CREDMINDER Privacy Policy
Last Updated: March 4, 2026
Version: 3.0
This Privacy Policy describes how Be Prepared Education LLC ("Company," "we," "us," or "our") collects, uses, discloses, and protects your information when you use the CredMinder service, which includes:
- The CredMinder mobile application for iOS and Android
- The CredMinder web application at https://www.credminder.app
These are collectively referred to as the "Service." The web application and mobile applications provide the same credential management experience, including account management, credential storage, image upload, notifications, and PDF export.
By using the Service on any platform, you agree to the collection and use of information in accordance with this Privacy Policy. We are committed to protecting your privacy and handling your data with transparency.
CredMinder is a credential management application that helps you securely store, track, and manage expiring licenses, certifications, insurance policies, and identification documents.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address — Used for authentication and account recovery.
- Display name (first and last name) — Stored when you create your profile.
- Authentication provider — Whether you signed in with email/password, Google, or Apple.
If you sign in with Google or Apple, we receive your name and email from those providers. We do not receive or store your password for third-party sign-in methods. We do not access your contacts, social media activity, or other data from these providers beyond what is necessary for authentication.
1.2 Credential Data
You choose what credential information to store in the app:
- Title — Name of the credential (required).
- Expiration date — When the credential expires (optional).
- ID number — License or credential identifier (optional).
- Notes — Free-text notes (optional).
- Photos — Front and back images of the credential, captured through your device's camera or selected from your photo library (optional).
This data is stored in Google Firebase (Firestore database and Firebase Storage) under your authenticated user account. Only you can access your credential data.
1.3 Device and Usage Data
When you use the Service, certain information is collected automatically:
- Device Information: Device type, operating system and version, unique device identifiers, and mobile network information.
- Firebase Analytics: Screen views, feature usage events (e.g., credential created, search used, PDF exported), and app performance metrics. Events are anonymized and aggregated.
- User Properties: Subscription tier (free/pro/unlimited), credential count bracket (0, 1-3, 4-10, 11+), and whether biometric lock is enabled. These are aggregate user properties, not personally identifiable.
- Crash Reports: If the app crashes, Firebase Crashlytics may collect device model, OS version, and stack trace to help us diagnose issues.
- Push Notification Tokens: Device tokens used to deliver push notifications through Firebase Cloud Messaging (FCM), if you have enabled notifications. This token identifies your device, not you personally.
- Log Data: IP address, access times, and diagnostic data when you interact with our website.
1.4 Subscription Data
If you subscribe to a paid plan:
- RevenueCat processes your subscription. RevenueCat receives your anonymous app user ID (your Firebase UID) and subscription status. RevenueCat does not receive your name, email, or credential data.
- Payment processing is handled entirely by Apple (App Store), Google (Google Play), or through Apple Pay and Google Pay on the web. We never see or store your payment card details.
For more information, visit RevenueCat's privacy policy.
1.5 Notification Data
- Local notifications — Expiration reminders are scheduled locally on your device and do not transmit data to any server.
- Push notifications — If enabled, a Firebase Cloud Messaging token is stored to enable push notification delivery.
1.6 Biometric Data
If you enable biometric lock, your preference (enabled/disabled) is stored locally in encrypted secure storage on your device.
We never collect, store, or transmit your biometric data (fingerprint, face scan, etc.). Biometric authentication is processed entirely by your device's operating system.
1.7 Providing Your Data
Providing your email address is a contractual requirement necessary to create an account and use the Service. If you do not provide an email address, you will not be able to create an account or access the Service.
Providing your name, credential data, and photos is voluntary. If you choose not to provide optional information, certain features (such as credential tracking or photo storage) will not be available, but the core Service will remain functional.
No statutory or regulatory obligation requires you to provide personal data to use CredMinder.
