Our privacy commitments.

1Who This Privacy Policy Covers

CreditReportNow LLC ("CreditReportNow," "we," "us") is a consumer reporting agency reseller as defined in the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681a(u). This Privacy Policy explains how we collect, use, share, and protect personal information for two groups:

• Consumers — individuals who are the subject of a credit report we deliver, or who interact with us in a dispute, identity verification, or authorization context.
• End-Users — businesses (lenders, landlords, employers, etc.) that obtain consumer reports through our platform, and the individual employees who use our portal on their behalf.

Because we handle financial information, we are also a "financial institution" subject to the Gramm-Leach-Bliley Act (GLBA). This document also serves as our GLBA Privacy Notice to consumers.

2Information We Collect About Consumers

To verify a consumer's identity and deliver a report to an authorized end-user, we collect:

• Identifiers: full legal name, current and former addresses, date of birth, Social Security Number (collected only via secure channels and tokenized at rest), driver's license or government ID image when required.
• Contact information: email, phone, mailing address.
• Authorization records: the signed consumer authorization, time stamp, IP address, device fingerprint, and the identity-verification answers used to confirm it was the consumer who signed.
• Consumer report data: the credit report we obtained from the supplying bureau on the consumer's behalf.
• Dispute records: any disputes the consumer filed with us, including supporting documents.

We collect this information from the consumer directly (through our authorization portal), from the requesting end-user (limited to identifiers needed to match the consumer), and from the supplying consumer reporting agency (the report itself).

3Information We Collect About End-Users

To verify and credential end-user businesses we collect: legal entity name, EIN, business address, business phone, websites, business licenses, signed certifications of permissible purpose, principal officer information, and inspection records. From individual portal users we collect: name, work email, work phone, role, login credentials, MFA token, IP address, device, and audit logs of their activity in our system.

4How We Use Information

We use consumer and end-user information only to:

• Verify the consumer's identity before any report is pulled.
• Verify the end-user's permissible purpose for each request.
• Obtain the report from our supplying consumer reporting agency.
• Deliver the report to the authorized end-user.
• Maintain audit records as required by federal law and our reseller agreement.
• Investigate consumer disputes and forward them to the supplying bureau.
• Detect fraud, prevent unauthorized access, and protect our systems.
• Respond to subpoenas, court orders, and regulator requests.
• Communicate operational matters (account, security, dispute status).

5How We Share Information

We share consumer information only as follows:

• The authorized end-user. We deliver the consumer report to the specific end-user the consumer authorized for the certified permissible purpose.
• The supplying consumer reporting agency. We send the consumer's identifiers to obtain the report and forward disputes back to them under § 1681i(f).
• Service providers. Identity verification vendors, secure cloud hosts, payment processors (for end-user billing), email and SMS delivery providers, and audit-log storage. Each is bound by written contracts requiring FCRA-and GLBA-compliant handling and prohibiting further use or disclosure.
• Government and legal requests. In response to subpoenas, court orders, regulator requests, or to comply with the FCRA, GLBA, and other applicable law.
• Successors. If we are acquired or merged, the successor must agree to honor this Privacy Policy or provide notice and opt-out where required.

6Data Security

We maintain a written information security program meeting the FTC Safeguards Rule (16 CFR Part 314), including:

• TLS 1.3 encryption in transit; AES-256 encryption at rest; tokenization of SSNs and account numbers.
• Multi-factor authentication for all portal users and privileged staff.
• Role-based access controls, quarterly access reviews, and immutable audit logs.
• Annual independent security assessments and penetration testing.
• Personnel security: background checks, confidentiality agreements, and security training.
• Physical security: locked office space, locked file cabinets, cross-cut shredder, monitored alarm.
• Written incident response plan and breach notification procedures.

7How Long We Keep Information

We retain consumer authorization records, identity verification records, transaction logs, dispute records, and end-user certifications for at least five years as required by our reseller agreements and consistent with industry standard. Operational logs are kept at least one year. Information collected solely for identity verification (such as ID images) is securely deleted within 90 days unless retention is required for an open dispute or regulatory matter.

8Your Privacy Rights

Under the FCRA, GLBA, and various state laws, you may have the right to:

• Request a copy of any consumer report we delivered concerning you (free if requested within 60 days of an adverse action).
• Dispute information you believe is inaccurate (see our dispute procedures).
• Receive an annual GLBA privacy notice (you are reading it).
• Know what categories of personal information we have about you, the sources, and the categories of recipients.
• Request deletion of personal information not required for FCRA recordkeeping or legal compliance.
• Withdraw your authorization for any future report pull (does not undo past pulls).
• Opt out of any non-essential communications.

State-Specific Rights

If you live in California, Colorado, Connecticut, Virginia, Utah, Oregon, Texas, or another state with a comprehensive consumer privacy law, you may have additional rights, including the right to access, correct, delete, and opt out of certain processing. To exercise these rights, email privacy@creditreportnow.ai. We do not sell personal information and do not engage in cross-context behavioral advertising.

Note: Even where state law allows opt-out of "sale" or "sharing," GLBA and FCRA permit certain transfers (e.g., delivering a report to the end-user the consumer authorized) that are not "sales." Those transfers will continue as long as you authorize and use the service.

9Cookies and Online Tracking

Our website uses essential cookies for authentication, session management, and fraud prevention. We use a small number of analytics cookies to understand site usage in aggregate. We do not use advertising or behavioral tracking cookies on this site. You can manage cookies in your browser.

10Children

Our service is not directed to children. We do not knowingly collect information from anyone under 18. If you believe we have collected information from a minor, please contact us at privacy@creditreportnow.ai.

11Changes to This Policy

We may update this Privacy Policy. The "Last Updated" date at the top reflects the most recent change. Material changes will be communicated by email to active end-users and posted prominently on our website at least 30 days before taking effect, except where shorter notice is required by law.

12Contact Us

CreditReportNow LLC
Attn: Privacy Officer
1234 N. Central Avenue, Suite 500
Phoenix, Arizona 85004
Email: privacy@creditreportnow.ai
Phone: (602) 555-0100