Credible Finance — Legal Policies & Compliance Framework
Last Updated: May 2026
1. Terms of Service
1.1 Introduction
These Terms of Service (“Terms”) constitute a binding legal agreement between you (“you”, “Customer”, “User”) and Kiwimoney Inc, a Delaware corporation operating Credible Finance (“Credible”, “Company”, “we”, “our”, “us”). They govern your access to and use of credible.finance, the Credible APIs, the Credible dashboard, the partner platform, and every payment, settlement, treasury, custody-orchestration, checkout, payout, virtual-account, stablecoin-settlement, and AI-treasury Service that Credible makes available, including any beta, preview, or experimental feature (collectively, the “Services”).
By creating an account, signing an integration agreement, or transmitting data to or through the Services, you accept and agree to be bound by these Terms in full. If you are accepting these Terms on behalf of an organisation, you represent and warrant that you have legal authority to bind that organisation, and “you” refers to both you personally and that organisation.
These Terms may be supplemented by product-specific terms (such as Creddy Consumer Terms, Liquidity Pool Terms, or Merchant Acceptance Terms), Order Forms or Master Services Agreements executed between you and Credible, the Acceptable Use Policy in Section 4, and the API Terms in Section 11. In the event of conflict between these Terms and an executed Order Form or MSA, the Order Form or MSA shall prevail with respect to the subject matter it addresses.
If you do not agree with any part of these Terms, you may not access or use the Services.
1.2 Eligibility
You may use Credible only if you meet, and continue to meet, all of the following criteria:
- Capacity. You are at least 18 years of age (or the age of majority in your jurisdiction, whichever is higher) and have full legal capacity to enter into binding contracts.
- Entity status. Where you are acting on behalf of an organisation, that organisation is a duly incorporated and active legal entity in good standing in its jurisdiction of organisation.
- Lawful operations. Your business activities and the activities for which you intend to use the Services are lawful in (a) your jurisdiction of organisation, (b) your operating jurisdictions, and (c) the jurisdictions of your end-customers.
- No sanctions exposure. You are not located in, organised in, or ordinarily resident in any jurisdiction subject to comprehensive sanctions administered by OFAC, OFSI, the European Union, or the United Nations Security Council, and you are not included on any sanctions, denied-parties, or restricted-persons list maintained by any such authority.
- No active enforcement. You are not the subject of a current enforcement action by any financial regulator or law enforcement agency relating to fraud, money laundering, financial crime, or sanctions evasion.
- Onboarding cooperation. You complete and remain compliant with the onboarding, KYC/KYB, and periodic re-verification processes described in Sections 1.6 and 3.
Credible reserves the absolute and unilateral right to refuse onboarding, suspend Services, or terminate any account at any time and for any reason consistent with applicable law, including perceived risk, regulatory uncertainty, partner-imposed restrictions, or commercial considerations.
1.3 Services
Credible operates a portfolio of payments and stablecoin-settlement infrastructure products, including without limitation:
- Payment orchestration — software-defined routing across PSPs, acquirers, local rails, card networks, and on-chain venues for inbound and outbound payments;
- Checkout infrastructure — hosted and embedded checkout components for online and in-store acceptance, including UPI, Pix, SEPA, ACH, Faster Payments, AANI, NIBSS, GCash, M-Pesa, PayNow, PromptPay, and other alternative payment methods;
- Fiat-to-stablecoin deposit flows — conversion of inbound fiat receipts to USDC, USDT, or other supported stablecoins via licensed partners;
- Stablecoin-to-fiat withdrawals — conversion of on-chain balances to fiat for payout to bank accounts, cards, or wallets via licensed partners;
- Treasury infrastructure — multi-currency, multi-chain treasury management with programmatic sweeps, hedging tools, and on-chain custody integration;
- API infrastructure — REST and webhook APIs, SDKs, and developer tooling enabling programmatic access;
- Merchant settlement — settlement to merchant accounts in their preferred currency and rail;
- Global payouts — cross-border disbursements to bank accounts, e-wallets, cards, and on-chain addresses across 40+ markets;
- Virtual account infrastructure — named US, EU, and UK accounts with ACH, SEPA, Fedwire, and Faster Payments connectivity;
- Stablecoin settlement systems — end-to-end stablecoin-rail settlement including liquidity pools, FX engines, and on-chain confirmation primitives;
- AI-powered treasury and reconciliation — machine-learning-driven transaction reconciliation, fraud scoring, FX prediction, and treasury optimisation;
- Creddy (in roll-out) — a consumer-facing universal stablecoin payment method offering 0%-fee C2B and C2C payments across markets.
Credible reserves the right to add, modify, deprecate, suspend, or discontinue any Service at any time, with or without notice. Where commercially reasonable, advance notice of deprecation or material modification will be provided through the dashboard, by email, or via the developer changelog.
1.4 Settlement Disclaimer
Credible markets certain Services with target settlement times such as “T+0 settlement”, “instant settlement”, or “cross-border in seconds”. These targets represent the engineered performance of Credible’s orchestration layer under nominal conditions and are not contractual guarantees.
Actual settlement timing may vary materially due to:
- Banking partner availability, maintenance windows, batch cut-offs, and intra-day liquidity;
- Liquidity conditions in the relevant currency pair, market, or stablecoin;
- Blockchain network conditions including congestion, validator outages, fork events, reorgs, and confirmation latency;
- Mint, burn, redemption, or treasury operations by stablecoin issuers;
- Performance of third-party acquirers, card networks, local-rail operators, and on/off-ramp partners;
- Compliance reviews, sanctions-screening hits, transaction-monitoring alerts, and risk-driven holds;
- Court orders, regulatory directives, asset freezes, or licence-conditioned holds;
- Force majeure including acts of God, war, civil unrest, cyber-attack, and internet outage.
Credible does not guarantee uninterrupted, error-free, or any specific settlement time except where explicitly committed in a signed Order Form or SLA executed with a customer.
1.5 Stablecoin Risk Disclosure
Stablecoins are digital assets issued by third parties and designed to maintain a stable value relative to a reference asset (typically the US dollar). They are not legal tender, not bank deposits, and not insured by any deposit-insurance scheme.
By using the Services, you acknowledge and accept that stablecoins and the blockchain infrastructure they depend on may experience:
- Depegging. Market value diverging from the peg, temporarily or permanently, resulting in loss of value relative to fiat;
- Issuer risk. Issuer insolvency, loss of access to reserves, suspension of redemptions, freezing of addresses, or regulatory enforcement;
- Smart-contract risk. Bugs or exploits in stablecoin contracts or supporting protocols;
- Blockchain congestion. Delayed or failed transactions during periods of network load;
- Network downtime. Outages, validator failures, or chain reorganisations that interrupt or reverse settlement;
- Regulatory restrictions. Authorities imposing restrictions on issuance, holding, transfer, or redemption — with or without notice;
- Counterparty failures. Custodian, market-maker, on/off-ramp, or liquidity-provider default;
- Key-management and custody risk. Loss of private keys (self-custody) or counterparty risk to a custodian (custodial models).
You accept these risks in full. Credible does not insure, guarantee, or indemnify against loss arising from any of the above.
