their affiliates — for the purpose of pulling consumer reports under FCRA on your written instructions.
• Service providers: Vercel (hosting), Turso (encrypted database hosting), Resend (transactional email delivery), Stripe / NMI (payment processing). Each provider is contractually limited to the specific task we hire them for.
• Identity protection partners — providers that help us deliver dark-web monitoring, SSN monitoring, and data-broker removal features.
• Print Hub LLC d/b/a Club de Crédito is an affiliate of Crediva LLC under common ownership. We disclose this affiliate relationship as required by Section 503 of the Gramm-Leach-Bliley Act and FCRA §603(d)(2)(A)(iii). Notwithstanding this affiliation, Crediva does not share your consumer reports, scores, or any other nonpublic personal information with Club de Crédito except where you have provided a separate, specific, contemporaneous written authorization identifying the records to be shared. You may opt out of any future affiliate sharing at any time by emailing privacy@cima.credit.

We do not sell, rent, or lease your personal information to any third party.

5. AI and machine-learning data restrictions

Cima uses AI-powered features to summarize your credit profile, classify alerts, and produce educational insights. We comply with the following restrictions on AI processing of your data:

• No model training. We do not allow Array data — including consumer reports, scores, or any data derived from Array services — to be used to train, improve, or otherwise enhance any third-party AI or machine-learning model.
• Limited AI access. AI systems we operate process your data only for the specific operational purpose described to you.
• Time-limited retention. Data processed by AI systems is securely deleted within thirty (30) days of that processing, unless you explicitly request continued access.
• Documentation. Internal documentation of AI consent and processing is maintained for audit purposes and is available to Array upon reasonable request.

6. Data security

Sensitive data — including SSNs, dates of birth, and full credit reports — is stored encrypted at rest using AES-256-GCM. Access to client data is restricted to authorized staff acting under role-based access controls. Data transmission occurs over TLS 1.2+. Payment card numbers are tokenized by our PCI-compliant processor and never touch our application servers. We maintain a written GLBA Safeguards Rule program covering access controls, encryption, incident response, employee training, and vendor oversight.

Security incident notification. In the event of a security incident affecting your nonpublic personal information, we will notify you without unreasonable delay and in accordance with applicable state breach-notification laws and the FTC Safeguards Rule (16 C.F.R. §314.5). If a notification event affects 500 or more consumers, we will also report it to the FTC within 30 days as required by federal regulation.

6.1 GLBA Privacy Notice (Regulation P)

This Privacy Policy serves as your initial and annual privacy notice under the Gramm-Leach-Bliley Act ("GLBA") and 12 C.F.R. Part 1016 (Regulation P). It describes:

• What nonpublic personal information ("NPI") we collect — see Section 1 above.
• What NPI we disclose and to whom — see Section 4 above. We disclose NPI only (i) to nonaffiliated third parties that perform services for us or function on our behalf under written confidentiality agreements (Array US, Inc., the credit bureaus, payment processors, hosting providers, and email/SMS vendors); (ii) to our affiliate Print Hub LLC d/b/a Club de Crédito, only with your separate written consent as described in Section 4; and (iii) as permitted or required by law. We do not disclose NPI to nonaffiliated third parties for their own marketing purposes.
• Your right to limit sharing — because we do not share NPI with nonaffiliates for marketing purposes, no opt-out is required under GLBA §502. To the extent we share information with our affiliate Club de Crédito for any purpose other than transactions you have authorized, you may opt out by emailing privacy@cima.credit (see also Section 10 of our Terms of Service).
• How we protect your NPI — see Section 6 above.
• Former customers — we apply this Privacy Policy to former customers as well as current customers.

7. Data retention

We retain your credit monitoring data for the duration of our service relationship plus up to seven (7) years afterward, as required by applicable record-keeping laws. AI-processed data is deleted within thirty (30) days as described in Section 5. Consent records are retained for at least four (4) years. You may request earlier deletion at any time, subject to our legal retention obligations and pending dispute resolutions.

8. Your rights

• Access — request a copy of the data we hold about you.
• Correction — correct inaccurate data we hold. Note: to correct data on your credit reports themselves, you must dispute directly with the credit bureau or use a credit repair organization. Cima is not a credit repair organization.
• Deletion — request deletion of data not subject to legal retention.
• Opt-out — withdraw consent for email or SMS communications at any time.
• Portability — request your data in a machine-readable format.

To exercise any of these rights, email privacy@cima.credit.

8.1 California residents — additional disclosures (CCPA/CPRA)

This section applies to residents of California and supplements the rest of this Privacy Policy as required by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA/CPRA"), Cal. Civ. Code §§1798.100– 1798.199.100, and the CPPA Regulations effective January 1, 2026.

GLBA exemption. Most of the data we process about California consumers — including consumer reports, credit scores, and the nonpublic personal information we collect to deliver the credit monitoring service — is collected, processed, and disclosed pursuant to the federal Gramm-Leach-Bliley Act and is therefore exempt from the CCPA/CPRA under Cal. Civ. Code §1798.145(e). This Section 8.1 addresses the personal information we collect that is not subject to that GLBA exemption (such as IP addresses, device data, marketing-context email and phone, and website usage data).

Categories of personal information collected in the preceding 12 months (non-GLBA scope):

• Identifiers (name, email, postal address, phone, IP address, device identifiers);
• Internet or other electronic network activity (page views, click events, referrer);
• Inferences drawn from the above to deliver and improve the Service.

