CredClout

Privacy Policy

Last updated: June 24, 2026

1. Introduction

CredClout ("CredClout", "we", "us", or "our") operates the CredClout platform, including our website at credclout.com, our public API, and our Shopify application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you use the Service.

This Privacy Policy applies to:

  • Users: individuals who create a CredClout account and connect social media profiles.
  • Merchants: Shopify store owners who install our Shopify app.
  • Shoppers: customers of participating Shopify merchants whose email addresses are queried against our verification system at checkout.

If you do not agree with this Privacy Policy, please do not use the Service.

2. Data Controller and Contact

The data controller responsible for your personal information is:

CredClout LLC
United States
Email: privacy@credclout.com

Data Protection Officer: We have not formally appointed a DPO as we are not currently required to do so under Article 37 GDPR. For privacy-related inquiries, contact privacy@credclout.com.

3. Information We Collect

3.1 Information you provide

  • Account information: name, email address, password (managed via Auth0), and authentication factors (e.g., MFA phone number or authenticator app).
  • Profile information: any optional profile fields you choose to complete.
  • Communications: the contents of messages you send to support, including any attachments.

3.2 Information collected from connected social media accounts

When you connect a social media account (YouTube, Instagram, TikTok, X/Twitter, Facebook), we collect, via the platform's official API and only with the OAuth scopes you grant:

  • public profile information (username, handle, profile picture, bio);
  • public follower count, following count, and engagement metrics;
  • the OAuth access and refresh tokens needed to refresh statistics on your behalf;
  • the date the account was connected and last refreshed.

We do not collect your direct messages, post drafts, follower lists, or private contacts.

3.3 Information from Merchants and Shoppers

  • Merchants: when a merchant installs our Shopify app, we receive store identifiers, the installing user's name and email, and configuration choices (e.g., discount tiers).
  • Shoppers: when a shopper begins checkout on a participating store, we receive a hashed and unhashed version of the shopper's email address solely to look up whether a CredClout profile exists. See Section 14 for details on how we handle Shopify Protected Customer Data.

3.4 Information collected automatically

When you use the Service, we automatically collect:

  • Device and connection data: IP address, browser type and version, operating system, device identifiers, and approximate location derived from IP.
  • Usage data: pages viewed, features used, referring URLs, timestamps, and interaction events.
  • Authentication logs: login times, login methods, MFA challenges, and failed login attempts (via Auth0).
  • Cookies and similar technologies: see Section 11.

3.5 Information from third parties

  • Authentication and identity signals from Auth0.
  • Public statistics from social platforms via their APIs.
  • Fraud-prevention signals from our infrastructure providers.

4. How We Use Information and Legal Bases

We process personal information for the purposes and on the legal bases described below (the legal bases apply to users in the EEA, UK, and Switzerland; users in other jurisdictions are subject to applicable local law).

Purpose | Legal Basis (GDPR)
Creating and maintaining your account; authenticating you | Performance of a contract (Art. 6(1)(b))
Connecting and refreshing your social media statistics | Performance of a contract; consent for OAuth scopes (Art. 6(1)(a), 6(1)(b))
Calculating CredClout influence scores and grades | Performance of a contract; legitimate interest (Art. 6(1)(b), 6(1)(f))
Sharing statistics with merchants when you opt in | Consent (Art. 6(1)(a))
Looking up shopper email addresses against our directory | Legitimate interest (Art. 6(1)(f))
Securing the Service, preventing fraud and abuse | Legitimate interest (Art. 6(1)(f)); legal obligation (Art. 6(1)(c))
Sending service announcements | Performance of a contract; legitimate interest
Sending marketing communications | Consent, where required; otherwise legitimate interest with opt-out
Complying with legal obligations | Legal obligation (Art. 6(1)(c))
Defending legal claims | Legitimate interest (Art. 6(1)(f))

5. Automated Decision-Making and Profiling

CredClout uses automated processes to:

  • calculate an aggregated influence score and grade tier from your connected social statistics;
  • determine whether your account meets a merchant's eligibility threshold for a given discount;
  • generate and validate "CredCode" identity tokens used to confirm your verified status at checkout.

These determinations are automated and may affect your eligibility for discounts. You have the right to:

  • request a meaningful explanation of how a decision was reached;
  • contest a determination;
  • request human review of a decision that significantly affects you.