1.6 Compliance Obligations
You agree to:
- Provide accurate, complete, and current KYC / KYB information at onboarding and to update it promptly when it changes;
- Maintain lawful operations in all jurisdictions where you operate or where your end-customers are located;
- Cooperate with periodic re-verification, audits, and information requests initiated by Credible or by our regulators and banking partners;
- Provide documentary evidence of source of funds, source of wealth, beneficial ownership, transaction purpose, and other matters relevant to AML/CTF, sanctions, or tax compliance on request;
- Respond to compliance enquiries within five (5) business days unless a shorter deadline is required by law;
- Avoid restricted activities as set out in Sections 1.7 and 4;
- Implement appropriate internal controls to prevent use of the Services for unlawful activity;
- Comply with all tax-reporting and tax-withholding obligations relating to your transactions.
Credible may at any time, in its sole discretion, require enhanced due diligence (EDD), source-of-funds evidence, independent audit reports, transaction limits, or other risk-mitigation measures.
1.7 Restricted Activities
You may not use the Services, directly or indirectly, in connection with:
- Illegal gambling under the laws of any applicable jurisdiction;
- Terror financing or financing of designated terrorist organisations;
- Fraud, including credit-card fraud, identity theft, account takeover, and synthetic-identity fraud;
- Sanctions evasion, including for or on behalf of any sanctioned person, entity, or jurisdiction;
- Money laundering — placement, layering, or integration of proceeds of crime;
- Darknet markets, anonymising mixers, or similar services that obscure the origin of funds;
- Child sexual-abuse material (CSAM) or any exploitation of minors;
- Unregistered or unauthorised securities offerings;
- Ponzi schemes, pyramid schemes, high-yield investment programs (HYIPs), and “guaranteed return” investment claims;
- Deceptive or unfair business practices, including misrepresentation of goods or services, bait-and-switch schemes, and undisclosed billing;
- High-risk activities specifically prohibited by applicable laws or by our banking and processing partners.
Credible may at any time, with or without notice, refuse, reverse, freeze, or report any transaction or account suspected of involvement in any restricted activity.
1.8 Limitation of Liability
To the maximum extent permitted by applicable law:
- Liability cap. Credible’s aggregate liability in connection with the Services for any twelve-month period shall not exceed the fees actually paid by you to Credible in that period.
- No indirect or consequential damages. Credible shall not be liable for indirect, incidental, special, consequential, exemplary, or punitive damages, including lost profits, lost revenue, lost data, business interruption, loss of goodwill, or cost of substitute services.
- No liability for partner conduct. Credible shall not be liable for any act, omission, default, or insolvency of any banking partner, custodian, liquidity provider, blockchain network, stablecoin issuer, third-party processor, or other third party involved in the provision of Services.
- Settlement and timing. Credible shall not be liable for failure to achieve any marketed settlement target where failure arises from the factors set out in Section 1.4.
- Regulatory actions. Credible shall not be liable for loss arising from any regulatory action, freeze, sanction, or court order affecting your funds, transactions, or account.
Nothing in these Terms limits liability for (i) fraud or fraudulent misrepresentation, (ii) death or personal injury caused by negligence, or (iii) any other liability that cannot be excluded as a matter of applicable law.
1.9 Indemnification
You agree to defend, indemnify, and hold harmless Credible, its affiliates, and their respective directors, officers, employees, contractors, agents, partners, and licensors from and against any and all claims, liabilities, damages, penalties, fines, judgments, settlements, losses, costs, and expenses (including reasonable attorneys’ fees and court costs) arising out of or related to:
- Your breach of these Terms, including Sections 1.6 and 1.7;
- Your violation of any applicable law, regulation, or contractual obligation;
- Your or your end-customers’ fraud, illegal activity, or misuse of the Services;
- Any regulatory enforcement action, investigation, or claim arising from your business activities;
- Third-party claims relating to content, data, or instructions submitted by you to the Services;
- Tax assessments, withholding obligations, or reporting obligations relating to your transactions.
Credible reserves the right to assume the exclusive defence and control of any matter otherwise subject to indemnification, in which case you agree to cooperate.
1.10 Governing Law & Dispute Resolution
These Terms and any non-contractual obligations arising from them are governed by the laws of the State of Delaware, United States, without regard to its conflict-of-laws provisions.
Arbitration. Any dispute, claim, or controversy arising out of or relating to these Terms or the Services shall be resolved by final and binding arbitration administered by JAMS pursuant to its Comprehensive Arbitration Rules and Procedures. The seat of arbitration shall be Wilmington, Delaware, and the language of the arbitration shall be English. The arbitrator’s award shall be final and enforceable in any court of competent jurisdiction.
Class-action waiver. Disputes shall be resolved on an individual basis and not as a class, collective, or representative action.
Injunctive relief. Either party may seek injunctive or equitable relief in a court of competent jurisdiction to protect intellectual property rights or confidential information.
Severability. If any provision of these Terms is held invalid or unenforceable, it shall be enforced to the maximum extent permitted, and the remaining provisions shall remain in full force and effect.
2. Privacy Policy
2.1 Introduction & scope
Credible respects your privacy and is committed to protecting the personal and business information you entrust to us. This Privacy Policy explains the categories of information we collect, the sources of that information, the purposes for which we use it, the lawful bases on which we process it, with whom we share it, how long we retain it, the international transfers we perform, the security measures we apply, and the rights you have under applicable data-protection law.
This Privacy Policy applies to:
- The credible.finance website and any sub-domains;
- The Credible dashboards, partner platform, and Creddy consumer application (collectively, the “Services”);
- Communications you receive from Credible (email, in-app, support);
- Compliance, fraud-prevention, and security operations performed in connection with the Services.
This Privacy Policy does not apply to third-party websites, applications, or services that are linked from credible.finance but operated by other parties (banking partners, blockchain explorers, social platforms). Those operators publish their own privacy policies which you should review independently.
2.2 Data controller, EU/UK representative, and DPO
For the purposes of the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK General Data Protection Regulation as retained in UK law (“UK GDPR”), the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA / CPRA”), the Brazilian Lei Geral de Proteção de Dados Pessoais Law No. 13,709/2018 (“LGPD”), the Indian Digital Personal Data Protection Act, 2023 (“DPDP”), the South African Protection of Personal Information Act, 2013 (“POPIA”), and equivalent regimes, Kiwimoney Inc is the data controller (or equivalent term used in the relevant law) for personal data processed via the Services.
Registered address: Kiwimoney Inc, 1007 N Orange St, 4th Fl 1838, Wilmington, DE 19801, United States.
Data Protection Officer (DPO). Kiwimoney has appointed an internal Data Protection Officer responsible for overseeing this Privacy Policy and our compliance with applicable data-protection law. The DPO can be reached at [email protected].
EU / UK representative. Where Article 27 GDPR or Article 27 UK GDPR applies, Kiwimoney will appoint a representative in the EU and / or the UK and publish the representative’s contact details on this page. Until that appointment is published, EU and UK data subjects may continue to address requests to [email protected] or the DPO.
2.3 Information we collect
We collect the following categories of information. The exact data collected from any individual user depends on the products and features that user accesses.
2.3.1 Identity data
- Full legal name, preferred name, nationality, gender (where required by KYC vendor);
- Date of birth, place of birth;
- Government-issued identification documents (passport, national ID, driver’s licence) including image scans, document numbers, issuance and expiry dates;
- Selfie images and liveness-check artefacts captured during identity verification;
- Photographs of proof-of-address documents (utility bill, bank statement, tenancy agreement);
- Tax identifiers — SSN, ITIN, EIN, GSTIN, PAN, UTR, TFN, CRA BN, and equivalents;
- Politically-Exposed-Person (PEP), sanctions, and adverse-media screening results.
2.3.2 Contact data
- Email addresses (primary and recovery);
- Telephone numbers (mobile and landline);
- Residential and correspondence addresses;
- Language and communication preferences.
