Privacy Policy
Effective Date: April 8, 2026 | Last Updated: April 8, 2026
1. Who We Are
CredPilot is operated by CredPilot Technologies LLC ("CredPilot," "we," "us," or "our"), a company that provides a credentialing workflow platform for healthcare billing specialists, credentialing coordinators, and healthcare administrators. Our primary website is getcredpilot.com.
For privacy inquiries, contact us at: [email protected]
2. What Data We Collect
We collect the following categories of data:
Account Data
Name and email address collected at sign-up. CredPilot supports two authentication methods: Google OAuth (name and email are provided by Google) and email/password sign-in (your password is stored as a one-way bcrypt hash — we never store it in plain text and cannot read it).
Provider Credential Data
Professional information you enter into provider profiles, including names, NPI numbers, DEA registration numbers, state license numbers, malpractice insurance details, board certifications, practice addresses, and other credentialing data. This data is entered by you and used solely to autofill credentialing forms on your behalf.
Uploaded Documents
PDF files and credential documents (DEA certificates, malpractice certificates, board certifications, W-9s, etc.) that you upload for AI extraction or storage. These are stored in encrypted cloud storage (Amazon S3).
Usage Data
Information about how you use the platform, including pages visited, features used, and PDF fill job activity. We use Umami Analytics, a privacy-preserving analytics tool that does not use cookies and does not collect personally identifiable information.
Billing Data
Subscription and payment information is processed by Stripe. We store only your Stripe Customer ID and Subscription ID. We do not store full card numbers, CVV codes, or other raw payment data.
Chrome Extension Data
The CredPilot Chrome extension reads form fields on web pages you visit when you click "Fill This Page" or "Fill CAQH ProView." It does not passively monitor your browsing. It stores an authentication token in your browser's local extension storage (chrome.storage.local) to keep you logged in. The extension also temporarily caches your active provider profile in local extension storage to enable instant form filling without a network request on every page. This cached data never leaves your device and is cleared when you sign out. The extension may display browser notifications to confirm when a form has been successfully filled or to alert you, before filling begins, if required data is missing from your profile.
3. How We Use Your Data
- To provide and operate the CredPilot platform and Chrome extension
- To autofill credentialing PDFs and web forms using your saved provider profile data
- To extract credential information from uploaded documents using AI
- To track credential expiration dates and send reminder notifications
- To process subscription payments through Stripe
- To send transactional emails (welcome emails, trial expiry reminders) via Resend
- To monitor platform health and usage patterns (via Umami Analytics)
- To respond to support requests
We do not sell your data. We do not use your provider credential data for advertising. We do not share your data with third parties except as described in Section 4.
4. Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| Google OAuth (optional) | Authentication | Name, email |
| Stripe | Payment processing | Name, email, billing info |
| Amazon S3 | Document storage | Uploaded files |
| Resend | Transactional email | Name, email |
| Umami Analytics | Anonymous usage analytics | No PII — anonymous page views only |
| AI Provider (LLM) | PDF field extraction and smart import | PDF content and pasted credential text submitted for processing |
5. Cookies and Tracking
CredPilot uses a single session cookie to keep you logged in. This cookie is set by our server and is required for authentication. It is not used for advertising or cross-site tracking.
We use Umami Analytics, a GDPR-compliant analytics tool that does not use cookies and does not collect personally identifiable information. No cookie consent banner is required for Umami.
We do not use Google Analytics, Facebook Pixel, or other advertising trackers.
6. Data Retention
We retain your account data and provider profiles for as long as your account is active. If you delete your account, we will delete your data within 30 days, except where retention is required by law or for legitimate business purposes (such as billing records).
Uploaded documents stored in Amazon S3 are deleted when you delete them from the platform or when your account is deleted.
7. Your Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of the data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and all associated data
- Portability: Export your provider profile data as JSON or Excel at any time from within the platform
- Objection: Object to certain processing activities
To exercise any of these rights, email us at [email protected]. You can also delete your account directly from the Account Settings page within the platform.
8. Security
We use industry-standard security measures including HTTPS encryption in transit, encrypted storage for documents, and secure session cookies (HttpOnly, Secure, SameSite=None). Access controls restrict each user to their own data. CredPilot supports two sign-in methods: Google OAuth and email/password. For email/password accounts, passwords are hashed using bcrypt (a one-way cryptographic function) before storage — we never store or transmit passwords in plain text.
9. Children's Privacy
CredPilot is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify you by email. Continued use of the platform after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or how we handle your data, contact us at:
