Log In Pricing How It Works Why It Matters Strategy Blog Demo Contact

Privacy Policy

Last updated: April 17, 2026

Data Controller

ActiveCred is operated by an individual doing business as ActiveCred (statement descriptor ACTIVECRED.IT) under an assumed-name (DBA) filing in the State of Texas, United States. ActiveCred is a sole proprietorship; the sole proprietor is the sole data controller for the Service. For privacy inquiries, email privacy@activecred.it.

The Service is delivered across two related domains: activecred.it (marketing, blog, pricing, demo, and support pages) and activecred.app (your authenticated account, dashboard, settings, and checkout). Both are operated by the same data controller and form a single integrated service. References to "we", "us", "ActiveCred", or "the Service" in this Policy include both domains.

What Data We Collect

We collect the minimum data necessary to provide the ActiveCred service:

  • Account information — email address, name, phone number (optional), and password when you create an account. Passwords are stored only as a salted PBKDF2 hash; the raw password is never persisted.
  • Payment information — credit or debit card details for your subscription payment. This data is collected and processed entirely by Stripe, our payment processor. ActiveCred never stores your raw card numbers.
  • Linked card information — credit card details for the cards you want to run activity charges on. These are tokenized and stored securely by Stripe via SetupIntents. ActiveCred only stores Stripe token references, the last four digits, card brand, expiration month/year, and optional metadata you provide (nickname, icon, credit limit, account-opened date), never raw card data or CVV.
  • Step-up authentication data — if you enroll a passkey (WebAuthn), we store the public-key credential and its identifier. The corresponding private key never leaves your device. If you enable TOTP, we store an encrypted shared secret. For email-based verification, we store short-lived (15-minute) one-time codes hashed at rest.
  • Session and device data — randomly-generated session identifiers, "device trust" tokens (30-day), timezone preference, and last-activity timestamps used to enforce session inactivity limits.
  • Usage data — activity charge history, subscription status, pause/resume events, scheduling preferences, and service interactions.
  • Authorization records — evidence of your consent each time you authorize, re-authorize, or modify a recurring charge on a linked card, including the consent text you agreed to, timestamp, IP address, user agent, and session identifier.
  • Security event logs — records of security-relevant events (login success/failure, 2FA challenge results, password reset requests, card add/remove, step-up verifications) used for fraud detection and incident investigation.
  • Technical data — IP address, browser type, and device information collected automatically when you visit our site.
  • Analytics data — anonymous page view events including pages visited, referral source, and UTM campaign parameters. This data is linked to a randomly generated visitor identifier (not your personal information) and is used to understand how visitors engage with our service. We do not use Google Analytics. All analytics data is stored in our own Cloudflare D1 database and is not shared with third-party advertising networks.

How We Use Your Data

We process your data under the following lawful bases (GDPR Article 6):

  • Contract performance — processing subscription payments and running activity charges on your linked cards, as agreed when you sign up.
  • Legitimate interest — improving our service, preventing fraud, and communicating service updates.
  • Consent — sending marketing communications (only with your explicit opt-in; you can withdraw at any time).
  • Legal obligation — retaining transaction records as required by tax and financial regulations.

Third-Party Data Processors

We share data with the following processors, each operating under a Data Processing Agreement (DPA):

  • Stripe — payment processing, card tokenization, and activity charges. Stripe acts as a data processor for payment information including name, email, and payment card details. Stripe is PCI DSS Level 1 certified. Stripe Privacy Policy.
  • Cloudflare — CDN, DNS, and site hosting. Cloudflare processes IP addresses and sets performance cookies. Cloudflare Privacy Policy.
  • Brevo — transactional email delivery (account verification codes, welcome emails, weekly digests). Brevo processes your email address for the purpose of delivering service-related messages. Brevo Privacy Policy.

International Data Transfers

Your data may be transferred to and processed in the United States, where Stripe and Cloudflare operate. These transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission, ensuring your data receives equivalent protection regardless of where it is processed.

Data Retention

We retain data for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Unless you specifically request deletion, data is retained as follows:

  • Account data — retained for the lifetime of your account and indefinitely thereafter, unless you request deletion. Account data may be retained after closure for legitimate business purposes including fraud prevention, dispute resolution, and regulatory compliance.
  • Payment and transaction records — retained indefinitely. Financial regulations (IRS, state tax authorities) require retention of transaction records for a minimum of 7 years, and we may retain them beyond that period for dispute resolution and audit purposes.
  • Linked card tokens — Stripe payment method tokens are detached when you remove a card or close your account. Card metadata (last four digits, brand, charge history) is retained as part of transaction records.
  • Authorization consent records — retained indefinitely. These records serve as evidence of cardholder consent for chargeback protection and are critical for dispute resolution under card network rules.
  • Security event logs — retained indefinitely for fraud detection, incident investigation, and compliance auditing.
  • Technical/analytics data — anonymous page view and event data retained for up to 12 months, then automatically purged.
  • Contact form submissions — retained for 90 days, then automatically purged unless the inquiry resulted in an ongoing support case.

You may request deletion of your personal data at any time by deleting your account in Settings or contacting support. Upon a verified deletion request, we will remove your personal data within 30 days, except where retention is required by law or necessary for legitimate business purposes as described above.

Your Rights

Under GDPR and applicable privacy laws, you have the right to:

  • Access — request a copy of all personal data we hold about you. You can export your data at any time from the Settings page.
  • Rectification — correct any inaccurate data.
  • Erasure — request deletion of your data ("right to be forgotten"). You can delete your account from the Settings page, which removes your personal data except where retention is legally required.
  • Portability — receive your data in a machine-readable format (JSON). Available via the Settings page.
  • Restriction — limit how we process your data.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — for any processing based on consent, at any time.

To exercise any of these rights, email privacy@activecred.it. We will respond within 30 days.

Security

All credit card data is handled by Stripe and never touches our servers. Data in transit is encrypted via TLS. We do not store raw card numbers, CVVs, or sensitive authentication data at any point.

Complaints

If you believe your data rights have been violated, you have the right to lodge a complaint with your local data protection authority.