2. How We Use Your Information
We use the information we collect for the following purposes. Where we rely on legitimate interests as a legal basis, we have described the specific interest below.
| Data Type | Purpose | Legal Basis | Details |
|---|---|---|---|
| Email, name, auth provider | Account creation, authentication, and account recovery | Art. 6(1)(b) Contract | Necessary to provide the Service you signed up for. |
| Credential data and photos | Core app functionality — storing, displaying, and exporting your credentials | Art. 6(1)(b) Contract | Necessary to provide the core credential management service. |
| Analytics events, user properties | Understanding feature usage to improve the app | Art. 6(1)(f) Legitimate interests | Our legitimate interest in understanding how users interact with the app to improve functionality, identify popular features, and fix usability issues. |
| Crash reports, performance data | Diagnosing technical issues and maintaining app stability | Art. 6(1)(f) Legitimate interests | Our legitimate interest in maintaining app stability, diagnosing bugs, and ensuring a reliable user experience. |
| FCM token | Delivering push notification reminders | Art. 6(1)(a) Consent | You choose whether to enable push notifications. You can withdraw consent at any time via your device settings. |
| Subscription status | Determining your plan features (credential limit) | Art. 6(1)(b) Contract | Necessary to fulfill the subscription agreement and provide plan features. |
| Biometric preference | Enabling/disabling biometric lock on app launch | Art. 6(1)(a) Consent | You choose whether to enable biometric lock. Your preference is stored locally and can be changed at any time in Settings. |
| Log data (IP, access times) | Security, fraud detection, and unauthorized access prevention | Art. 6(1)(f) Legitimate interests | Our legitimate interest in protecting user accounts and data from unauthorized access and in maintaining the security of the Service. |
We also use your information to comply with legal obligations (Art. 6(1)(c)) and to send notifications about Service changes with your consent.
3. How We Store and Protect Your Data
3.1 Cloud Infrastructure
CredMinder uses Google Firebase as its backend infrastructure. Your data is stored and processed using the following Firebase services:
- Firebase Authentication — Manages your account credentials and authentication tokens securely.
- Cloud Firestore — Stores your credential data in a secure, cloud-hosted database.
- Firebase Storage — Stores images of your credentials in secure cloud storage.
- Firebase Cloud Messaging (FCM) — Delivers push notifications for expiration reminders.
- Firebase Analytics — Collects anonymized usage data to help us understand how the Service is used.
- Firebase Remote Config — Allows us to update app behavior and feature availability without requiring an app update.
- Firebase Crashlytics — Collects crash reports and diagnostic data to help us identify and fix bugs.
Firebase is operated by Google and is subject to Google's security practices. For more information, visit Google's Privacy Policy.
3.2 Data Isolation
Your credential data is stored under your unique user account and is accessible only to you when authenticated. We enforce server-side security rules that prevent any user from accessing another user's data. Your credential images are stored in a user-specific path and are not publicly accessible.
3.3 On-Device Security
Sensitive data cached on your device is stored using platform-appropriate secure mechanisms:
- iOS: Keychain for authentication tokens and secure credentials.
- Android: EncryptedSharedPreferences for authentication tokens and secure credentials.
- Web: Secure, HTTP-only cookies and browser-native session storage. No sensitive credential data is persisted in the browser beyond your active session.
On mobile platforms, credential images cached locally are stored in the app's private directory, which is not accessible to other applications.
CredMinder may offer an optional biometric lock feature on mobile (Face ID, Touch ID, or fingerprint authentication) that requires biometric verification when the app returns from the background. Biometric data is processed entirely on your device by the operating system and is never transmitted to or stored on our servers.
3.4 Security Measures
We implement commercially reasonable technical and organizational measures to protect your data, including:
- Encryption of data in transit (TLS/SSL) and at rest.
- Server-side security rules that validate all data access requests.
- Authentication requirements for all data operations.
- Regular dependency audits and security reviews.
No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
4. Subscription and Payment Processing
CredMinder offers premium features through subscriptions. Payment processing varies by platform:
- iOS: Subscriptions are processed through the Apple App Store and managed by our subscription partner RevenueCat.
