AltFiScore
Draft·These policies are drafts pending legal counsel review and finalization. Last revised: May 15, 2026.

Privacy Policy

Effective Date: May 15, 2026 · Last Revised: May 15, 2026 · Version 1.0 (Draft)

Who this Policy applies to

This Privacy Policy describes how AltFiScore AI Inc. ("AltFiScore", "we", "us", or "our") collects, uses, shares, and protects personal information. It applies to information collected through our website, APIs, lender portal, consumer-facing verification flows, and any other AltFiScore services (collectively, the "Services"). Different sections apply depending on your jurisdiction — please see the relevant regional sections below.

1. Overview

AltFiScore provides credit decisioning infrastructure to licensed lenders ("Customers") who use our APIs to make lending decisions about their applicants ("Consumers"). We act in two distinct capacities depending on the context:

  • As service provider / data processor to our Customers — processing Consumer personal information on their behalf under their instruction to produce credit decisions.
  • As data controller for our own business operations — including managing Customer relationships, processing inquiries from this website, and administering our Services.

2. Information We Collect

2.1 Information Customers provide about Consumers

When our Customers use our APIs to request credit decisions, they submit information about Consumers, which may include:

  • Identifiers: full name, date of birth, last four digits of SSN, email address, phone number, mailing address.
  • Financial information: bank account data accessed via authorized integrations (e.g., Plaid), income and employment data (e.g., Argyle), credit and payment history.
  • Transaction information: amount, merchant, product description, and category of the transaction being financed.
  • Verification information: identity verification artifacts from KYC providers when applicable.

2.2 Information collected through this website

  • Information you provide: contact form submissions (name, business email, company, role, message), demo signups, and email correspondence.
  • Automatically collected: IP address, browser type, referring URL, pages visited, timestamps, and approximate geographic location.
  • Cookies and similar technologies: see our Cookie Policy.

2.3 Information collected automatically when Customers use our APIs

  • API request and response logs (with PII redacted for security).
  • API key identifiers, IP addresses originating requests, request timestamps and rate metrics.
  • Aggregated performance metrics for service reliability and capacity planning.

3. How We Use Information

We use the information described above to:

  • Provide our credit decisioning Services to Customers, including running scoring and decision algorithms on Consumer data submitted via APIs.
  • Generate compliance artifacts including TILA disclosures and FCRA-compliant adverse action codes for Customers to deliver to Consumers.
  • Operate, maintain, secure, and improve our Services.
  • Monitor for fraud, abuse, security incidents, and unauthorized use of Services.
  • Respond to inquiries, support requests, and legal process.
  • Comply with legal obligations including FCRA, ECOA, GLBA Safeguards Rule, BSA/AML, and applicable state laws.
  • Communicate with Customers about service updates, security advisories, and contractual matters.

4. Legal Basis for Processing (EU and UK Residents)

If you are located in the European Economic Area, United Kingdom, or Switzerland, our legal basis for processing your personal information depends on the specific information and the context. We typically rely on:

  • Performance of a contract (Art. 6(1)(b) GDPR): processing Consumer data per Customer instructions to fulfill the lending decision contract.
  • Legitimate interests (Art. 6(1)(f) GDPR): operating our Services, preventing fraud, ensuring information security, and engaging in business communications with Customers.
  • Legal obligation (Art. 6(1)(c) GDPR): complying with applicable financial-services and tax law.
  • Consent (Art. 6(1)(a) GDPR): where required, such as non-essential cookies — see our Cookie Policy.

5. How We Share Information

We share personal information only as follows:

  • With our Customers: credit decisions and supporting artifacts are returned to the Customer that requested them. We do not share one Customer's data with another Customer.
  • With sub-processors: vetted vendors who help us deliver Services (e.g., cloud infrastructure, data partners, identity verification providers). Sub-processors are bound by contractual confidentiality and data-protection obligations.
  • For legal compliance: in response to lawful subpoenas, court orders, regulatory examinations, or to comply with applicable law.
  • For corporate transactions: in connection with a merger, acquisition, financing, or sale of business assets, subject to confidentiality and reasonable notice.
  • With your consent: in any other case where you direct or consent to such sharing.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use Consumer data submitted via the API for any purpose other than producing the requested decision and improving service reliability.

6. International Data Transfers

AltFiScore is headquartered in the United States. When we transfer personal information from the EEA, UK, or Switzerland to the US or other jurisdictions, we use one or more of the following safeguards:

  • EU Standard Contractual Clauses (SCCs) issued by the European Commission (Commission Implementing Decision (EU) 2021/914).
  • UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs.
  • Such other safeguards as the relevant regulator may approve from time to time.

You may request a copy of our SCCs by contacting legal@altfiscore.com.