To exercise these rights, contact privacy@credclout.com.

6. How We Share Information

6.1 With participating Shopify merchants

If, and only if, you have enabled store visibility in your account settings, participating merchants whose stores you visit may see:

  • your CredClout grade tier;
  • your aggregated follower count;
  • the list of platforms you have connected (without account handles unless you opt in to share them).

Merchants do not receive raw OAuth tokens, full statistics, or your account credentials. You can disable store visibility at any time from your account settings.

6.2 With service providers (sub-processors)

We share personal information with vetted service providers under contracts that require them to process data only on our instructions and protect it appropriately. Current categories include:

  • Cloud infrastructure: Amazon Web Services (United States)
  • Authentication: Auth0 by Okta (United States)
  • Email delivery: SendGrid
  • Payment processing: Stripe

6.3 For legal and safety reasons

We may disclose information when we believe in good faith that disclosure is necessary to:

  • comply with a law, regulation, subpoena, court order, or governmental request;
  • enforce our Terms of Service or other agreements;
  • detect, prevent, or address fraud, security, or technical issues;
  • protect the rights, property, or safety of CredClout, our users, or the public.

6.4 Business transfers

If CredClout is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected users and require any successor to honor this Privacy Policy or provide notice of material changes.

6.5 With your consent

We share information for any other purpose with your consent.

6.6 We do not sell your personal information

We do not sell or "share" your personal information as those terms are defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), or comparable laws in other US states. We honor Global Privacy Control (GPC) signals as opt-out requests where applicable.

7. International Data Transfers

CredClout is headquartered in the United States, and we process personal information in the United States and in any country where our service providers operate. When we transfer personal information from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, we rely on:

  • the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, where applicable;
  • supplementary technical and organizational measures, including encryption in transit and at rest.

You can request a copy of the relevant transfer mechanism by contacting privacy@credclout.com.

8. Data Retention

We retain personal information only for as long as necessary for the purposes described in this Privacy Policy:

Data | Retention period
Account data | Until you delete your account; purged within 30 days of deletion
Connected social media statistics (cached) | Refreshed continuously; deleted within 24 hours of disconnecting
OAuth tokens | Deleted within 24 hours of account disconnection or deletion
Authentication logs | 90 days
Application and security logs | 90 days
Shopify shopper email lookups | Hashed query logs retained for 30 days for fraud prevention
Billing and transaction records | 7 years (US tax and accounting requirements)
Support communications | 2 years after the last contact
Backups | Up to 35 days, after which residual copies are overwritten

We may retain limited information longer where required by law or to defend legal claims.

9. Your Rights

9.1 Rights for everyone

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Delete your account and associated personal information.
  • Disconnect any social media account.
  • Disable store visibility so merchants cannot see your stats.

9.2 Additional rights for EEA, UK, and Swiss users

  • Restriction of processing in certain circumstances.
  • Objection to processing based on legitimate interests or for direct marketing.
  • Portability: receive a machine-readable copy of data you provided to us.
  • Withdraw consent at any time, without affecting prior lawful processing.
  • Lodge a complaint with your local supervisory authority.
  • Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (see Section 5).

9.3 Additional rights for US state residents

  • Right to know the categories and specific pieces of personal information we collect, sources, purposes, and recipients.
  • Right to delete personal information we have collected.
  • Right to correct inaccurate personal information.
  • Right to opt out of "sale" or "sharing" (we do not sell or share, but the right is honored, including via GPC signals).
  • Right to limit use of sensitive personal information.
  • Right to non-discrimination for exercising your rights.
  • Right to appeal a denial of a rights request.

9.4 How to exercise your rights

Email privacy@credclout.com or use the in-product controls in your account settings. We will respond within the timeframes required by applicable law (generally 30 days for GDPR, 45 days for CCPA/CPRA, with extensions as permitted). We may need to verify your identity before fulfilling certain requests.

10. Data Security

We implement administrative, technical, and physical safeguards designed to protect personal information, including:

  • TLS/HTTPS encryption in transit;
  • AES-256 encryption at rest for OAuth tokens and other sensitive fields;
  • role-based access controls and least-privilege access for employees;
  • multi-factor authentication for internal systems;
  • logging, monitoring, and intrusion detection;
  • annual security reviews and penetration testing.