- Android: Subscriptions are processed through the Google Play Store and managed by RevenueCat.
- Web: Payments are processed through Apple Pay and Google Pay. These services handle your payment information directly; we do not receive or store your payment card numbers or bank account details.
Across all platforms, we do not collect, store, or have access to your payment card numbers, bank account information, or other financial details.
- For information on how Apple handles payment data, visit https://www.apple.com/legal/privacy.
- For Google, visit https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice.
5. Data Sharing and Disclosure
We do not sell your personal data. We may share your information only in the following limited circumstances:
5.1 Service Providers
We use the following third-party service providers who process data on our behalf:
| Service | Provider | Purpose | Privacy Policy |
|---|---|---|---|
| Firebase Auth | Google | User sign-in | Google Privacy Policy |
| Cloud Firestore | Google | Credential data storage | Google Privacy Policy |
| Firebase Storage | Google | Credential photo storage | Google Privacy Policy |
| Firebase Analytics | Google | Usage analytics | Google Privacy Policy |
| Firebase Crashlytics | Google | Crash reporting | Google Privacy Policy |
| Firebase Remote Config | Google | Feature flags | Google Privacy Policy |
| Firebase Cloud Messaging | Google | Push notifications | Google Privacy Policy |
| RevenueCat | RevenueCat Inc. | Subscription management | RevenueCat Privacy Policy |
| Google Sign-In | Google | OAuth authentication | Google Privacy Policy |
| Sign in with Apple | Apple | OAuth authentication | Apple Privacy Policy |
These providers are contractually obligated to use your data only to perform services on our behalf and to protect your data in accordance with applicable law.
5.2 Legal Requirements
We may disclose your information if required to do so by law, or in the good faith belief that such action is necessary to comply with a legal obligation, protect the rights or property of the Company, prevent wrongdoing, or protect the personal safety of users or the public.
5.3 Business Transfers
If the Company is involved in a merger, acquisition, or asset sale, your personal data may be transferred. We will provide notice before your data becomes subject to a different privacy policy.
6. Data Retention and Deletion
6.1 Retention Period
- Account data is retained as long as your account is active.
- Credential data is retained as long as your account exists. You can delete individual credentials at any time from within the app.
- Analytics data is retained per Google's Firebase Analytics retention policies (typically 14 months for event data).
- Crash logs are retained for 90 days per Firebase Crashlytics default retention.
- Subscription data is retained by RevenueCat per their retention policy.
6.2 Account Deletion
You may delete your account and all associated data at any time:
- In-app: Go to Settings > Delete Account. This permanently deletes your Firebase Authentication account, all credential documents, and all stored images.
- By contacting us: If you are unable to access the app, you may request account and data deletion by contacting us at the information listed in the Contact Us section, or by visiting https://credminder.app/contact_us. We will process deletion requests within 30 days.
Upon account deletion:
- Your credential data (names, expiration dates, ID numbers, notes) is permanently deleted from Cloud Firestore.
- Your credential images are permanently deleted from Firebase Storage.
- Your authentication account is removed from Firebase Authentication.
- Your push notification tokens are invalidated.
- RevenueCat subscription data is disassociated from your user ID.
Account deletion is permanent and cannot be undone. Certain anonymized, aggregated analytics data that cannot be linked back to you may be retained.
7. Your Privacy Rights
7.1 All Users
Regardless of your location, you have the right to:
- Access the personal data we hold about you (available in-app — all your data is visible to you).
- Correct inaccurate or incomplete personal data.
- Delete your account and associated data (available in-app via Settings > Delete Account).
- Export your credential data (available via PDF export for individual credentials).
- Opt out of non-essential communications and push notifications through your device settings.
