Privacy Policy
How CredVault collects, uses, and protects your medical credential data. Your information is yours — we just hold it securely.
1. Information We Collect
Account Information
When you sign up for CredVault, you provide your name, email address, and a password. You may also add a phone number for two-factor authentication.
Medical Credential Data
CredVault stores the credential documents and information you upload, including:
- State medical licenses (number, issuing state, expiration date)
- DEA registration
- Board certifications
- Malpractice insurance certificates
- Immunization records and TB test results
- Background check authorizations
- Hospital privilege letters
- Other documents supporting your medical credentials
This is the data you control. We do not collect medical records, diagnosis information, or treatment history.
Shared Link Analytics
When you share a link to your credentials, we track the number of times the link was accessed and when it expires. We do not record who viewed your credentials beyond aggregate access counts.
Communication Data
If you contact us, we store your message and email address. We may also store notification preferences you configure in your account.
2. How We Use Your Data
Your data is used exclusively to power CredVault's credential management service:
- Credential storage: Securely store and organize your uploaded credentials
- Expiration alerts: Send you email reminders before credentials expire
- Share links: Generate time-limited, physician-controlled links for credential verification
- Account management: Authenticate you and manage your login
- Service improvements: Understand aggregate usage to improve the product (never at the expense of your privacy)
We never sell your data. We don't share it with advertisers, data brokers, or third parties for marketing purposes. Your credential data is used only to deliver the CredVault service you signed up for.
4. Data Security
Medical credential data is sensitive. CredVault uses the following security measures:
- AES-256 encryption at rest: All credential documents are encrypted before being stored
- TLS everywhere: All data in transit is encrypted using TLS 1.2 or higher
- Access controls: Credential data is only accessible via authenticated sessions with valid JWT tokens
- No public exposure: Your credentials are never indexed, searchable, or publicly visible
- Password hashing: Account passwords are hashed with scrypt before storage
Note: While CredVault is not a HIPAA "covered entity," we apply HIPAA-inspired security controls because your credential data is highly sensitive. We encourage organizations evaluating CredVault to conduct their own security review.
5. Data Retention & Deletion
Account Deletion
You can delete your account and all associated data at any time from your account settings, or by contacting us. Upon deletion:
- Your account is permanently removed
- All credential documents are deleted from storage
- All share links are invalidated immediately
- Your name and email are removed from our systems
Retention Period
If you do not log in to your account for 24 months, we will attempt to contact you before deleting inactive accounts and their data.
Audit Logs
Anonymous aggregate statistics about system usage (not linked to individual users) may be retained longer for product improvement purposes.
6. Third-Party Services
CredVault uses the following third-party services to deliver the platform:
- Render (Cloud Hosting): Hosts our application servers. Your data (application data) is stored on Render's infrastructure. Render Privacy Policy
- Neon (PostgreSQL Database): Manages our database. Credential data and account information are stored in Neon-hosted PostgreSQL. Neon Privacy Policy
- Postmark (Email Delivery): Sends expiration reminder emails and transactional messages. Your email address is used only to deliver CredVault communications. Postmark Privacy Policy
- Cloudflare (DNS & DDoS Protection): Handles DNS and provides DDoS protection. Cloudflare Privacy Policy
These providers are contractually bound to use your data only for the services they provide to CredVault.
7. HIPAA Considerations
CredVault is not a HIPAA covered entity. We do not handle treatment records, diagnosis data, or clinical information. However, because our customers are healthcare providers, we take security seriously:
- Credential data is stored with the same encryption standards used in healthcare applications
- Access logging and authentication controls are in place
- We do not disclose credential data to third parties without explicit physician consent
If your organization requires a formal Business Associate Agreement (BAA), contact us. We are happy to discuss standard BAAs with enterprise customers who need them for procurement compliance.
8. Your Rights
You have full control over your data at all times. Specifically, you can:
- Access: View all credentials stored in your vault at any time
- Export: Download your credential data (contact us for bulk export)
- Delete individual credentials: Remove any credential from your vault
- Delete your entire account: Permanently remove all data — account settings or email us
- Opt out of notifications: Disable expiration alerts from your settings page
- Revoke share links: Delete any share link instantly from your dashboard
To exercise any of these rights, log into your account or contact us at contact@mycredvault.com.
10. Contact Us
If you have questions about this privacy policy or how we handle your data, reach out:
We aim to respond to privacy inquiries within 5 business days.