CREDIT SMACK.FAQ

Privacy Policy

Operator: Credit Smack · Site: creditsmack.app

Last updated: May 31, 2026

Who this covers

Credit Smack is software for credit-repair business owners ("Operators"), not for consumers directly. Two different data flows exist:

  1. The website + enrollment (creditsmack.app, /enroll): we collect information from Operators who are interested in the education product.
  2. The dispute tool (/app, /deposit-disputes): the Operator inputs their own clients' personal information to generate dispute letters. For that data, the Operator is the data controller; Credit Smack provides the processing tool.

The tool is stateless — no database. Client data submitted to generate letters is processed per-request and returned as PDFs; server-side temp files are written to per-request private (0700) directories and deleted after the response.

What we collect

From Operators (website/enrollment):

  • Email address, and optionally name and business name (via /enroll).
  • Standard server logs (IP address, timestamps) for security and rate-limiting.

Client data processed by the tool (controlled by the Operator):

  • Consumer name, address, SSN, date of birth, and credit-report / deposit-account data.
  • Uploaded identification documents (e.g. SSN card, driver's license) that the tool attaches to bureau/CRA letters.

Identification images are attached only to consumer-reporting-agency letters, never to creditor/furnisher letters. Generated packages may be saved to the Operator's own device.

How we use it

  • Operator data: to respond to enrollment, send the requested information, and (if you opt in) add you to our email list. We use Resend as our email provider.
  • Client data: solely to generate the dispute documents the Operator requested. We do not sell it and do not use it to train models.

Third parties / sub-processors

  • Anthropic (Claude API)IF the Operator enables AI letter generation, the letter prompts (which include the consumer data above, including SSN/DOB) are sent to Anthropic to draft letter text. If AI is not enabled, a local template engine is used and no client data leaves the server.
  • Resend — transactional email + the enrollment list (Operator emails only).
  • Hosting provider — serves the site/app.

No other third parties receive client PII. Letters are addressed to the credit bureaus / CRAs / creditors the Operator chooses to mail them to.

Retention

  • Operator enrollment data: kept until you ask us to delete it.
  • Client data in the tool: not retained server-side (stateless). Any saved letter packages live on the Operator's device under the Operator's control.

Your choices

  • Operators may request access to or deletion of their enrollment data at privacy@creditsmack.app.
  • Operators are responsible for honoring their own clients' privacy rights and for having a lawful basis to process their clients' data through the tool.

Security

Data in transit is encrypted (HTTPS). Server-side temp files holding PII are written to private per-request directories and deleted after use. The API key for the dispute endpoints gates programmatic access. No security is perfect; do not transmit data you are not authorized to process.

Children

Not directed to anyone under 18.

Contact

privacy@creditsmack.app

Privacy Policy — Credit Smack · Credit Smack