2.3.3 Business data
- Legal entity name, registration number, country and date of incorporation;
- Articles of incorporation, certificate of good standing, memorandum and articles, equivalent constitutional documents;
- Beneficial-ownership and control structure including UBO declarations and corporate-tree diagrams;
- Director, officer, and authorised-signatory records including identification of each individual;
- Source-of-funds and source-of-wealth documentation;
- Tax-residency, regulatory-licence, and registration data;
- Risk-classification metadata produced by our compliance systems.
2.3.4 Financial & transaction data
- Bank-account details, card details (last four digits and token references only — full PAN is never stored by Credible), and wire instructions;
- Blockchain wallet addresses, transaction hashes, and on-chain transaction metadata associated with your account;
- Transaction history including amounts, currencies, counterparties, timestamps, rails used, and settlement status;
- Balance, treasury, and reconciliation records;
- Counterparty information including names, addresses, and account details of payees or payers you transact with.
2.3.5 Technical data
- IP address (collected on every request);
- Device identifiers, device-fingerprint hashes, hardware model, screen resolution, and time-zone offset;
- Browser type and version, operating system and version, language preferences;
- Referring URLs, exit URLs, and clickstream within the Services;
- Cookies, local storage, and similar technologies (see §2.14);
- Server logs — request paths, status codes, latencies, error messages, timestamps;
- Login history, two-factor authentication state, password-reset events, session metadata;
- API-key fingerprints, webhook signing keys, and rate-limit metrics for developer integrations.
2.3.6 Usage & analytics data
- Pages and screens viewed, navigation paths, search queries within the Services;
- Feature usage — which APIs you call, which dashboards you open, which methods you accept;
- Aggregated and pseudonymised behavioural metrics used for product analytics.
2.3.7 Communications data
- The content of support tickets, email correspondence with our support, sales, and compliance teams;
- Recordings or transcripts of customer calls where lawfully collected and where you have been notified;
- Marketing-opt-in status and subscription history.
2.3.8 Compliance & risk data
- Sanctions, PEP, and adverse-media screening results;
- Transaction-monitoring alerts, case notes, and dispositions;
- SAR / CTR / OFAC blocking reports filed about your account (note: by law we may not be permitted to disclose these reports to you);
- Court orders, regulatory directives, and law-enforcement requests received by Credible relating to your account.
2.4 Sources of information
We obtain information from the following sources:
- Directly from you when you sign up, complete KYC / KYB, submit a transaction, contact support, respond to surveys, or otherwise interact with the Services;
- Automatically when you use the Services (technical, usage, and device data);
- From identity-verification vendors — selfie / liveness checks, document authentication, address verification;
- From sanctions and adverse-media vendors — list matches, PEP screening, and negative-media coverage;
- From corporate-registry providers — entity verification, beneficial-ownership lookups, good-standing checks;
- From banking and payment-processing partners — return codes, chargebacks, dispute information, payout status;
- From blockchain networks — public on-chain transaction data associated with wallet addresses you have linked to your account;
- From regulators and law enforcement in connection with lawful requests, investigations, or enforcement actions;
- From referral partners when you sign up via a referral, joint marketing campaign, or partner integration.
2.5 How we use your information
We use the data we collect for the following purposes. Each purpose is mapped to a lawful basis in §2.6.
- Account creation & operation — onboarding, authentication, account maintenance, dashboard provisioning, API-key issuance;
- Transaction processing — routing, settlement, reconciliation, payout, refund, chargeback handling;
- KYC, KYB & sanctions compliance — verifying your identity, screening against sanctions and PEP lists, performing enhanced due diligence;
- Transaction monitoring & SAR filing — detecting suspicious activity, generating cases, filing reports with FinCEN and equivalent foreign authorities;
- Tax reporting — issuing 1099s and equivalents, complying with tax-information-exchange obligations (FATCA, CRS) where applicable;
- Fraud prevention — detecting and preventing account-takeover, identity theft, and abusive behaviour using behavioural and device signals;
- Risk management — credit, counterparty, and partner-risk underwriting, including for liquidity-pool pre-funding;
- Customer support — responding to your enquiries and resolving issues;
- Product improvement — diagnosing technical issues, measuring feature performance, A/B-testing UI changes;
- Security — protecting the Services and your account against unauthorised access, attack, or compromise;
- Communications — service notifications (incident reports, security alerts, regulatory notices) and, where you have opted in, marketing communications;
- Legal claims — establishing, exercising, or defending legal claims, including responding to subpoenas and other legal process (see §16).
2.6 Legal bases for processing
Where GDPR, UK GDPR, LGPD, DPDP, POPIA, or similar regimes apply, we rely on the following lawful bases under Article 6 GDPR (and equivalent provisions in other laws):
- Performance of a contract (Art. 6(1)(b)) — onboarding, account operation, transaction processing, customer support;
- Compliance with a legal obligation (Art. 6(1)(c)) — KYC / KYB, sanctions screening, transaction monitoring, SAR / CTR / OFAC filings, tax-information reporting, records-retention obligations;
- Legitimate interests (Art. 6(1)(f)) — fraud prevention, risk management, security, network and information security, product analytics, internal record-keeping. Where this basis is used, we balance our interests against your rights and freedoms and document the balancing test;
- Consent (Art. 6(1)(a)) — marketing emails, non-essential cookies and tracking technologies, optional features. You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal;
- Vital interests (Art. 6(1)(d)) — in rare and exceptional cases where processing is necessary to protect life or physical safety;
- Legal claims (Art. 9(2)(f) where special-category data is involved) — for establishing, exercising, or defending legal claims.
2.7 Sensitive personal information
In limited circumstances we process information that is treated as “special category” data under GDPR or “sensitive personal information” under CCPA / CPRA / DPDP / LGPD, including:
- Government identifiers (passport, national ID, SSN, ITIN, equivalents);
- Biometric data inherent in selfie / liveness-check artefacts;
- Precise geolocation in limited fraud-investigation scenarios.
We process this data only where strictly necessary for KYC / AML, fraud prevention, and similar regulatory or legitimate-interest purposes. We apply enhanced security controls (encryption, restricted access, mandatory logging) and we will not use sensitive personal information for marketing, profiling for non-compliance purposes, or sale.
2.8 Sharing & disclosure
We share personal data only where necessary and only with the following categories of recipient, in each case under appropriate contractual safeguards:
- Regulated partners — partner banks, payment processors, licensed custodians, money-transmitter-licensed entities, on/off-ramp providers, stablecoin issuers, and card-network sponsor banks that participate in delivering the Services;
- KYC / KYB / sanctions vendors — identity-verification providers, document-authenticity providers, sanctions and PEP screening providers, adverse-media providers, biometric vendors;
- Fraud and risk vendors — device-intelligence, behavioural-biometrics, and risk-scoring providers;
- Government agencies and regulators — FinCEN, IRS, SEC, CFTC, state regulators, the FCA, ESMA, equivalent foreign agencies, and law-enforcement under valid legal process (see §16);
- Service providers (processors) — cloud hosting, observability and logging, email delivery, customer support, analytics, internal communication tooling. Each service provider is engaged under a written data-processing agreement that meets Article 28 GDPR (or equivalent) requirements;
- Professional advisers — auditors, lawyers, accountants, and insurers, in connection with our own legal, tax, audit, or insurance requirements;
- Corporate transactions — actual or prospective acquirers, investors, or successors in a merger, acquisition, financing, asset sale, insolvency, or reorganisation, subject to confidentiality agreements.
