Privacy Policy
Law 25 · FCRA · PIPEDA · GDPR compliant
1. Identity and jurisdiction
Credit Truth is a service operated by GIROUX SOVEREIGN Inc., a corporation incorporated under the laws of the State of Delaware, USA.
Registered office: 1111B S Governors Ave # 98689, Dover, DE 19904, USA. Phone: +1 (302) 251-6655. General contact: [email protected].
Our technical infrastructure (servers, databases) is located in the United States. Despite this jurisdiction, we voluntarily apply:
- The principles of the Act to modernize legislative provisions as regards the protection of personal information (commonly called "Law 25", Québec) when a Québec resident uses our service;
- The requirements of the Fair Credit Reporting Act (FCRA) and applicable state laws when a US consumer's information is processed;
- PIPEDA / LPRPDE (Canadian federal) and provincial privacy statutes (BC PIPA, Alberta PIPA, etc.) for Canadian residents outside Québec;
- GDPR when visitors from the EU interact with our service.
2. Personal Information Officer
In accordance with Law 25 (art. 3.1) and FCRA compliance best practices, we publicly designate a Personal Information Officer:
Ian Giroux
Founder and CEO — Personal Information Officer
Dedicated email: [email protected]
Phone: +1 (302) 251-6655
Postal address: same as the registered office above.
Any question, request, complaint or incident notification regarding personal information must be addressed to [email protected]. We process requests within a maximum of 30 days (Law 25, PIPEDA, and FCRA comparable timelines).
3. Scope of this policy
This policy applies to all processing of personal information performed by Credit Truth and GIROUX SOVEREIGN Inc. via thecredittruth.com and its subdomains.
Note: Credit Truth is a forensic credit audit service. When you use our service, you are explicitly asking us to analyze credit report data — this entails processing of highly sensitive personal financial information. We treat this information with the care it deserves.
4. Personal information collected
We collect different categories of information depending on your use of the service:
4.1 Account information
- Full name
- Email address
- Organization (if applicable)
- Hashed password (we never store plaintext)
4.2 Credit report data (core service)
When you request an audit, you voluntarily submit:
- Credit reports (uploaded or authorized via open banking / credit bureau API)
- Accounts, inquiries, collections, public records contained therein
- Social Security Number / Social Insurance Number — used only for identity matching when mandatory for a specific report format, never stored in plaintext and never reused
4.3 Technical metadata
- IP address at the time of submission (security, abuse prevention)
- Browser and device used (session integrity only)
- Access and audit logs
4.4 What we do NOT collect
- No advertising tracking cookies
- No third-party analytics (no Google Analytics, no Facebook Pixel, no remarketing)
- No biometric data
- No location tracking beyond approximate IP-level geolocation for security
5. Purposes of collection and processing
In accordance with Law 25 art. 8 and FCRA § 604, we collect your information strictly for these specific purposes:
- Deliver the forensic credit audit you requested — core service
- Authenticate you and secure your account
- Produce an auditable report with cryptographic integrity (SHA-3 triple-lock, Merkle chain) admissible in court
- Respond to legal obligations (court orders, regulatory inquiries, anti-fraud)
- Improve our detection engine — ONLY using fully anonymized data (no link back to you)
- Security and abuse prevention
We do NOT reuse your information for purposes other than those specified above without your prior explicit consent (Law 25 art. 12).
6. Consent
Your consent is required for us to process your personal information. It is collected as follows:
- Manifest — you must actively check a consent box before submitting any form or uploading a credit report
- Free — you are never forced to provide us with information
- Informed — this policy is accessible from every form
- Granular — we ask for separate consent for distinct purposes (audit delivery vs. anonymized model improvement)
You can withdraw your consent at any time by writing to [email protected]. Withdrawal applies only to future processing — it does not retroactively cancel processing already performed in accordance with your initial consent. If you withdraw consent while an active audit is in progress, we will cease processing and inform you of what can still be legitimately retained (for example, audit integrity logs for legal admissibility).
7. Retention period
In accordance with Law 25 art. 23 and FCRA § 619, we retain your information only for the time strictly necessary for the purposes for which it was collected.
