Privacy Policy
Effective Date: February 12, 2026
1. Introduction
Welcome to Cred (“we,” “us,” “our”). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our OAuth credential delegation platform, including our website at cred.ninja, developer portal, user portal, API services at api.cred.ninja, MCP server (@credninja/mcp), and SDK (@credninja/sdk) (collectively, the “Service”).
We are committed to protecting your privacy and being transparent about our data practices. This Privacy Policy should be read in conjunction with our Terms of Service.
By using our Service, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Service.
2. Information We Collect
2.1 Information You Provide
When you use our Service, we collect information that you provide directly to us:
- Account Information: Email address, password (hashed using bcrypt), and account preferences for both Developer and User accounts.
- OAuth Refresh Tokens: When you authorize OAuth connections to Third-Party Services (Google, GitHub, Slack, Notion, Salesforce), your refresh tokens are encrypted using AES-256-GCM with unique initialization vectors and stored in our vault. Refresh tokens never leave the vault. Only short-lived access tokens are issued to authorized Agents.
- OAuth Applications: Information about applications you register as a developer, including app names, descriptions, redirect URIs, and webhook endpoints.
- Support Communications: Information you provide when contacting us for support, including your messages and any attachments.
2.2 Information We Collect Automatically
When you use our Service, we automatically collect certain information:
- Usage Data: Information about your interactions with the Service, including delegation requests, token issuances, consent grants, and timing data.
- Log Information: Server logs that include IP addresses, browser type, operating system, referring/exit pages, date/time stamps, and clickstream data.
- Device Information: Information about the device you use to access our Service, including device type, operating system, and unique device identifiers.
- Session Data: Information stored in browser sessions to maintain your login state and preferences.
2.3 Information from Third Parties
We may receive information about you from third parties:
- OAuth Providers: If you use social login (Google), we may receive basic profile information like your email address and name.
- Third-Party Services: When you authorize OAuth connections, we receive tokens from the Third-Party Service. We store refresh tokens encrypted in our vault and use them to issue short-lived access tokens to authorized Agents.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide and Maintain the Service: To operate our credential delegation infrastructure, manage your encrypted token vault, handle OAuth authorization flows, issue delegated access tokens, and provide customer support.
- Security and Fraud Prevention: To detect and prevent unauthorized access, abuse, and fraudulent activity. This includes monitoring for unusual delegation patterns and potential security threats.
- Analytics and Improvement: To understand how our Service is used, improve functionality, and develop new features. This includes analyzing usage patterns and performance metrics.
- Communication: To send you important service announcements, security alerts, support responses, and updates about changes to our Service.
- Compliance: To comply with legal obligations, enforce our Terms of Service, and protect the rights and safety of our users and the public.
- Rate Limiting and Abuse Prevention: To enforce rate limits and prevent abuse of our Service by monitoring usage patterns and implementing appropriate controls.
4. Data Sharing and Disclosure
4.1 We Do Not Sell Your Data
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
4.2 When We May Share Information
We may share your information in the following limited circumstances:
- Token Exchange with Third-Party Services: During OAuth authorization and token refresh, we exchange data with Third-Party Services (Google, GitHub, Slack, Notion, Salesforce) as required by the OAuth 2.0 protocol. We only share what’s necessary to obtain and refresh tokens.
- Delegated Access Tokens: When an authorized Agent requests delegation, we issue a short-lived access token. Refresh tokens are never shared with Agents or Developers.
- Service Providers: We may share information with trusted service providers who help us operate our Service, such as hosting providers, monitoring services, and payment processors. These providers are contractually bound to protect your information.
- Legal Requirements: We may disclose information if required by law, such as in response to a subpoena, court order, or law enforcement request.
- Safety and Security: We may share information to protect the rights, property, or safety of Cred, our users, or the public, including in cases of suspected fraud or security threats.
- Business Transfers: If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to the same privacy protections.
4.3 Aggregated and Anonymized Data
We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you for research, analytics, or business purposes.