We do not sell personal data to advertisers, data brokers, or any third party in the meaning of CCPA / CPRA, GDPR, LGPD, or DPDP. We do not share personal data for cross-context behavioural advertising. We do not use third-party advertising or behavioural-tracking cookies on credible.finance.
2.9 Sub-processors
We engage sub-processors to help deliver the Services. Our current list of material sub-processors (cloud hosting, KYC vendor, sanctions vendor, observability, email delivery, support tooling, payment partners) is maintained internally and made available to enterprise customers on request under NDA. We require all sub-processors to maintain confidentiality, implement appropriate technical and organisational measures, and process data only on documented instructions. We will publish an updated public sub-processor list when our enterprise rollouts require it; until then, request the current list from [email protected].
2.10 International transfers
Personal data may be transferred to, processed in, and stored in the United States (where Kiwimoney is established) and other countries where our service providers and partners operate, including jurisdictions that may not provide the same level of data-protection as your home country.
For transfers out of the European Economic Area, the United Kingdom, or Switzerland, we rely on:
- The European Commission’s Standard Contractual Clauses (SCCs) — Module 1 (controller-to-controller), Module 2 (controller-to-processor), or Module 3 (processor-to-processor) as applicable;
- The UK International Data Transfer Addendum (IDTA) or the UK Addendum to the SCCs;
- The Swiss Federal Data Protection and Information Commissioner’s recognised SCCs (where applicable);
- Adequacy decisions where the destination country has received one;
- Approved derogations under Article 49 GDPR in exceptional cases.
We supplement SCCs with documented Transfer Impact Assessments (TIAs) — reviewed at least annually and on a material change — and apply additional technical safeguards such as encryption and pseudonymisation where the TIA identifies a need.
2.11 Data retention
We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, subject to legal, regulatory, and tax retention obligations. Specific retention periods:
- Account data — for the duration of the account plus five (5) years (AML record-keeping under the Bank Secrecy Act and equivalent EU / UK / APAC regimes);
- Transaction records — seven (7) years from settlement (Bank Secrecy Act §1010.430);
- KYC / KYB records — five (5) years after the end of the customer relationship (FinCEN), or longer where the laws of the customer’s jurisdiction require;
- Sanctions screening evidence — five (5) years from screening event;
- Marketing data — until you unsubscribe, then deleted within thirty (30) days;
- Server access logs — ninety (90) days, except where required for security incident investigation;
- Application audit logs — seven (7) years (financial-records context);
- Recordings and transcripts of support calls — twelve (12) months, longer where retained for a specific compliance investigation;
- Cookies — see §2.14 for per-cookie retention.
Where retention is no longer required, data is securely deleted or irreversibly anonymised.
2.12 Automated decision-making & profiling
In limited circumstances we use automated decision-making and profiling (within the meaning of Article 22 GDPR) to detect fraud, score transaction risk, and assess sanctions exposure. These systems can result in declined transactions, increased transaction friction (e.g. step-up authentication), or referral to manual compliance review.
You have the right to:
- Obtain human review of a decision that has a legal or similarly significant effect on you;
- Express your point of view and contest the decision;
- Request information about the logic involved, the significance, and the envisaged consequences.
Email [email protected] to invoke any of these rights.
2.13 Marketing & opt-outs
We only send marketing communications where you have opted in (or where a soft-opt-in under PECR / equivalent law applies). You can:
- Unsubscribe at any time using the link at the bottom of every marketing email;
- Email [email protected] to opt out of all marketing in one request;
- Adjust granular communication preferences in your account settings (where available).
Service notifications — incident reports, security alerts, regulatory notices, KYC requests, transaction confirmations — are necessary to deliver the Services and cannot be opted out of while you maintain an account.
2.14 Cookies & tracking technologies
The Services use the following categories of cookies and similar technologies. Specific cookies and their retention are listed in §14 (Cookie Policy).
- Essential — required for the site and dashboard to function (session, CSRF, load balancing). These cannot be disabled;
- Functional — remember your theme (cf-theme), language, and dashboard layout preferences;
- Analytics — only set with explicit consent; pseudonymised at IP level; aggregate site-usage metrics;
- Security — fraud and bot-detection, account-takeover protection.
We do not use advertising, retargeting, or third-party behavioural-tracking cookies on credible.finance. Where a Global Privacy Control (GPC) signal is detected on a request, we treat that as an opt-out for any non-essential tracking the user has not explicitly enabled. We honour browser Do-Not-Track (DNT) signals on a best-effort basis.
2.15 Children’s privacy
The Services are not directed at users under the age of 18 (or higher where local law requires). We do not knowingly collect personal data from children. If you believe a child has provided personal data to Credible, contact [email protected] and we will delete the data promptly. Where required by COPPA (US), the DPDP child-data provisions (India), or equivalent regimes, we will obtain verifiable parental consent before knowingly processing a child’s data.
2.16 Security & breach notification
We implement technical and organisational safeguards proportionate to the risk, including:
- Encryption of data in transit (TLS 1.2 or above) and at rest (AES-256 or equivalent);
- Role-based access control (RBAC) with least-privilege defaults and quarterly access reviews;
- Multi-factor authentication for all employee, contractor, and customer accounts;
- Centralised secrets management with hardware-backed key storage;
- 24/7 security monitoring, intrusion detection, and on-call incident response;
- Network segmentation between production, staging, and corporate environments;
- Independent annual penetration testing and a continuous bug-bounty programme;
- SOC 2 Type II readiness; ISO 27001 alignment;
- Comprehensive audit logging with tamper-evident storage;
- Disaster-recovery and business-continuity testing.
Breach notification. If a personal-data breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware (Article 33 GDPR). Where the breach is likely to result in a high risk, we will also communicate the breach to affected data subjects without undue delay (Article 34 GDPR). US state breach-notification statutes (e.g. NY SHIELD, California Civil Code §1798.82) are honoured in parallel.
2.17 Your rights — GDPR (EU / UK) & equivalent
Where GDPR or UK GDPR applies, you have the following rights:
- Right of access (Art. 15) — confirmation of whether we hold your data, a copy of the data, and information about how we process it;
- Right to rectification (Art. 16) — correction of inaccurate or incomplete data;
- Right to erasure / ‘right to be forgotten’ (Art. 17) — deletion, subject to legal retention obligations (see §2.11);
- Right to restriction of processing (Art. 18) — limiting how we process your data while a dispute is resolved;
- Right to data portability (Art. 20) — receiving your data in a structured, commonly-used, machine-readable format and transmitting it to another controller;
- Right to object (Art. 21) — objecting to processing based on legitimate interests or for direct marketing;
- Rights related to automated decision-making (Art. 22) — see §2.12;
- Right to withdraw consent (Art. 7) — for any processing based on consent;
- Right to lodge a complaint with a supervisory authority — see §2.20.
2.18 Your rights — CCPA / CPRA (California)
If you are a California resident, the CCPA / CPRA give you the following rights, exercisable up to twice per twelve-month period:
- Right to know — what categories and specific pieces of personal information we have collected, the sources, the business or commercial purposes, and the third parties with whom we share;
- Right to delete personal information we have collected, subject to specified exceptions;
- Right to correct inaccurate personal information;
- Right to opt out of sale or sharing of personal information — we do not sell or share personal information for cross-context behavioural advertising, so there is nothing to opt out of;
- Right to limit use and disclosure of sensitive personal information beyond what is necessary to provide the Services;
- Right to non-discrimination — we will not deny goods or services, charge different prices, or provide a different level of quality if you exercise a CCPA right;
- Right to designate an authorised agent to make a request on your behalf, subject to verification.