7.2 European Economic Area (EEA) and United Kingdom — GDPR
If you are located in the EEA or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR):
- Legal Basis for Processing: The legal basis for each processing activity is detailed in the table in Section 2 above. In summary, we process your data based on: (a) your consent (e.g., enabling push notifications, enabling biometric lock); (b) performance of a contract (e.g., providing the credential management Service you signed up for); (c) our legitimate interests (e.g., analytics to improve the Service, crash reporting for stability, security monitoring to protect accounts); and (d) compliance with legal obligations.
- Right to Data Portability: You may request a copy of your data in a structured, commonly used, machine-readable format.
- Right to Object: You may object to processing based on legitimate interests. Where you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Right to Restrict Processing: You may request that we limit how we use your data in certain circumstances.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to Lodge a Complaint: You may file a complaint with your local data protection authority, in particular in the Member State of your habitual residence or place of work. A list of EU/EEA data protection authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. For UK residents, the relevant authority is the Information Commissioner's Office (ICO) at https://ico.org.uk.
For the purpose of the GDPR, Be Prepared Education LLC is the Data Controller. To exercise these rights, contact us using the information in the Contact Us section. We will respond within 30 days.
7.3 California Residents — CPRA
If you are a California resident, you have rights under the California Privacy Rights Act (CPRA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of your personal information.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- Sensitive Personal Information: CredMinder collects credential data (such as license numbers and identification documents) which may constitute sensitive personal information under CPRA. This data is used solely to provide the core Service functionality.
To exercise your rights, contact us at the information provided in the Contact Us section. We will verify your identity and respond within 45 days. You may designate an authorized agent to make requests on your behalf.
8. Advertising
CredMinder does not display advertisements and does not use advertising SDKs, tracking pixels, or any third-party advertising technology. We do not engage in cross-context behavioral advertising or sell your data to advertisers.
9. International Data Transfers
Your information may be transferred to and processed on servers located outside your country of residence, including in the United States, where our Firebase infrastructure is hosted. If you are accessing the Service from outside the United States, please be aware that data protection laws in the United States may differ from those in your jurisdiction.
Transfer Safeguards: Our primary service providers (Google/Firebase and RevenueCat) participate in the EU-US Data Privacy Framework (DPF), which has been recognized by the European Commission as providing an adequate level of data protection (adequacy decision of July 10, 2023). Where a service provider is not certified under the DPF, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the appropriate safeguard for the transfer of personal data. You may request a copy of the applicable safeguards by contacting us using the details in the Contact Us section.
For more information about the EU-US Data Privacy Framework, visit https://www.dataprivacyframework.gov.
By using the Service, you consent to the transfer of your information to the United States and other jurisdictions where our service providers operate. We take reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Policy.
10. Children's Privacy
CredMinder is designed for adults and is not directed at children under the age of 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately and we will take steps to delete such information from our systems.
11. Push Notifications
CredMinder uses Firebase Cloud Messaging (FCM) to send push notifications for credential expiration reminders. You can enable or disable push notifications at any time through the CredMinder app settings or your device's system notification settings.
Disabling push notifications will not affect other functionality of the Service, but you will no longer receive expiration reminders via push notification.
12. Cookies and Website Tracking
The CredMinder mobile applications (iOS and Android) do not use cookies. The CredMinder web application uses cookies as follows:
- Essential Cookies: Required for authentication, session management, and core application functionality. These are necessary to use the web application.
- Analytics Cookies: Used to understand how users interact with the web application, helping us improve the user experience. These are collected through Firebase Analytics.
You can control cookie preferences through your browser settings. Disabling essential cookies may prevent you from using the web application. The CredMinder web application does not respond to "Do Not Track" browser signals.
13. Third-Party Links
The Service may contain links to third-party websites or services that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policy of every site you visit.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy.
- Notify you via email or a prominent notice within the app.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you can contact us:
- By mail: Be Prepared Education LLC, P.O. Box 23, Sedley, VA 23878
- Online: https://credminder.app/contact_us
This Privacy Policy is effective as of March 4, 2026 and applies to all users of the CredMinder application on iOS, Android, and the web.