Last updated: 7 March 2026
Version: 1.1
The Service is operated by a private individual. This policy is drafted in accordance with the General Data Protection Regulation (GDPR) and applicable European data protection laws.
The data controller within the meaning of the General Data Protection Regulation (GDPR) is:
Ali Akbar Rahimi
Steindamm 80
25337 Elmshorn
Germany
Email: privacy@credio.online
General contact: contact@credio.online
Ali Akbar Rahimi operates the Credio Service as a private individual.
For customer accounts created by an owner, the respective owner acts as an independent data controller for the personal data they enter. In this context, Ali Akbar Rahimi processes such data on behalf of the respective owner in accordance with Article 28 GDPR.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.
The competent supervisory authority for the data controller is:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98
24103 Kiel
Germany
Phone: +49 431 988-1200
Email: mail@datenschutzzentrum.de
Website: https://www.datenschutzzentrum.de
The following categories of personal data are processed in connection with the Service:
This data is required to create and manage user accounts.
This data is entered by users and stored solely for displaying and organizing personal notebook records.
Chat data is accessible only to the related account participants.
This data is processed to secure accounts and prevent unauthorized access.
When users interact with the Service, certain technical metadata may be processed automatically in order to ensure secure system operation and to document security-relevant account actions.
The IP address and user agent may be recorded specifically when a user submits an account data rectification request (for example when requesting a change of email address, phone number, or address). This information is stored together with the corresponding request record.
The purpose of this processing is to document the origin of account modification requests, detect potential misuse, investigate security incidents, and provide evidence in case of disputes related to account changes.
This processing is limited to what is necessary for secure operation, system integrity, abuse prevention, and dispute resolution.
Render, as hosting provider, may additionally process infrastructure-level logs as a data processor in accordance with its Data Processing Addendum.
When users send or receive emails through the Service, the following data are processed:
Outgoing emails are processed via Brevo.
Incoming email is handled by Google Workspace.
The backend application, database, and supporting infrastructure are hosted by Render Services, Inc., United States.
Render provides application hosting, managed database services, and infrastructure-level security monitoring. Production services are deployed in the Frankfurt (Germany) region.
Render acts as a data processor within the meaning of Art. 28 GDPR. A Data Processing Agreement (DPA) has been concluded.
As Render is a U.S.-based provider, personal data may be transferred to the United States. Such transfers are safeguarded by:
Render may engage authorized subprocessors to provide its services. An up-to-date list of subprocessors is available at:
This application uses Firebase Cloud Messaging (FCM), a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to send push notifications.
When the app is installed, a device-specific push token is generated by Firebase. This token is transmitted to the backend server and stored together with the corresponding user ID. The token is used solely to deliver notifications related to the functionality of the application.
No additional personal data is transmitted to Firebase for this purpose beyond what is technically required to deliver push notifications.
The legal basis for this processing is Article 6(1)(b) GDPR (performance of a contract), as push notifications are necessary for the proper operation of the user account within the app.
The push token is deleted when:
Users can disable push notifications at any time in the device settings.
Incoming emails to addresses under the domain credio.online (e.g., admin@, privacy@, contact@) are processed using Google Workspace, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Workspace is used solely for receiving and storing emails sent to the above addresses.
The legal basis for processing email communication is Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(f) GDPR (legitimate interest in handling inquiries and account-related communication).
Google acts as a data processor within the meaning of Art. 28 GDPR. The Cloud Data Processing Addendum (DPA) has been accepted.
As Google may process data outside the European Union, transfers are safeguarded by:
Emails are retained only as long as necessary to handle the respective request or fulfill legal obligations.
Outgoing transactional emails (e.g., account-related notifications) are sent using Brevo, provided by Sendinblue SAS (Brevo), 106 Boulevard Haussmann, 75008 Paris, France.
Brevo processes recipient email addresses and the content of transactional emails solely for the purpose of delivering such communications.
Brevo acts as a data processor within the meaning of Art. 28 GDPR. A Data Processing Agreement forms part of Brevo’s General Conditions of Use and applies automatically upon account usage.