We will respond to verifiable consumer requests within forty-five (45) days, extendible by a further forty-five (45) days where reasonably necessary.
Shine-the-Light (California Civil Code §1798.83). California residents may request a list of personal information we have shared with third parties for those third parties’ direct-marketing purposes. We do not share personal information for third-party direct-marketing purposes.
2.19 Your rights — DPDP (India), LGPD (Brazil) & other regimes
If the Indian DPDP applies to your personal data, you have the right to:
- Obtain a summary of personal data being processed and processing activities;
- Correction, completion, updating, and erasure;
- Withdraw consent and obtain grievance redressal;
- Nominate another individual to exercise rights in case of death or incapacity.
If the Brazilian LGPD applies, you have the right to confirmation, access, correction, anonymisation, portability, deletion, information about sharing, information about the consequences of refusing consent, and revocation of consent (Articles 17–20 LGPD).
If POPIA (South Africa), PIPEDA (Canada), Privacy Act 1988 (Australia), Personal Information Protection Law (China), or other regional regimes apply, we honour the rights available under those laws on the same operational basis described in §2.20.
2.20 How to exercise your rights, and complaints
To exercise any right described in §§2.12, 2.17, 2.18, 2.19, email [email protected] with sufficient information to identify you (we may need to ask for additional information to verify your identity before actioning the request).
We will:
- Acknowledge receipt within five (5) business days;
- Respond substantively within thirty (30) days (or forty-five (45) days for CCPA / CPRA requests);
- If the request is complex or numerous, extend the response window and notify you in writing of the extension and the reason;
- Where we cannot fulfil a request (e.g. legal retention obligations conflict with erasure), explain the reasons and the rights you have to challenge the decision.
If you are not satisfied with our response, you have the right to lodge a complaint with the data-protection supervisory authority in your jurisdiction. Examples include: the UK Information Commissioner’s Office (ICO), the Irish Data Protection Commission (DPC), France’s CNIL, Germany’s BfDI, India’s DPB, Brazil’s ANPD, the California Privacy Protection Agency (CPPA), and equivalent authorities in other jurisdictions.
2.21 Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The current version is dated May 2026. Material changes — including new categories of data collected, new purposes of processing, new categories of recipients, or material reductions in user rights — will be notified by email to registered users at least fourteen (14) days before they take effect (where lawful) and posted at blog.credible.finance. Non-material changes (clarifications, typographical fixes) may be made without individual notice. The most current version always governs.
3. AML & Compliance Policy
3.1 Overview
Credible maintains a comprehensive Anti-Money Laundering (“AML”), Counter-Terrorist Financing (“CTF”), Counter-Proliferation Financing (“CPF”), and sanctions compliance program, designed to meet or exceed the standards set by:
- The US Bank Secrecy Act (BSA) and its implementing regulations administered by the Financial Crimes Enforcement Network (FinCEN);
- The Financial Action Task Force (FATF) 40 Recommendations and their guidance for virtual-asset service providers (VASPs);
- The EU Anti-Money Laundering Directive (AMLD) framework and the EU Anti-Money Laundering Regulation (AMLR);
- The UK Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017;
- OFAC, OFSI, EU, and UN sanctions regimes;
- Equivalent regimes in the jurisdictions where we, our customers, and our end-users operate.
The program is owned by Credible’s designated Money Laundering Reporting Officer (MLRO) / BSA Officer, reports to the Board of Directors, and is subject to annual independent review.
3.2 KYC & KYB
Before granting access to any Service that processes funds, Credible will perform identity and entity verification commensurate with the assessed risk. This may include:
- Identity verification (KYC). Government-ID document capture and authentication, liveness/selfie checks, address verification, sanctions and PEP screening, and adverse-media review;
- Business verification (KYB). Corporate registration verification, beneficial-ownership and control-structure analysis, director/officer identification, and business-purpose review;
- Source-of-funds (SoF) and source-of-wealth (SoW) verification for higher-risk customers and large transactions;
- Ownership verification for all natural-person beneficial owners holding 25% or more of an entity (lower thresholds may apply by jurisdiction or risk classification);
- Enhanced Due Diligence (EDD) for customers, transactions, or counterparties presenting higher money-laundering or sanctions risk, including politically-exposed persons (PEPs) and customers in higher-risk jurisdictions.
The depth and frequency of verification varies based on:
- Jurisdiction of incorporation and operations;
- Transaction volume, value, and complexity;
- Business category and product mix;
- Risk score generated by our internal models;
- Adverse-media or regulatory signal;
- Partner-bank or processor requirements.
Customers are subject to periodic re-verification, typically annually for low-risk customers and more frequently for higher-risk customers.
3.3 Transaction Monitoring
All transactions processed through the Services are subject to automated and human-reviewed monitoring designed to detect:
- Structuring or smurfing — transactions deliberately split to avoid reporting thresholds;
- Unusual or unexplained volume, velocity, geography, or counterparty patterns;
- Patterns consistent with layering or integration of illicit proceeds;
- Transactions involving sanctioned jurisdictions, persons, or entities;
- Patterns consistent with fraud, market abuse, or insider activity;
- Transactions inconsistent with the customer’s declared business activity or risk profile.
Alerts generated by our monitoring systems are triaged by trained analysts and escalated to compliance officers where appropriate.
3.4 Sanctions Screening
Every transaction and every counterparty is screened in real time against:
- The OFAC Specially Designated Nationals (SDN) and Consolidated Sanctions Lists;
- The UK Consolidated List (OFSI);
- The EU Consolidated List;
- The United Nations Consolidated List;
- Other lists relevant to the jurisdictions in which we operate.
Hits are reviewed and dispositioned in accordance with documented policies. Confirmed matches are blocked and reported to the appropriate authorities.
3.5 Reporting
Where suspicious activity is identified, Credible files Suspicious Activity Reports (SARs) with FinCEN and equivalent reports with foreign authorities as required by law. We also file:
- Currency Transaction Reports (CTRs) where applicable;
- Form 8300 reports of cash payments where applicable;
- Sanctions-blocked reports to OFAC within 10 business days;
- Reports required under EU AMLD/AMLR, UK MLR 2017, and equivalent regimes.
Customers may not be informed when a SAR or equivalent report has been filed about them, as “tipping off” is prohibited by law.
3.6 Account Restrictions
Where compliance concerns arise, Credible may, with or without notice and in our sole discretion:
- Freeze pending or future transactions;
- Suspend access to your account or specific Services;
- Delay settlements while a review is pending;
- Reject incoming or outgoing transfers;
- Require additional documentation as a condition of continued service;
- Terminate the customer relationship.
You agree that any such action is taken in good faith and that Credible shall not be liable for losses arising from compliance-driven holds, restrictions, or terminations.
3.7 Training & Governance
All Credible personnel receive AML, sanctions, and financial-crime training at hire and annually thereafter. Heightened training is delivered to compliance, operations, engineering, and customer-facing roles. Our compliance program is reviewed at least annually by an independent third party, and policies are updated to reflect evolving regulatory standards and lessons learned.
4. Acceptable Use Policy
4.1 Purpose
This Acceptable Use Policy (“AUP”) sets out the kinds of activity that are not permitted on the Credible Services. The AUP is incorporated by reference into the Terms of Service. Breach of the AUP may lead to suspension or termination of your account and, where appropriate, reporting to law enforcement or regulators.
