Data compliance, by design.
How ChoiceIdentity handles the regulations that govern credit data and personal information — FCRA, GLBA, CCPA/CPRA, and the growing list of state privacy laws.
FCRA
We only pull consumer reports with a permissible purpose — in practice, that means you are always pulling your own report, with your explicit authorization at signup and at every Run Report click.
GLBA
Financial information handling follows GLBA safeguards: access controls, encryption, retention limits, and breach-response protocols are designed in, not added after the fact.
CCPA / CPRA
California residents can request access, correction, deletion, and data portability. We do not sell your personal information. Requests go through our support team and are processed within statutory timeframes.
State privacy laws
As new state-level privacy laws come online (VCDPA, CPA, CTDPA, UCPA), we extend the same access / correction / deletion processes to residents of those states. Our data handling is designed to meet the strictest applicable rule, not the loosest.
How this shows up in the product
Permissible purpose at every pull
Every time you click Run Report, your authorization is captured alongside the request. The request is recorded in our audit log with timestamp, IP, and the PaymentIntent that backed it. If the bureaus ever ask us to demonstrate permissible purpose, we can produce it per-record.
Consumer rights requests
Email support@choiceidentity.com with the subject line “Data Request” and tell us what you want — access, correction, deletion, or a data export. We verify the request against your account and respond within statutory timeframes (45 days for CCPA; similar windows for other state laws).
Dispute flow
Disputes on items in your credit report go through the bureaus themselves under FCRA — Experian, Equifax, and TransUnion each provide their own dispute portals. We surface negative items clearly in your report view and link you to the correct bureau for filing.
No sale of personal information
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. The only parties who see your data are the service providers we need to deliver the product: Stripe for payments, the licensed credit/identity API partner for reports, Supabase for hosted database and auth, and Resend for transactional email.
Retention limits
We keep your account data as long as your account is active, and for a limited retention period after you close it — long enough to satisfy legal hold requirements and no longer. Raw credit reports are never stored on our infrastructure; only reference tokens and short non-PII summaries live in the database.
Updates to our posture
As state-level privacy laws expand and the federal landscape evolves, we update our processes to match. Material updates are reflected on this page and in the Privacy Policy.
Questions about your data?
Email us any time — we take privacy requests seriously and respond fast.