Categories of sensitive personal information ("SPI") collected: Social Security Number (collected solely to verify your identity and pull your consumer reports through Array's KBA process — covered by the GLBA exemption). To the extent any other SPI is collected outside the GLBA scope, we use it solely as necessary to perform the services reasonably expected by an average consumer requesting credit monitoring, which is a purpose permitted by Cal. Civ. Code §1798.121(a) and CPPA Regulation §7027(m). We therefore do not offer a "Limit the Use of My Sensitive Personal Information" link.

Sale or sharing. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising as those terms are defined in Cal. Civ. Code §1798.140. Because we do not sell or share, we do not provide a "Do Not Sell or Share My Personal Information" link.

Retention (non-GLBA scope):

• Account-related identifiers: duration of the customer relationship plus seven (7) years;
• Marketing identifiers: until you unsubscribe, plus up to twenty-four (24) months;
• Website analytics data: up to twenty-six (26) months;
• Consent records: at least four (4) years (FCRA record-keeping).

California rights. California residents have the right to: (i) know the personal information we collect; (ii) request deletion; (iii) request correction; (iv) data portability; (v) opt out of sale/sharing (n/a — we do not sell or share); (vi) limit use of SPI (n/a — see above); (vii) non-discrimination for exercising rights; (viii) appeal a denial. To exercise any of these rights, email privacy@cima.credit or write to the address in Section 12. We will respond within 45 days. You may also designate an authorized agent.

Shine the Light. California residents may request, once per year, information regarding any disclosures we have made to third parties for their direct marketing purposes during the preceding calendar year. Because we do not disclose personal information to third parties for their own direct marketing, the response will be: none.

8.2 Colorado, Connecticut, Virginia, Utah, Montana, Oregon, Texas, Delaware, Iowa, New Hampshire, New Jersey, Tennessee, and other state privacy laws

Residents of states with comprehensive consumer privacy laws have, in addition to the rights described in Section 8, the following rights, to the extent the applicable state law applies to Crediva LLC:

• Right to opt out of targeted advertising. We do not engage in targeted advertising as defined by these laws.
• Right to opt out of the sale of personal data. We do not sell personal data.
• Right to opt out of profiling for decisions that produce legal or similarly significant effects. We do not conduct such profiling. AI-assisted summaries inside the Cima dashboard do not produce legal or similarly significant effects.
• Right to confirm processing, access, correct, delete, and obtain a portable copy of personal data — exercisable by emailing privacy@cima.credit.
• Right to appeal a denial of any of the above requests — by replying to our denial response or emailing legal@cima.credit. We will respond to appeals within sixty (60) days.
• Sensitive data consent. To the extent these laws apply, your subscription to Cima — which expressly authorizes us to collect your SSN and consumer reports for FCRA-permissible purposes — constitutes your consent to process sensitive data under Colo. Rev. Stat. §6-1-1308, Conn. Gen. Stat. §42-520, Va. Code §59.1-578, and analogous provisions of other state laws.
• Universal Opt-Out Mechanism. Where required (currently Colorado, Connecticut, California, Texas, and Oregon), we honor browser-level Global Privacy Control signals as opt-out requests for any sale/sharing of personal information — even though we do not currently engage in such sale/sharing.

We respond to verifiable consumer requests within 45 days, extendable by an additional 45 days where reasonably necessary, with notice to you.

Florida residents: the Florida Digital Bill of Rights (FDBR) applies to controllers with more than $1 billion in global annual revenue meeting specific additional criteria. Crediva LLC does not meet those thresholds, and Crediva is also a financial institution subject to the federal Gramm-Leach-Bliley Act, which is expressly exempt from the FDBR. You retain all rights under federal law, including the FCRA.

Texas residents: the Texas Data Privacy and Security Act ("TDPSA") generally applies to controllers that are not small businesses as defined by the U.S. Small Business Administration. Crediva LLC currently qualifies as a small business under SBA size standards and does not sell sensitive personal data, and is therefore not a "controller" subject to the TDPSA's full disclosure regime. Texas residents nonetheless retain all rights under federal law, including the FCRA and GLBA. If Crediva LLC's size changes such that the TDPSA applies, this Policy will be updated.

9. Children's privacy

Our services are intended for adults 18 years of age or older. We do not knowingly collect data from minors. If we learn we have collected data from a minor, we will delete it promptly.

10. International users

Cima is provided from the United States. If you access the service from outside the United States, you consent to the transfer and processing of your data in the United States, where data protection laws may differ from those in your country of origin. We do not knowingly offer services to residents of the European Union or the United Kingdom.

11. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated effective date, and we will notify active subscribers by email or in-app notification where required by law. Continued use of the service after the effective date of a material change constitutes acceptance of the updated Policy.

12. Contact us

Crediva LLC
A Wyoming limited liability company.
5830 E 2nd St, Ste 7000 #36122, Casper, Wyoming 82609, USA
Email: legal@cima.credit
Privacy contact: privacy@cima.credit

Resumen en español

Cima es un servicio de monitoreo de crédito operado por Crediva LLC (Wyoming). Cuando te suscribes, autorizas a Crediva LLC y a nuestro proveedor de datos Array US, Inc. a consultar tus reportes de crédito de Equifax, Experian y TransUnion bajo la ley federal FCRA. Tus datos están protegidos por la regla GLBA Safeguards: cifrado en reposo (AES-256), TLS en tránsito, y acceso restringido por roles. No vendemos ni alquilamos tus datos a terceros. La inteligencia artificial que usamos para resumir alertas no se entrena con tu data de crédito y borra los resultados procesados dentro de 30 días. Tienes derecho a pedir acceso, corrección, portabilidad y eliminación de tus datos cuando quieras. Si vives en California, Colorado, Connecticut, Texas, Virginia o Utah, tienes derechos adicionales bajo la ley estatal (ver Secciones 8.1 y 8.2). Para ejercerlos, escribe a privacy@cima.credit.