Privacy Policy

1. Introduction

2. Information We Collect

2.1 Information You Provide

We collect information you provide directly to us, including:

• Account Information: Name, email address, organization name, job title, and password when you create an account.
• Service Member Data: Names, Social Security Numbers (SSNs), dates of birth, and other identifying information necessary for SCRA verification.
• Case Information: Account numbers, loan details, property information, and other data related to SCRA compliance cases.
• Communications: Messages, support requests, and other communications you send to us.

2.2 Information Collected Automatically

When you use our platform, we automatically collect:

• Log Data: IP address, browser type, operating system, referring URLs, and access times.
• Usage Data: Pages viewed, features used, actions taken, and time spent on the platform.
• Device Information: Device identifiers, screen resolution, and browser settings.

2.3 Information from Third Parties

We receive information from the Defense Manpower Data Center (DMDC) regarding military service status as part of our SCRA verification services. This information is used solely for the purpose of determining SCRA eligibility.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our SCRA compliance services
• Verify military service status through authorized DMDC channels
• Process cases and generate compliance documentation
• Send notifications about case status, deadlines, and system updates
• Respond to your requests and provide customer support
• Monitor and analyze usage patterns to improve our platform
• Detect, prevent, and address security issues and fraud
• Comply with legal obligations and regulatory requirements

4. Data Security

We implement robust security measures to protect your information:

• Encryption: Social Security Numbers and other sensitive data are encrypted using AES-256-GCM encryption at rest and TLS 1.3 in transit.
• Access Controls: Role-based access controls ensure users only access data necessary for their function.
• Audit Logging: Comprehensive audit trails track all access to sensitive information.
• Data Minimization: SSNs are decrypted only at the moment of DMDC verification and immediately cleared from memory.
• Security Standards: SOC 2 Type II certification is on our 2026 roadmap. Our systems and processes are built to these standards today.

5. Data Sharing and Disclosure

We do not sell your personal information. We may share information in the following circumstances:

• Service Providers: With third-party vendors who assist in operating our platform, subject to confidentiality agreements.
• DMDC Verification: With the Defense Manpower Data Center to verify military service status, as authorized by applicable law.
• Legal Requirements: When required by law, court order, or government regulation.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, with appropriate protections.
• With Your Consent: When you have given explicit permission to share your information.

6. Data Retention

We retain information for as long as necessary to provide our services and comply with legal obligations:

• Active Cases: Data is retained throughout the case lifecycle and protection period.
• Closed Cases: Audit records are retained for seven (7) years following case closure to meet regulatory requirements.
• Account Information: Retained while your account is active and for a reasonable period thereafter.

7. Your Rights and Choices

Depending on your jurisdiction, you may have certain rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate personal information.
• Deletion: Request deletion of your personal information, subject to legal retention requirements.
• Portability: Request your data in a portable format.
• Opt-Out: Opt out of certain data processing activities.

To exercise these rights, contact us at privacy@civrel.io.

8. California Privacy Rights

California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete personal information, and the right to opt-out of the sale of personal information. We do not sell personal information.

9. Children's Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us.

10. International Data Transfers

Your information may be transferred to and processed in the United States, where our servers are located. By using our services, you consent to such transfer and processing.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our platform and updating the "Last updated" date. Your continued use of our services after such changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us: