Privacy Policy
Kred. Privacy Policy and Terms of Service · Version 1.0 · Effective 24 May 2025 · Last reviewed 24 May 2026
A1. Who We Are and How to Contact Us
Kred. (the ‘Platform’) is operated by Cherrug Holdings, LLC (‘Cherrug’, ‘we’, ‘us’, or ‘our’), a limited liability company registered in the State of Wyoming, United States of America.
| Registered Entity | Cherrug Holdings, LLC — State of Wyoming, USA |
|---|---|
| Platform Name | Kred. — UAE SME Capital Intelligence |
| Website | kred.world |
| Privacy Contact | Contact our legal team |
| Data Requests | Submit a data request |
Kred. serves users primarily located in the United Arab Emirates and the broader Gulf Cooperation Council (GCC) region. Where applicable, we comply with UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (the ‘UAE PDPL’), and where services are accessed by individuals in the European Economic Area or United Kingdom, with the General Data Protection Regulation (GDPR) as applicable.
A2. What Data We Collect
We collect the following categories of data when you use the Platform:
A2.1 Data You Provide Directly
- Identity and contact: name, email address, phone number, WhatsApp number.
- Business profile: company name, trade licence number, free zone or mainland jurisdiction, sector, years in operation, number of employees.
- Financial information: revenue figures, gross and net margins, monthly operating costs, debt obligations, debtor days, creditor days, banking relationships, VAT registration number, accounts quality rating.
- Funding requirements: amount sought, purpose of funding, preferred tenor, DSCR capacity, collateral details, existing credit facilities.
- Trade profile (where applicable): trade corridors, buyer and supplier profiles, Incoterms preferences, letter of credit experience, commodity types, export revenue proportion.
- Finance preference: conventional or Sharia-compliant instruments, or both.
- AECB data (where provided): if you upload an AECB credit report PDF, we extract your bureau score and relevant credit indicators. We do not store the raw PDF after extraction unless you explicitly save it to your profile.
- Feedback and communications: messages submitted via the feedback form, WhatsApp conversations with Aya! or Zaid!, emails sent to us.
A2.2 Data Collected Automatically
- Device and browser: device type, operating system, browser type and version, screen resolution.
- Usage data: pages visited, steps completed in the onboarding flow, time spent per step, features used, language selected, advisor selected (Aya! or Zaid!), Sharia mode toggle state.
- Behavioural analytics: for the purpose of the Kred. Integrity Adjustment (see Section B6), we may collect anonymised signals such as time taken to complete assessment steps, round-number density in financial inputs, and field revision patterns. These signals are used only for scoring integrity purposes and are not shared externally.
- Cookies and similar technologies: see Section A8.
A2.3 Data from Third Parties
- AECB: where you authorise integration with Al Etihad Credit Bureau, we receive your business credit score, director credit scores, and payment history summaries.
- Accounting software integrations (e.g. Wafeq, Zoho Books): where you connect your accounting platform, we receive financial data necessary to populate your Kred. assessment. You control these connections and may disconnect at any time.
- WhatsApp (Meta): message content from WhatsApp conversations is processed by our AI advisory system. WhatsApp message metadata is subject to Meta’s own privacy policy in addition to ours.
A3. Why We Collect It — Legal Basis
We process your personal data on the following legal bases:
| Legal Basis | Applies To |
|---|---|
| Contract performance | Processing required to deliver your Kred. score, generate your documents, and operate your account. |
| Consent | Marketing communications; AECB integration; accounting software connections; WhatsApp opt-in; beta waitlist registration. |
| Legitimate interests | Platform security, fraud prevention, product improvement, anonymised analytics, Integrity Adjustment signals. |
| Legal obligation | Compliance with applicable US, UAE, and international law; responding to lawful regulatory requests. |
A4. How We Use Your Data
We use the data we collect to:
- Calculate and maintain your Kred. score across the four scoring layers (Financial Capacity, Statutory Compliance, Operational Signals, Relationship Quality) and the Integrity Adjustment.
- Generate lender-ready documents including the Kred. Assessment Report, Executive Summary / Lender Memo, Funding Pitch Deck, Submission Templates, and other deliverables you purchase.
- Personalise your experience — including language, AI advisor (Aya! or Zaid!), finance preference, and Sharia-mode settings.
- Deliver AI advisory services via the platform interface and WhatsApp, powered by our AI infrastructure (Anthropic Claude, ElevenLabs TTS, Gladia STT).
- Send you score improvement alerts, market intelligence, document submission reminders, and product updates where you have opted in to receive them.
- Process payments for documents and services.
- Detect and prevent fraud, manipulation of the scoring system, and misuse of the platform.
- Improve our scoring methodology, document templates, and platform features using aggregated, anonymised insights.
- Comply with applicable legal obligations.
We do not use your data for automated decision-making that produces legal or similarly significant effects without human review. The Kred. score is a tool to support your funding preparation — it is not a credit decision and has no direct legal effect.
A5. Sharing Your Data
A5.1 With Service Providers
We share data with third-party processors who help us operate the platform, strictly under data processing agreements:
- Supabase — database hosting and authentication.
