Privacy Policy

Last updated: April 12, 2026

Data Controller

ActiveCred is operated by ACTIVECRED.IT. For privacy inquiries, contact us at privacy@activecred.it.

What Data We Collect

We collect the minimum data necessary to provide the ActiveCred service:

  • Account information — email address, name, and password when you create an account.
  • Payment information — credit or debit card details for your subscription payment. This data is collected and processed entirely by Stripe, our payment processor. ActiveCred never stores your raw card numbers.
  • Linked card information — credit card details for the cards you want to keep active. These are tokenized and stored securely by Stripe via SetupIntents. ActiveCred only stores Stripe token references, never raw card data.
  • Usage data — activity charge history, subscription status, and service interactions.
  • Technical data — IP address, browser type, and device information collected automatically when you visit our site.

How We Use Your Data

We process your data under the following lawful bases (GDPR Article 6):

  • Contract performance — processing subscription payments and running activity charges on your linked cards, as agreed when you sign up.
  • Legitimate interest — improving our service, preventing fraud, and communicating service updates.
  • Consent — sending marketing communications (only with your explicit opt-in; you can withdraw at any time).
  • Legal obligation — retaining transaction records as required by tax and financial regulations.

Third-Party Data Processors

We share data with the following processors, each operating under a Data Processing Agreement (DPA):

  • Stripe — payment processing, card tokenization, and activity charges. Stripe acts as a data processor for payment information including name, email, and payment card details. Stripe is PCI DSS Level 1 certified. Stripe Privacy Policy.
  • Cloudflare — CDN, DNS, and site hosting. Cloudflare processes IP addresses and sets performance cookies. Cloudflare Privacy Policy.

International Data Transfers

Your data may be transferred to and processed in the United States, where Stripe and Cloudflare operate. These transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission, ensuring your data receives equivalent protection regardless of where it is processed.

Data Retention

  • Account data — retained while your account is active. Deleted within 30 days of account closure, unless legally required to retain.
  • Payment and transaction records — retained for 7 years as required by financial regulations.
  • Linked card tokens — deleted immediately when you remove a card or close your account.
  • Technical/analytics data — retained for up to 12 months.

Your Rights

Under GDPR, you have the right to:

  • Access — request a copy of all personal data we hold about you.
  • Rectification — correct any inaccurate data.
  • Erasure — request deletion of your data ("right to be forgotten").
  • Portability — receive your data in a machine-readable format.
  • Restriction — limit how we process your data.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — for any processing based on consent, at any time.

To exercise any of these rights, email privacy@activecred.it. We will respond within 30 days.

Security

All credit card data is handled by Stripe and never touches our servers. Data in transit is encrypted via TLS. We do not store raw card numbers, CVVs, or sensitive authentication data at any point.

Complaints

If you believe your data rights have been violated, you have the right to lodge a complaint with your local data protection authority.