Data is processed exclusively for the delivery of transactional communication and is not used for marketing purposes.
Personal data is processed solely for the following purposes and on the following legal bases pursuant to Article 6 GDPR:
Personal data is processed to:
Legal basis:
Article 6(1)(b) GDPR (performance of a contract).
Personal data is processed to:
Legal basis:
Article 6(1)(b) GDPR (performance of a contract).
Communication data is processed to:
Legal basis:
Article 6(1)(b) GDPR (performance of a contract).
Technical and security-related data is processed to:
Legal basis:
Article 6(1)(f) GDPR (legitimate interest).
The legitimate interest consists in ensuring the security, stability, and lawful operation of the Service.
Push tokens are processed to:
Legal basis:
Article 6(1)(b) GDPR (performance of a contract).
Users may disable push notifications at any time via device settings.
Personal data is processed to:
Legal basis:
Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(f) GDPR (legitimate interest in handling inquiries).
No marketing emails are sent.
Personal data is retained only for as long as necessary to fulfill the purposes of processing or to comply with statutory retention obligations.
Users can request deletion of their account directly within the mobile application.
Once a deletion request is submitted, access to the account is suspended immediately and the deletion process described below begins.
Customers may request account deletion only if their account balance is zero.
Once a deletion request is submitted:
During this 30-day period, the customer cannot access the account.
After expiration of the 30-day grace period:
This anonymized data cannot be used to re-identify the former customer.
Owners may request account deletion only if no active customer accounts exist.
If active customers exist, account deletion is not possible.
Deletion requests are reviewed by a Super Admin.
Upon approval:
Technical and security-related metadata may be stored in connection with specific account actions, including account data rectification requests.
Where such requests are submitted, the associated IP address and user agent may be stored together with the request record in order to document the origin of the request and to support investigation of potential disputes or security incidents.
This information is retained only as long as the corresponding request record remains in the system and is automatically deleted when the related account and associated records are permanently removed.
Infrastructure-level logs processed by the hosting provider may be retained separately in accordance with the provider’s internal security policies.
Push notification tokens are stored only as long as the corresponding user account is active.
Tokens are deleted when:
Chat messages are stored for the duration of the respective account relationship.
If a customer account enters “pending deletion” status:
After expiration of the 30-day grace period:
If an owner account is permanently deleted, all associated chat data is permanently deleted together with the account.
Emails are retained only as long as necessary to:
Where statutory retention obligations apply (e.g., under German commercial or tax law), data will be retained for the legally prescribed period and subsequently deleted.
Credio uses automated processing for analytical and statistical purposes in connection with account management and financial reporting.
These automated processes are limited to aggregated calculations and internal analytics, including exposure summaries, transaction statistics, and risk concentration metrics.
No automated decision-making within the meaning of Article 22 GDPR takes place.
In particular:
All relevant decisions affecting user accounts require human involvement and are not based solely on automated processing.
Personal data is processed primarily within the European Union.
Where service providers are established outside the European Union or where data processing may involve access from third countries (in particular the United States), transfers are carried out in accordance with Chapter V GDPR.
Where applicable, transfers are safeguarded by one or more of the following mechanisms:
The following providers may involve processing in the United States:
Transfers are carried out on the basis of legally recognized transfer mechanisms in accordance with Chapter V GDPR.
Where service providers are established within the European Union (e.g., Brevo, France), processing takes place within the EU unless subprocessors located in third countries are engaged under legally valid safeguards.
No transfers are carried out without an appropriate legal basis under Articles 44–49 GDPR.
Appropriate technical and organizational measures are implemented in accordance with Article 32 GDPR to ensure a level of security appropriate to the risk.
These measures include in particular:
Access to personal data is restricted to what is necessary for the respective processing purpose.
This Privacy Policy may be updated where necessary to reflect:
The current version number and last update date are indicated at the beginning of this document.
Material changes will be communicated through the application where appropriate.
As a data subject under the General Data Protection Regulation (GDPR), you have the following rights, subject to statutory limitations:
Requests may be submitted to: privacy@credio.online