4.2 Prohibited Activities
You may not use the Services, directly or indirectly, to:
- Operate or facilitate any illegal business in your or your end-customer’s jurisdiction;
- Commit, attempt to commit, or facilitate fraud of any kind;
- Operate or promote Ponzi schemes, pyramid schemes, multi-level marketing schemes structured as investment vehicles, or any other scheme that depends on continuous recruitment for participant returns;
- Finance terrorism, weapons of mass destruction proliferation, or other activities prohibited under counter-terrorism / counter-proliferation laws;
- Operate, support, or transact with darknet markets, illicit mixers, or anonymising services designed to obscure the origin of funds;
- Evade or facilitate evasion of sanctions imposed by OFAC, OFSI, the EU, the UN, or equivalent authorities;
- Operate or facilitate illegal gambling, illegal sports betting, or unlicensed online gaming in jurisdictions where such activity is prohibited;
- Distribute, sell, or facilitate adult content involving non-consenting persons, exploitation, or any depiction of minors;
- Distribute, sell, or facilitate any form of child sexual-abuse material;
- Distribute malware, ransomware, spyware, phishing kits, or other malicious software;
- Operate financial scams including investment fraud, romance scams, business-email-compromise schemes, and tech-support scams;
- Operate unregistered securities offerings, unauthorised collective-investment schemes, or unauthorised futures, options, or derivatives trading;
- Operate unauthorised banking, money-services, or insurance businesses;
- Manipulate market prices, engage in wash trading, spoofing, layering, or other forms of market abuse;
- Engage in deceptive or unfair commercial practices, undisclosed billing, hidden fees, or false advertising;
- Infringe the intellectual property rights of any third party.
4.3 High-Risk Businesses
Certain industries are not prohibited per se but require enhanced due diligence and may be subject to product-specific restrictions, processing limits, or additional pricing:
- Gaming, esports, and prediction markets;
- Digital-asset exchanges, wallets, and other virtual-asset service providers;
- Cross-border remittance and money-services businesses;
- Online dating and adult-services platforms (legal categories only);
- Firearms, ammunition, and weapon accessories;
- Online pharmacies and telehealth providers;
- High-volume merchants in fraud-prone verticals.
Approval for high-risk verticals is at Credible’s sole discretion and may be conditioned on enhanced documentation, periodic re-verification, or reserve requirements.
4.4 Technical Misuse
You may not:
- Probe, scan, or test the vulnerability of the Services without prior written authorisation through our responsible-disclosure program;
- Bypass, disable, or circumvent any security or authentication mechanism;
- Generate excessive traffic intended to disrupt the Services (DoS / DDoS);
- Use the Services to send unsolicited bulk communications (spam);
- Reverse engineer, decompile, or disassemble any non-open-source Credible software except to the extent expressly permitted by applicable law.
4.5 Enforcement
Credible may, in our sole discretion and with or without notice:
- Decline or reverse specific transactions;
- Suspend or terminate access to all or part of the Services;
- Report violations to law enforcement, regulators, or affected third parties;
- Cooperate with investigations as set out in Section 16.
5. Risk Disclosure
Use of the Credible Services involves risk. This section summarises the principal categories of risk you should consider before transacting. The list is not exhaustive, and you should obtain independent professional advice if you are uncertain about any risk.
5.1 Stablecoin Risks
- Depegging events — temporary or permanent loss of the peg to the reference asset, resulting in loss of value;
- Liquidity disruptions — inability to redeem, convert, or transfer at the expected rate or within the expected timeframe;
- Regulatory restrictions — issuance, transfer, holding, or redemption restrictions imposed by authorities;
- Issuer counterparty failure — insolvency, fraud, or operational failure at the stablecoin issuer;
- Reserve risk — quality, composition, or legal status of reserves backing the stablecoin;
- Freezing and blacklisting — issuer-level freezing of addresses or balances at the direction of authorities.
5.2 Blockchain & Network Risks
- Congestion — periods of high network load may delay confirmation and increase fees;
- Downtime — validator outages, fork events, or planned maintenance may interrupt service;
- Smart-contract vulnerabilities — bugs, exploits, or governance attacks affecting protocols Credible integrates with;
- Reorgs and finality — chain reorganisations may reverse transactions that appeared confirmed;
- Key compromise — loss or theft of private keys, including via phishing or device compromise.
5.3 Banking & Payment Partner Risks
- Settlement delays — payment partners may delay or reject transactions for operational, risk, or compliance reasons;
- Service restrictions — partners may restrict supported corridors, currencies, or counterparties on short notice;
- Partner insolvency — failure of a banking or processing partner may impair access to funds during the resolution period;
- De-banking risk — partners may decline to serve specific categories of customer.
5.4 FX & Market Risks
- Foreign-exchange rates move; the rate you observe at quote may differ from the rate at settlement unless explicitly locked;
- Volatile market conditions may widen spreads or trigger circuit-breakers at execution venues;
- Cross-currency settlement involves multiple legs each subject to its own market risk.
5.5 Regulatory & Legal Risks
- Digital-asset and payments regulation is evolving rapidly and varies by jurisdiction;
- New laws, regulations, interpretations, or enforcement actions may impair or prohibit specific products or transaction types;
- Court orders or regulatory directives may freeze or seize assets;
- Tax treatment of stablecoin and cross-border payments may be uncertain in your jurisdiction.
5.6 Operational & Cybersecurity Risks
- The Services depend on cloud providers, APIs, and third-party software, any of which may fail;
- Cyber-attacks may target Credible, our partners, or you directly;
- Account-takeover via phishing, SIM-swapping, or credential theft can result in unauthorised transactions.
5.7 No Advice
Nothing in the Services or on credible.finance constitutes investment, legal, tax, or accounting advice. Yield, APY, and return figures (including any “16% APY” figures published in connection with the Liquidity product) are variable, projected, and not guaranteed. Past performance does not indicate future results. You should consult your own licensed advisers before transacting.
6. Settlement & Treasury Disclosure
6.1 Settlement Timing
Settlement timing depends on the rail used and on factors outside Credible’s control. Common factors include:
- Banking cut-offs. Most fiat rails operate on a business-day, cut-off, and batch model. Transactions submitted after cut-off settle the next business day;
- Liquidity conditions. Available liquidity in the destination currency or stablecoin at the moment of execution;
- Blockchain confirmations. Number of confirmations required for finality varies by chain and by counterparty policy;
- Compliance checks. Sanctions screening, transaction monitoring, and EDD reviews may add latency;
- Third-party processing. Acquirer, network, custodian, or local-rail performance;
- Holiday calendars. Bank holidays vary by jurisdiction and may delay settlement.
T+0 settlement is a target service level, not a contractual guarantee. Specific SLAs may be agreed in writing with individual customers.
6.2 Treasury Infrastructure
The Credible treasury infrastructure orchestrates funds across multiple custody and rail providers. This involves:
- Stablecoin conversions executed via licensed exchanges, market-makers, and on-chain venues;
- Pre-funding of liquidity pools to enable instant settlement before underlying rails clear;
- Third-party banking providers for fiat custody and rail access;
- Multi-chain custody integration including non-custodial vault contracts on Solana, Polygon, and Ethereum;
- Programmatic sweeps and re-balancing intended to minimise idle balances;
- Hedging arrangements for treasury and customer FX exposure.