7. Data Retention

We retain personal information for as long as needed for the purposes set out in this Policy and to comply with our legal, regulatory, and contractual obligations:

  • Credit decision records: minimum 7 years from the date of decision (FCRA / record-keeping requirements).
  • Raw upstream data (e.g., bank transactions, payroll data): retained per Customer-configured freshness windows, typically 30 days, then aggregated or deleted.
  • API logs with redacted PII: retained in active storage for 30 days, then archived to cold storage per Customer retention configuration.
  • Inquiries and Customer communications: retained for as long as needed to support the Customer relationship plus a reasonable archival period.

8. Security

We implement administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, alteration, disclosure, or destruction. Our security program is described in detail in our Security Policy.

No security system is impenetrable. We will notify affected parties and applicable regulators of any data breach as required by law.

9. Your Rights (United States)

9.1 California (CCPA / CPRA)

California residents have the following rights regarding their personal information collected by AltFiScore as a business under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

  • Right to know: request disclosure of categories and specific pieces of personal information collected, sources, purposes, and third parties with whom we have shared it.
  • Right to delete: request deletion of personal information, subject to legal exceptions.
  • Right to correct: request correction of inaccurate personal information.
  • Right to opt out of sale or sharing: AltFiScore does not sell or share personal information for cross-context behavioral advertising, so no opt-out is required, but you may submit a request.
  • Right to limit use of sensitive personal information: applicable where we use sensitive PI for purposes beyond providing the Service.
  • Right to non-discrimination: we will not discriminate against you for exercising any of these rights.

To exercise these rights, email legal@altfiscore.com. We will verify your identity before responding, typically within 45 days.

9.2 Other US states

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Florida, Tennessee, Iowa, Indiana, Delaware, and other states with comprehensive privacy laws have rights similar to those described above. AltFiScore honors all applicable state privacy rights through the same intake channel: legal@altfiscore.com.

9.3 Financial privacy (GLBA)

Where AltFiScore acts as a service provider to a financial institution Customer, we handle nonpublic personal information ("NPI") in accordance with the Gramm-Leach-Bliley Act and the Safeguards Rule (16 CFR Part 314). For information about NPI handling related to a specific lending product, please contact the financial institution that originated your credit application.

9.4 Fair Credit Reporting Act (FCRA)

AltFiScore is not itself a consumer reporting agency, and AltFiScore reports are not consumer reports under the FCRA. AltFiScore returns adverse action codes to Customers in formats compatible with FCRA-compliant notice generation; Customers (as the licensed lenders) are responsible for delivering adverse action notices to Consumers.

10. Your Rights (European Economic Area)

If you are located in the EEA, you have the following rights under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"):

  • Access (Art. 15): obtain confirmation of whether we process your personal data and request a copy.
  • Rectification (Art. 16): have inaccurate personal data corrected.
  • Erasure (Art. 17): have personal data deleted in defined circumstances ("right to be forgotten").
  • Restriction (Art. 18): restrict processing in defined circumstances.
  • Portability (Art. 20): receive your personal data in a structured, machine-readable format.
  • Objection (Art. 21): object to processing based on legitimate interests.
  • Withdraw consent: where processing is based on consent, withdraw consent at any time.
  • Lodge a complaint: with your national supervisory authority. A list is maintained at edpb.europa.eu/about-edpb/members.

To exercise these rights, email legal@altfiscore.com. We will respond within one month (extendable by two further months for complex requests).

10.1 EU Representative

Where required by Article 27 of the GDPR, AltFiScore will appoint an EU Representative. Contact details will be published here once appointed. Until then, please direct EU-specific inquiries to legal@altfiscore.com.

11. Your Rights (United Kingdom)

If you are located in the UK, you have substantially the same rights described in Section 10 above, under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018:

  • Your supervisory authority is the Information Commissioner's Office (ICO).
  • You may lodge a complaint with the ICO if you believe we have not handled your personal data lawfully.
  • Where required by UK GDPR Article 27, AltFiScore will appoint a UK Representative. Contact details will be published here once appointed.

12. Automated Decision-Making

AltFiScore's Services include automated processing of personal data to produce credit decisions. Where this constitutes "solely automated decision-making" with legal or similarly significant effects under Art. 22 GDPR or UK GDPR:

  • The Customer (i.e., the licensed lender) is responsible for the final lending decision and for providing required disclosures.
  • Affected Consumers have the right to obtain human review, express their point of view, and contest the decision. These requests should be directed to the Customer that originated the decision.
  • Adverse action codes returned by AltFiScore are designed to support meaningful information about the logic involved, in compliance with applicable transparency requirements.

13. Children's Privacy

Our Services are not directed to children under 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact legal@altfiscore.com and we will promptly delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last Revised" date at the top of this page reflects the most recent update. Material changes will be communicated via the website and, where appropriate, directly to Customers. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

15. Contact

For any questions, requests, or complaints regarding this Privacy Policy or our handling of personal information:

AltFiScore AI Inc.

Email: legal@altfiscore.com

Attn: Legal & Privacy