5. Data Security
We implement comprehensive security measures to protect your information:
- Encryption: API keys are encrypted at rest using AES-256-GCM with unique initialization vectors. All data in transit is protected using HTTPS with TLS 1.2 or higher.
- Access Controls: We implement strict access controls and authentication mechanisms. Database access is restricted to authorized personnel and systems.
- Infrastructure Security: Our infrastructure includes firewalls, intrusion detection systems, and regular security monitoring. We use secure hosting providers with SOC 2 compliance.
- Code Security: We implement secure coding practices, including input validation, output encoding, and protection against common vulnerabilities like SQL injection and XSS.
- Regular Audits: We conduct regular security assessments and monitor for vulnerabilities. Critical security updates are applied promptly.
- Incident Response: We have procedures in place to detect, respond to, and notify users of security incidents in accordance with applicable laws.
While we implement strong security measures, no system is 100% secure. We encourage you to take steps to protect your account, such as using strong passwords and enabling two-factor authentication when available.
6. Data Retention
We retain your information for as long as necessary to provide our Service and comply with legal obligations:
- Account Data: Retained for the lifetime of your account and deleted within 30 days of account termination, unless we have a legal obligation to retain it longer.
- OAuth Refresh Tokens: Stored in encrypted form until you revoke the OAuth connection or terminate your account. Deleted immediately upon revocation.
- Audit Logs: Delegation request logs are retained for 30 days for security and debugging purposes, then automatically purged.
- OAuth Tokens: Access tokens expire after 1 hour. Refresh tokens are retained until revoked. Authorization codes expire after 10 minutes.
- Delegation Receipts: JWS/Ed25519 signed delegation receipts are retained for 30 days to provide a cryptographically verifiable audit trail.
- Support Communications: Retained for up to 3 years to provide ongoing support and resolve issues.
- Legal Hold: Information may be retained longer if required by law, legal proceedings, or investigations.
7. Your Rights and Choices
7.1 Access and Control
You have several rights regarding your personal information:
- Access: You can view and download your account information, OAuth connections, delegation grants, and activity history through your dashboard.
- Correction: You can update your account information and correct any inaccuracies through your account settings.
- Deletion: You can revoke OAuth connections or terminate your account at any time, which will result in the deletion of your data (subject to legal retention requirements).
- Portability: You can export your data through our API endpoints or by contacting us.
- Revocation: You can revoke delegation grants and OAuth connections at any time through your user dashboard at /user/authorizations.
7.2 Regional Privacy Rights
Depending on your location, you may have additional rights:
- European Economic Area (EEA), UK, and Switzerland: You may have rights under GDPR, including the right to object to processing, restrict processing, and file complaints with supervisory authorities.
- California: You may have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected and the right to non-discrimination.
- Other Jurisdictions: You may have additional rights under local data protection laws.
7.3 Exercising Your Rights
To exercise your privacy rights, you can:
- Use the controls in your account dashboard
- Contact us at kieran@kierans.net
- Use our API endpoints to export data
- Submit requests through our support channels
We will respond to your request within 30 days and may need to verify your identity before processing certain requests.
9. International Transfers
Our Service is operated from the United States. If you are located outside the United States, please be aware that information we collect will be transferred to and processed in the United States and other countries where we or our service providers operate.
If you are in the EEA, UK, or Switzerland, we rely on appropriate safeguards for international transfers, including adequacy decisions, standard contractual clauses, or other legally recognized mechanisms.
10. Children's Privacy
Our Service is not intended for children under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at kieran@kierans.net.
If we learn that we have collected personal information from a child under 18, we will take steps to delete that information as quickly as possible.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:
- Update the "Effective Date" at the top of this Privacy Policy
- Post the updated Privacy Policy on our website
- Notify you of material changes via email or through our Service
- For significant changes, provide advance notice and obtain consent where required by law
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Cred
Email: kieran@kierans.net
Website: https://cred.ninja
Subject Line: Privacy Policy Inquiry
We will respond to your inquiry as promptly as possible, typically within 30 days. For urgent privacy concerns, please indicate this in your subject line.