6.3 Float & Pre-Funding
Where Credible advances funds to enable instant settlement to a merchant or receiver before the underlying rail clears, the advance is financed by Credible’s liquidity pools and the corresponding receivable is held against the inbound rail. You should be aware that:
- Pre-funded settlement creates a credit exposure that Credible underwrites and prices;
- Reserves and exposure limits may apply to individual customers;
- Liquidity-pool yield is variable and dependent on real payment volume.
7. FX & Pricing Disclosure
7.1 FX Rates
Foreign-exchange rates quoted by Credible may differ from public benchmark or mid-market rates due to:
- Liquidity conditions in the relevant currency pair at the moment of execution;
- Market volatility, which widens dealer spreads;
- Banking and rail costs embedded in the rate by upstream providers;
- Stablecoin premiums or discounts versus the underlying fiat;
- Risk margin reflecting settlement timing, counterparty, or jurisdictional risk;
- Quote staleness — quotes are valid for a limited period and may expire before execution.
Where a rate is described as “mid-market”, it is sourced from a public reference feed available at the time of quotation and used for informational comparison only.
7.2 Fees
Fees applicable to your use of the Services may include:
- Transaction fees — per-transaction or volume-tiered processing fees;
- FX spreads — the difference between the rate quoted to you and the rate at which Credible sources liquidity;
- Banking fees — wire fees, ACH return fees, SEPA non-EUR fees, intermediary-bank fees, and similar pass-through charges;
- Network fees — blockchain gas and protocol fees;
- Stablecoin conversion fees — mint, burn, or redemption fees imposed by issuers;
- Chargeback and dispute fees imposed by card networks and acquirers;
- Compliance pass-through fees — KYC / KYB / sanctions screening costs for high-risk transactions where applicable;
- Reserve requirements — withheld balances required to cover chargeback or settlement risk.
The fees applicable to your account are set out in your Order Form or in the Credible dashboard. Fees may be updated from time to time on reasonable notice.
8. Custody & Funds Disclaimer
Credible is not a bank, broker-dealer, investment adviser, insurance company, or licensed custodian.
Depending on the Service used:
- Fiat balances are held by regulated partner banks and licensed payment processors under their own banking licences. Where applicable, end-customer fiat may be eligible for FDIC pass-through insurance subject to the partner bank’s terms — Credible itself is not a bank and is not FDIC-insured;
- Stablecoin balances are held in non-custodial vault contracts on supported public blockchains. Smart contracts are audited and addresses are publicly verifiable on-chain;
- Custodial digital-asset balances, where used, are held by qualified third-party custodians under those custodians’ own licences and terms;
- Settlement is processed by Credible’s orchestration software and executed by regulated rails (ACH, SEPA, Faster Payments, UPI, Pix, AANI, NIBSS, etc.) or by public blockchains.
Credible acts solely as a technology and orchestration provider. Credible does not take legal title to customer funds. Where balances appear in the Credible dashboard, they represent claims against (or balances held by) the relevant regulated partner or smart contract, not deposits with Credible.
Banking and custody arrangements may change as Credible expands its partner network or as partners modify their service terms. The specific partners providing custody for your balances are identified in your dashboard and partner agreements.
9. Licensing & Regulatory Disclosure
9.1 Operating Entity
Credible Finance is operated by Kiwimoney Inc, a Delaware corporation registered with the Financial Crimes Enforcement Network (FinCEN) as a Money Services Business — MSB Registration Number 31000324258161. See /licenses for the current registration details.
9.2 Partner-Provided Services
Certain Services or product features are provided through licensed third-party partners. These may include:
- Licensed banks providing deposit-taking, account, and rail-access services;
- Licensed payment institutions providing acquiring, issuing, and payout services;
- Non-Bank Financial Companies (NBFCs) providing lending and balance-sheet services in specific jurisdictions;
- Card-network programs managed by sponsor banks;
- Virtual-Asset Service Providers (VASPs) and qualified digital-asset custodians providing on/off-ramp and custody services;
- Money-transmitter-licensed entities in jurisdictions where direct licensure is required.
The specific partner providing a Service to you, and any partner-imposed terms, are identified in your dashboard and partner agreements.
9.3 Jurisdictional Availability
Service availability varies by jurisdiction. Credible operates in line with its registered, licensed, and partner footprint. We are actively pursuing additional registrations and licences in line with the published roadmap at /about, including Canadian RPAA, MPI (Singapore), MSO (Hong Kong), US state Money-Transmitter Licences (MTLs), and EU/UK payments licences.
9.4 No Advice
Nothing on the credible.finance website, in the Services, or in any communication from Credible constitutes legal, regulatory, tax, accounting, or investment advice. You should obtain independent professional advice tailored to your circumstances.
10. Geographic Restrictions
The Services are not available everywhere. Availability depends on Credible’s registration and licence footprint, partner-imposed restrictions, and applicable sanctions.
10.1 Comprehensively Sanctioned Jurisdictions
The Services are not available to residents of, persons organised in, or transactions involving:
- Cuba;
- Iran;
- The Democratic People’s Republic of Korea (North Korea);
- Syria;
- The Crimea, Donetsk, and Luhansk regions of Ukraine.
10.2 Product-Specific Restrictions
- The Liquidity product (stablecoin pools with variable APY) is not offered to US persons pending further regulatory clarity. US-person status is determined at KYC;
- The Creddy consumer product is rolled out market-by-market and may not be available in your jurisdiction;
- The Global Collection Account product has rail-specific eligibility (e.g. US ACH requires a US bank-account relationship).
10.3 Higher-Risk Jurisdictions
Customers and transactions in jurisdictions identified as higher-risk by FATF, the EU, the UK, or our partner banks may require enhanced due diligence, additional documentation, lower limits, or longer settlement times.
10.4 Updates
The geographic-restriction list is updated as sanctions, regulatory posture, and partner-bank policies evolve. Eligibility is verified at onboarding and re-evaluated on a per-transaction basis.
11. API Terms
11.1 API Access
Access to the Credible APIs is subject to:
- Authentication — API keys, OAuth tokens, or signed requests as documented in the developer documentation;
- Rate limits — per-second, per-minute, per-day, and per-account rate limits that may be adjusted with notice;
- Usage policies — published in the developer documentation and updated periodically;
- Compliance reviews — production API access requires completed KYB and may be subject to additional review based on product, geography, and volume.
11.2 Use of API Data
- API responses may not be cached, redistributed, or resold beyond what is reasonably necessary to operate your application;
- End-user personal data obtained through the APIs is subject to your obligations as a data controller (or as a joint controller / processor with Credible, as applicable);
- Webhooks and event streams must be implemented with idempotency and signature verification;
- You must promptly process “account closure” and “data deletion” events.
11.3 Restrictions
You may not:
- Abuse, overwhelm, or attempt to disrupt the APIs;
- Reverse engineer, decompile, or otherwise attempt to extract Credible source code or model weights from the API responses;
- Circumvent rate limits, authentication, or security controls;
- Use the APIs to scrape competitive intelligence or to train models intended to compete directly with Credible;
- Use the APIs to provide a wrapped or white-label competing service without an executed reseller agreement.
11.4 Versioning & Deprecation
We will provide reasonable advance notice of breaking changes to stable API versions, typically a minimum of 90 days. Beta and preview endpoints may change without notice. The current deprecation schedule is published in the developer documentation.
11.5 Support
Standard developer support is provided via the developer documentation, community channels, and email. Enhanced support tiers may be available under a separate Order Form.
12. SLA & Service Terms
12.1 Service Levels
Credible aims to maintain commercially reasonable uptime, latency, and support standards across the Services. Specific service-level commitments are set out in individual Order Forms or in a separate SLA executed with a customer. In the absence of a written commitment, no contractual service level applies.