No system is perfectly secure. If we become aware of a personal data breach that affects you, we will notify you and applicable supervisory authorities as required by law (within 72 hours of awareness for GDPR-covered breaches likely to result in a risk to your rights, and consistent with US state breach notification laws).

11. Cookies and Similar Technologies

We use cookies and similar technologies to operate the Service. Categories include:

  • Strictly necessary cookies: authentication, session management, security. These cannot be disabled.
  • Functional cookies: remember your preferences (e.g., store visibility setting).
  • Analytics cookies: help us understand how the Service is used.

Where required by law (such as in the EEA and UK), we obtain consent for non-essential cookies via our cookie banner. You can also block cookies in your browser, but parts of the Service may not function properly.

12. Children's Privacy

The Service is not directed to children under 18, and we do not knowingly collect personal information from children under 18. If you believe a child has provided us with personal information, please contact privacy@credclout.com and we will delete it.

13. Marketing Communications

We may send you marketing emails about new features, tips, and CredClout news. You can opt out at any time by clicking "unsubscribe" in any marketing email or by adjusting your email preferences in your account settings. Even if you opt out of marketing, we will still send transactional and service-related messages (e.g., billing, security, policy changes).

14. Shopify Protected Customer Data

When a Shopify merchant installs our app, our handling of Shopify customer data is designed to comply with Shopify's Protected Customer Data Requirements:

  • Data minimization: we request and access only the customer email address field necessary to perform the verification lookup.
  • Purpose limitation: customer email addresses received from Shopify are used solely to determine whether a CredClout profile exists, and are not used for marketing, profiling, or any secondary purpose.
  • Storage: we do not persist Shopify customer email addresses beyond the time needed to perform the lookup. Hashed query logs are retained for 30 days for fraud prevention.
  • Consent: merchants are responsible for obtaining any consent required from their shoppers under applicable law for sharing customer data with CredClout.
  • Customer rights: shoppers may exercise their privacy rights either through the merchant or directly with CredClout via privacy@credclout.com.
  • Staff access: access to Shopify customer data is restricted to a limited number of authorized engineers under role-based access controls and is logged.
  • Encryption: Shopify customer data is encrypted in transit (TLS) and at rest (AES-256).
  • Breach notification: we will notify affected merchants and Shopify within 72 hours of becoming aware of any breach involving Protected Customer Data.

15. Third-Party Services

The Service integrates with third-party services that are subject to their own privacy policies, including:

  • Auth0 by Okta
  • YouTube Data API / Google
  • Instagram / Meta
  • TikTok
  • X (Twitter)
  • Facebook / Meta
  • Shopify
  • Amazon Web Services

CredClout is not responsible for the privacy practices of these third parties.

When you use the YouTube features of the Service, you are also subject to the YouTube Terms of Service (youtube.com/t/terms) and the Google Privacy Policy (policies.google.com/privacy). You may revoke CredClout's access to your Google account at any time at security.google.com/settings/security/permissions. See Section 16 (Google User Data: Limited Use) for our specific commitments regarding data from your Google and YouTube account.

16. Google User Data: Limited Use

CredClout's use and transfer of information received from Google APIs (including the YouTube Data API Services) adheres to the Google API Services User Data Policy (developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements. Data obtained from your Google or YouTube account is used only to provide and improve the user-facing features described in this policy: verifying that you own your channel and displaying your own audience statistics. We do not:

  • use it to serve targeted or personalized advertising;
  • sell or transfer it to data brokers or information resellers;
  • use it to develop, train, or improve generalized or artificial-intelligence / machine-learning models;
  • use it to determine creditworthiness or for any lending purpose (your CredClout influence score reflects social reach only and is not a financial credit score); or
  • use, transfer, or disclose it for any purpose other than providing or improving the Service's features.

Humans do not access this data except with your consent, to comply with law, for security, or as necessary to operate the Service. You can revoke CredClout's access to your Google account at any time at myaccount.google.com/permissions.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect, where required by law. The "Last updated" date at the top of this policy reflects the most recent version. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

18. Contact Us

For privacy questions, requests, or complaints, contact:

CredClout LLC
Email: privacy@credclout.com