- Uploaded credit reports: AES-256 encrypted in transit and at rest. Processed and purged within 48 hours of audit delivery unless you explicitly request we retain an archive for ongoing litigation
- Generated audit reports: retained with cryptographic seals for 7 years (standard business retention + FCRA admissibility window)
- Account information: for the duration of your account + 2 years after deletion (fraud prevention, tax records)
- Legal hold (ongoing litigation, regulatory investigation): until final resolution + applicable statute of limitations
- Anonymized model improvement data: indefinite (no link to you)
At the end of the retention period, personal information is securely destroyed or irreversibly anonymized.
8. Subcontractors and third parties
We do not sell, rent, or exchange your personal information with third parties for commercial purposes.
We may communicate information only in the following circumstances:
8.1 Operational subcontractors
Bound by written contracts with confidentiality, data minimization and security obligations:
- Credit bureau APIs (Equifax, TransUnion, Experian) — when you authorize a direct pull of your report on your behalf. They only receive what is strictly needed for identity matching
- Cloud infrastructure (DigitalOcean, US region) — hosting and storage under our direct technical control
- Cryptographic services — identity verification and audit sealing
- Transactional email — to send you audit reports and legal notices
8.2 Authorized representatives
Lawyers or agents you explicitly authorize (written mandate on file) to receive your audit results.
8.3 Regulatory or judicial authorities
In response to a valid subpoena, court order, or regulatory mandate (CAI, CFPB, state AG, etc.).
8.4 Protection of rights
To protect our rights, property, safety, or that of others — under strictly necessary and proportional conditions.
8.5 With your prior explicit consent
For any purpose not listed above.
9. Transfers outside Québec (PIA)
Important notice for Québec residents: Our servers are located in the United States. If you are a Québec resident using our service, your personal information will necessarily be transferred and processed outside Québec.
In accordance with Law 25 art. 17, we conducted a Privacy Impact Assessment (PIA) regarding these transfers. Key findings:
- Destination: United States (New York region) under our direct control
- Destination legal framework: US federal law (FCRA, Cloud Act, Patriot Act), Delaware state law
- Protection measures: AES-256 encryption at rest, TLS 1.3 in transit, restricted access, strict access controls, cryptographic audit trails
- Identified risk: US law does not offer protection formally equivalent to Law 25; certain US federal laws (Cloud Act in particular) may allow US government access to data under specific legal circumstances; however, credit audit data is unlikely to meet the specific legal criteria for such access
- Mitigation measures: data minimization, strong encryption, no tracking by third parties, destruction within the deadlines specified in section 7
- Compliance with equivalent Canadian frameworks: PIPEDA accountability principle, contractual clauses with subcontractors
By using our service, you explicitly consent to this transfer outside Québec under the conditions described. A detailed PIA is available on request at [email protected].
10. Security measures
We implement the following security measures (Law 25 art. 10, FCRA § 628, PIPEDA Principle 7):
10.1 Technical measures
- Encryption at rest: AES-256 for all credit report data
- Encryption in transit: TLS 1.3 on all site/server/API communications (mandatory HTTPS, HSTS)
- Cryptographic audit trail: SHA-3 triple-lock and Merkle chain for audit integrity
- Access control: restricted to personnel with a legitimate need to know
- Strong authentication: SSH Ed25519 keys, two-factor authentication on administration systems
- Logging and audit: access traces retained and monitored
10.2 Organizational measures
- Written confidentiality agreement with any person having access to PI
- Mandatory Law 25 and FCRA training at hiring
- Annual review of security practices
- No third-party tracking tools (no Google Analytics, no Facebook Pixel, no advertising services)
10.3 Detected incidents
See section 16.
11. Your rights
Depending on your jurisdiction, you have some or all of the following rights (Law 25 art. 27-41, FCRA § 609-611, PIPEDA Principle 9, GDPR art. 15-22):
- Right of access — obtain confirmation we process information about you and receive a copy
- Right of rectification — have inaccurate, incomplete or ambiguous information corrected
- Right of deletion — request that information be deleted (subject to legal retention obligations)
- Right to withdraw consent — at any time for future processing
- Right to portability (Law 25 art. 27, GDPR art. 20) — receive your information in a structured, commonly used format
- Right to deindexation (Law 25 art. 28.1) — request cessation of dissemination or deindexation of information likely to cause harm
- Right to be informed about automated decisions (Law 25 art. 12.1, GDPR art. 22) — including the factors and principles used
- Right to human review of an automated decision — see section 15 dedicated to automated processing
12. How to exercise your rights
To exercise any of these rights, write to [email protected] with:
- Your full name
- The email used at collection (for identification)
- The right you wish to exercise
- Any useful details
We may request identity verification before acting. We respond within 30 days. If we cannot respond within this period, we will inform you of the reasons for the delay.