12.2 Excluded Events
Service availability metrics exclude:
- Planned maintenance windows announced in advance;
- Emergency maintenance required to mitigate a security or stability incident;
- Failures of third-party banking, processing, custody, or blockchain infrastructure;
- Failures of the customer’s own infrastructure, networks, or software;
- Force-majeure events including acts of God, war, civil unrest, cyber-attack, and internet outage;
- Compliance-driven holds, sanctions blocks, and court-ordered freezes.
12.3 Support
Support channels and response targets vary by tier and are documented in your Order Form. Common channels include email, the developer help-desk, dashboard chat, and (for enterprise customers) a dedicated technical-account-manager (TAM).
12.4 Service Credits
Where an executed SLA provides for service credits, credits are calculated and issued in accordance with that SLA. Service credits are the customer’s sole and exclusive remedy for any failure to meet a service-level commitment.
13. Security Policy
13.1 Credible’s Security Measures
Credible maintains technical and organisational security measures proportionate to the sensitivity of the data and risk of the operations involved, including:
- Encryption of data in transit (TLS 1.2 or above) and at rest (AES-256 or equivalent);
- Network segmentation between production, staging, and corporate environments;
- Role-based access control (RBAC) with least-privilege defaults and quarterly access reviews;
- Multi-factor authentication (MFA) for all employee, contractor, and customer accounts;
- Centralised secrets management with hardware-backed key storage;
- Continuous vulnerability scanning, dependency auditing, and patch management;
- Independent annual penetration testing and an ongoing bug-bounty program;
- 24/7 security monitoring, intrusion detection, and on-call incident response;
- Comprehensive audit logging with tamper-evident storage;
- Disaster-recovery and business-continuity testing;
- Security training for all personnel at hire and annually thereafter.
13.2 Incident Response
Credible operates a documented incident-response process aligned with industry standards. Material security incidents affecting customer data will be notified to affected customers without undue delay and consistent with applicable breach-notification laws (typically within 72 hours of confirmation, where required by GDPR).
13.3 Customer Responsibilities
You are responsible for:
- Maintaining the confidentiality and security of your account credentials, API keys, and private keys;
- Enabling and enforcing MFA on your account;
- Reviewing your access logs and reporting suspicious activity promptly;
- Implementing appropriate security controls on systems that integrate with Credible;
- Promptly applying security updates to your own applications and infrastructure.
13.4 Responsible Disclosure
Security researchers are encouraged to report vulnerabilities under our responsible-disclosure program at [email protected]. Do not test the Services without prior written authorisation.
15. Compliance Center Disclosure
Credible maintains an internal Compliance Center responsible for the design, operation, and oversight of:
- The AML, CTF, CPF, and sanctions compliance program described in Section 3;
- Fraud prevention, including device intelligence, behaviour analytics, and chargeback management;
- Transaction monitoring, alerting, and case management;
- Sanctions screening and watch-list management;
- Risk management, including customer-risk scoring, product-risk reviews, and partner-risk due diligence;
- Regulatory reporting (SARs, CTRs, OFAC blocks, FBAR, etc.);
- Internal training, policy management, and periodic independent review.
Compliance standards evolve continuously in response to regulatory change, partner requirements, and lessons learned from operations. Policies are reviewed and updated at least annually and on an ad-hoc basis where material change is required.
The Compliance Center is led by the designated MLRO / BSA Officer, reports to the Board of Directors, and operates independently of commercial functions. Compliance enquiries: [email protected].
16. Law Enforcement Requests
16.1 Cooperation
Credible cooperates with lawful requests from authorities, including:
- Courts of competent jurisdiction;
- Financial regulators including FinCEN, the SEC, the CFTC, state regulators, the FCA, ESMA, and equivalent foreign authorities;
- Law enforcement agencies including the FBI, IRS-CI, HSI, and equivalent foreign agencies;
- Tax authorities including the IRS and equivalent foreign tax authorities;
- Sanctions and export-control authorities including OFAC and OFSI.
16.2 Form of Request
We require lawful process for the disclosure of customer information, including (as appropriate):
- A duly authorised subpoena, court order, search warrant, or letter rogatory;
- For US authorities, requests served in compliance with the Stored Communications Act and equivalent statutes;
- For foreign authorities, requests routed through Mutual Legal Assistance Treaty (MLAT) channels or other lawful frameworks;
- Emergency disclosures pursuant to applicable emergency-disclosure statutes where there is a good-faith belief that life, safety, or property is at immediate risk.
16.3 Scope of Cooperation
Cooperation may include:
- Disclosure of customer account information, transaction records, and KYC/KYB documentation;
- Freezing or holding funds or transactions pending court order or regulatory direction;
- Filing compliance reports including SARs, CTRs, and OFAC blocks;
- Preserving records pending the issuance of legal process.
16.4 Notice to Customer
Where permitted by law, we may notify affected customers of legal process directed at their account. We may be prohibited from providing notice in the case of grand-jury subpoenas, gag orders, non-disclosure orders, certain regulatory or counter-terrorism-financing requests, or where notice would otherwise prejudice the investigation.
16.5 Contact
Law-enforcement requests should be directed to [email protected] and addressed to the Legal & Compliance team, Kiwimoney Inc, 1007 N Orange St, 4th Fl 1838, Wilmington, DE 19801, USA.
17. Intellectual Property Policy
17.1 Ownership
All content, trademarks, software, APIs, documentation, branding, logos, designs, illustrations, copy, audio, video, and other materials made available through credible.finance and the Services are owned by Kiwimoney Inc or its licensors and are protected by copyright, trademark, trade-secret, and other intellectual-property laws.
“Credible”, “Creddy”, and the Credible logo are trademarks of Kiwimoney Inc. All other trademarks referenced on the site (Visa, Mastercard, USDC, USDT, Solana, Polygon, Stellar, etc.) are the property of their respective owners and are used for identification purposes only.
17.2 Limited Licence
Subject to your continued compliance with these Terms, Credible grants you a limited, non-exclusive, non-transferable, revocable licence to:
- Access and use the Services for your internal business purposes;
- Use the Credible APIs and SDKs to build and operate applications that integrate with the Services;
- Use Credible-provided marks and assets in accordance with our trademark and brand guidelines.
17.3 Open Source
Where Credible publishes software under an open-source licence (e.g. our SDKs and code samples published at docs.credible.finance), use of that software is governed by the applicable open-source licence and not by this section.
17.4 Restrictions
You may not:
- Copy, reproduce, modify, distribute, publish, or create derivative works of any Credible-owned material except as expressly permitted;
- Remove or alter any proprietary notices;
- Use Credible trademarks in a manner that suggests sponsorship, endorsement, or partnership where none exists;
- Register domain names, social-media handles, or trademarks confusingly similar to Credible marks.
17.5 Infringement Notices
Notices of alleged infringement of Credible’s intellectual-property rights, or notices under the US Digital Millennium Copyright Act (DMCA) addressed to Credible, should be sent to [email protected].
18. Contact Information
For legal, compliance, privacy, or general enquiries:
- Legal: [email protected]
- Compliance: [email protected]
- Privacy / Data Protection: [email protected]
- Data Protection Officer: [email protected]
- Security: [email protected]
- General: [email protected]
Website: https://credible.finance
X / Twitter: https://x.com/crediblefin
Registered address: Kiwimoney Inc, 1007 N Orange St, 4th Fl 1838, Wilmington, DE 19801, USA.