- Anthropic (Claude) — AI advisory and document generation.
- ElevenLabs — text-to-speech for Aya! and Zaid! voice features.
- Gladia — speech-to-text for voice input.
- Pipedream — WhatsApp bot workflow automation.
- Stripe — payment processing.
- Analytics and monitoring providers (e.g. PostHog, Sentry) — product analytics and error tracking.
A5.2 With Lender Partners
The Kred. Score and your data are provided to lender partners only with your explicit consent at the point of submission.
A5.3 With Agency Partners
If you have been introduced to Kred. through a licensed agency partner (an accounting firm, financial advisor, or company formation consultant), that agency may have access to your assessment results and documents in connection with the services they are providing to you. You will be notified of any agency relationship at the time of onboarding.
A5.4 Legal Disclosures
We may disclose your data where required by law, court order, or regulatory authority, or where we believe disclosure is necessary to protect the rights, property, or safety of Cherrug Holdings, our users, or the public.
A5.5 Business Transfers
In the event of a merger, acquisition, asset sale, or restructuring of Cherrug Holdings, LLC, your data may be transferred to a successor entity. We will notify you in advance of any such transfer and your data will remain subject to equivalent protections.
A6. Data Retention
We retain your data for as long as your account is active and for a period thereafter as set out below:
- Account data and Kred. score history: retained for the duration of your account plus 3 years following account closure, to allow for dispute resolution and regulatory compliance.
- Document data (assessment inputs used to generate your reports): retained for 5 years in line with standard financial document retention practices.
- Payment records: retained for 7 years in compliance with US financial record-keeping requirements.
- WhatsApp conversation logs: retained for 12 months and then permanently deleted, unless you have saved a conversation summary to your profile.
- Feedback and support communications: retained for 2 years.
- Anonymised, aggregated analytics data: retained indefinitely for product development purposes.
You may request deletion of your account and personal data at any time — submit a data deletion request. We will action your request within 30 days. Note that certain data may be retained where required by law or legitimate business necessity (e.g. payment records, fraud logs).
A7. Your Rights
Depending on your location and applicable law, you may have the following rights in relation to your personal data:
| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Correction | Ask us to correct inaccurate or incomplete data. |
| Deletion | Ask us to delete your personal data, subject to legal retention obligations. |
| Portability | Receive your data in a structured, machine-readable format. |
| Restriction | Ask us to restrict processing of your data in certain circumstances. |
| Objection | Object to processing based on our legitimate interests. |
| Withdraw Consent | Withdraw consent for consent-based processing at any time, without affecting past processing. |
| Complaint | Lodge a complaint with a relevant data protection authority. |
To exercise any of these rights, contact our legal team. We will respond within 30 calendar days. We may need to verify your identity before actioning your request.
A8. Cookies and Tracking Technologies
Kred. uses cookies and similar technologies for the following purposes:
- Essential cookies: required for the platform to function (session management, authentication, security). These cannot be disabled.
- Analytics cookies: to understand how users interact with the platform (e.g. which steps are completed, which language is selected). We use PostHog for privacy-respecting analytics.
- Functional cookies: to remember your language preference, advisor choice, and Sharia mode setting.
You can manage cookie preferences through our consent banner on first visit or by contacting our legal team. Essential cookies cannot be refused as the platform cannot function without them.
We do not use advertising or tracking cookies. We do not allow third-party advertisers on the platform.
A9. Data Security
We implement industry-standard security measures to protect your data, including:
- All data in transit is encrypted using TLS 1.2 or higher.
- All data at rest is encrypted in Supabase’s managed database infrastructure.
- API keys and credentials are stored in secure environment variables — never in frontend code or public repositories.
- Access to production systems is restricted to authorised personnel only.
- Our AI advisory services (Aya! and Zaid!) route calls through server-side Edge Functions — your financial data is never sent directly from your browser to external AI APIs.
No system is completely secure. In the event of a data breach that affects your rights and freedoms, we will notify you and the relevant authorities as required by applicable law, within 72 hours of becoming aware.
A10. Children
The Kred. platform is designed for business use and is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted data through the platform, contact our legal team and we will delete the data promptly.
A11. International Data Transfers
Cherrug Holdings, LLC is registered in Wyoming, USA. Your data may be processed by our service providers in the United States, European Economic Area, or other jurisdictions. Where data is transferred outside the UAE or EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) where required by GDPR.
- Data processing agreements with all third-party processors.
- Transfer to processors in countries with adequate data protection frameworks.
By using the platform, you acknowledge that your data may be transferred to and processed in countries other than your own. We take all reasonable steps to ensure your data receives equivalent protection wherever it is processed.
A12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in law, our practices, or the platform. When we make material changes, we will:
- Update the ‘Last Reviewed’ date at the top of this document.
- Notify registered users by email at least 14 days before the change takes effect.
- Display a notice on the platform.
Your continued use of the platform after the effective date of any changes constitutes acceptance of the updated policy. If you do not agree, you may close your account before the changes take effect.