For FCRA-specific disputes (contesting an audit result with a US credit bureau), we can also provide the structured output format required by 15 U.S.C. § 1681i.
13. Right to file a complaint
If you are not satisfied with our response, or if you believe we do not comply with our legal obligations, you can file a complaint with the competent authority for your jurisdiction:
For Québec residents
Commission d'accès à l'information (CAI)
525, boul. René-Lévesque Est, bureau 2.36
Québec (QC) G1R 5S9, Canada
Phone: 418 528-7741 / 1 888 528-7741
Email: [email protected]
Web: cai.gouv.qc.ca
For Canadian residents outside Québec
Office of the Privacy Commissioner of Canada (OPC)
30 Victoria Street, Gatineau (QC) K1A 1H3
Phone: 1 800 282-1376
Web: priv.gc.ca
For US consumers
Consumer Financial Protection Bureau (CFPB)
P.O. Box 27170, Washington, DC 20038
Web: consumerfinance.gov
Or your state Attorney General.
For EU visitors
The supervisory authority of your member state.
15. Automated processing and decisions
Credit Truth uses automated processing (AI-based forensic detection engine) as part of its core service. This processing may produce outputs that influence decisions made about you by third parties (lenders, courts, employers if used in that context).
In accordance with Law 25 art. 12.1 and GDPR art. 22, you have the following rights regarding these automated processes:
- Right to be informed: We proactively inform you that our service uses automated processing and we indicate the main types of signals analyzed (calculation errors, chronological inconsistencies, missing reporting, formatting problems, etc.)
- Right to explanation: You can request the main factors and principles that led to a specific finding in your audit. We provide written explanation within 30 days
- Right to human review: You can request that an identified Credit Truth analyst review an automated finding before any decision based on it. Request at [email protected]
- Right to contest: You can contest a conclusion and submit elements for reevaluation
- Transparency on training: Our detection engine is trained only on fully anonymized data, and we never fine-tune on an individual user's file
Credit Truth output is a recommendation for further investigation or legal action; it never constitutes a definitive decision on you. Any decision made by a third party based on our output remains their responsibility and must respect their own regulatory obligations.
16. Confidentiality incidents
In accordance with Law 25 art. 3.5 and FCRA § 615, in case of a confidentiality incident presenting a risk of serious harm:
- We evaluate the situation within hours of detection
- We notify the CAI (Commission d'accès à l'information) and affected persons as soon as possible
- We notify other applicable regulatory authorities (FTC, state AG for US data subjects, competent provincial commissioners for Canadian subjects)
- We take reasonable measures to reduce the risk and prevent recurrence
- We maintain an incident register retained for at least 5 years, consultable by the CAI upon request
To report a suspected incident, write immediately to [email protected] with the subject "CONFIDENTIALITY INCIDENT".
17. Governance policy
In accordance with Law 25 art. 3.2, we have adopted an internal governance policy on personal information. Public elements:
- Roles and responsibilities: Ian Giroux is solely responsible for PI protection; any person with access to PI is bound by a confidentiality agreement
- Training: anyone with access to PI receives mandatory Law 25 + FCRA + PIPEDA training at hiring, and annual refresher
- Complaints handling: any complaint is registered, analyzed and receives a written response within 30 days
- Revision: this policy and internal practices are revised at least annually
- Audit: external security audit of our infrastructure at least every 2 years
18. Policy updates
This policy may be updated to reflect legal, regulatory or operational changes. Any update will be published on this page with the date of update.
Last updated: April 2026
Version: 2.0 (Law 25 + FCRA + PIPEDA compliant refresh)
19. To reach us
Privacy questions, rights exercise, complaints, incidents
General communication
GIROUX SOVEREIGN Inc. — Credit Truth
1111B S Governors Ave # 98689
Dover, DE 19904, USA
+1 (302) 251-6655