Privacy Policy
Last updated: May 12, 2026
This Privacy Policy describes how Florida Hitech Services Inc ("we", "us", "our", or "Credit4Ever") collects, uses, stores, shares, retains, and protects information when you use our multi-tenant SaaS platform available at credit4ever.com (the "Service").
By using the Service you agree to the practices described in this policy. If you do not agree, please do not use the Service.
1. Who we are
Florida Hitech Services Inc is a company registered in the State of Florida, USA. We operate Credit4Ever, a multi-tenant SaaS platform for consulting and professional service companies that enables management of clients, contracts, billing, appointments, and documents.
- Data controller: Florida Hitech Services Inc
- Address: 8711 SW 97th Ave, Miami, FL 33173, USA
- Contact email: support@credit4ever.com
- Website: credit4ever.com
2. Information we collect
2.1 Information you provide directly
- Account data: first name, last name, email, password (stored as a secure hash, never in plain text), role within your organization.
- Organization (tenant) data: legal name, address, phone, EIN, state registration number, logo, website, contact email.
- End-client data: data you, as a Service user, enter about your own clients (name, email, phone, address, documents, contracts, invoices, notes, appointments). You act as the data controller of this data; we act as the data processor.
- Documents and files: documents uploaded by you or your clients (IDs, proof of address, credit reports, signed contracts). Stored in private buckets with encryption at rest (AES-256-GCM for sensitive document content).
- Payment information: card data is never stored on our servers; it is processed exclusively by our PCI DSS Level 1 certified payment processor. We retain internal customer and subscription identifiers only.
2.2 Information collected automatically
- Session and audit data: IP address, user agent, login method, date/time, and approximate IP-based geolocation (country, region, city). Used solely for security and audit purposes. Retention: 90 days.
- Operational logs: application errors and aggregated usage metrics.
- Strictly necessary cookies: used to keep your authenticated session and to protect against CSRF during the Google OAuth flow. We do not use advertising or third-party tracking cookies.
2.3 Information from Google services (OAuth)
If you connect your Google Calendar account to the Service, we access the information described in Section "4. Use of Google API Services and Google User Data" below.
3. How we use information
We use the information we collect to:
- Provide, operate, and maintain the Service.
- Create and manage your account and your organization's workspace.
- Process payments (Service subscriptions and charges to your end-clients) through a PCI DSS Level 1 certified payment processor.
- Send transactional emails (account confirmations, appointment reminders, contracts, invoices, password resets).
- Enable integration with Google Calendar to create, update, and synchronize events related to appointments booked through the Service.
- Process credit reports through automated processing to extract structured information when you upload a PDF. This data is not used to train AI/ML models.
- Detect abuse, fraud, and protect the security of the Service.
- Comply with applicable legal obligations.
4. Use of Google API Services and Google User Data
This section discloses, in accordance with the Google API Services User Data Policy (including the Limited Use requirements), how Credit4Ever accesses, uses, stores, shares, retains, and protects Google user data.
4.1 Data accessed
When a user voluntarily connects their Google account to Credit4Ever, we request and access the following Google user data through the following OAuth 2.0 scopes:
- https://www.googleapis.com/auth/calendar.events — read/write access to calendar events. We use this scope to create, update, and delete calendar events that the Service itself generates when an end-client books, reschedules, or cancels an appointment, including any associated Google Meet video conference link.
- https://www.googleapis.com/auth/calendar.freebusy — read-only access to free/busy time ranges. We use this scope to query the user's availability (busy blocks only, with no event content, titles, attendees, or descriptions exposed to us) so we can compute available appointment slots and avoid double-booking.
- openid, email, and profile — basic profile information (the Google account email and name) used solely to identify which Google account is connected and to show it back to the user in the Service settings.
We do not request, access, or read full calendar event content (titles, descriptions, attendees, locations) from events that the Service itself did not create.
4.2 Data usage
Google user data is used only for the following purposes, all of which are user-facing features the user explicitly opts into:
- Creating calendar events for appointments: when an end-client books an appointment with a Service user, we create a calendar event on the user's Google Calendar with the appointment details (start/end time, end-client name and email as attendee, internal appointment notes if any), and optionally generate a Google Meet link if the appointment type is configured to do so.
- Updating and deleting events: if the appointment is rescheduled, cancelled, or modified inside the Service, we update or delete the corresponding Google Calendar event accordingly. We only ever touch events we created.
- Computing availability: when an end-client visits the public booking page, we call the free/busy API for the assigned Service user to subtract their existing busy blocks from the configured working hours, so we only show truly available appointment slots.
- Identifying the connected account: we display the Google account email back to the user in /settings/availability so they can confirm which account is currently linked and disconnect it if needed.
Affirmative statements (Limited Use):
- We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
- We do not use Google user data to develop, improve, or train generalized AI and/or ML models. Google user data is never sent to any AI or ML provider for any purpose.
- We do not sell Google user data.
- We do not allow humans to read Google user data, except: (a) with the user's explicit consent for specific data points, (b) when necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) when data is aggregated and anonymized and used solely for internal operations.
4.3 Data sharing
We do not sell, rent, or share Google user data with third parties for their own purposes. Google user data is shared only with the following categories of sub-processors, strictly to operate the Service and only as much as necessary:
- Hosting and database infrastructure (Supabase / Vercel, USA): encrypted Google OAuth tokens and calendar event metadata (event ID, start/end, appointment ID linkage) are stored in our database, which is hosted with these providers under signed Data Processing Agreements. They have no logical access to decrypt tokens because token decryption happens only inside our application using a key held outside the database.
We may also disclose Google user data when required by law, valid legal process, court order, or to protect the rights, property, or safety of Credit4Ever, our users, or others — and only to the minimum extent legally required.
4.4 Data storage and protection
- Tokens at rest: Google OAuth access tokens and refresh tokens are encrypted at the application layer using AES-256-GCM before being written to the database. The encryption key is stored as an environment variable on our hosting provider and is never written to the database alongside the encrypted tokens.
- Tokens in transit: all communication with Google APIs and between our application and the database uses TLS 1.2 or higher.
- Database isolation: Google connection records are isolated per tenant and per user via row-level security policies, so users can only ever access their own Google connection rows.
- Access controls: only the user who connected their Google account can trigger calls that use those tokens from within the Service.
- Audit: we maintain internal logs of token refresh events and calendar API calls for security monitoring; these logs do not contain calendar content.
4.5 Data retention and deletion
- While the connection is active: Google OAuth tokens are retained as long as the user keeps the Google Calendar integration connected. Tokens are automatically refreshed using the refresh token as needed.
- User-initiated disconnect: users can revoke our access at any time from Settings → Availability → Calendar → Disconnect inside the Service. When they do, we (a) call Google's oauth2.revoke endpoint with the access token to revoke our credentials on Google's side, and (b) delete the local database row that contained the encrypted tokens and the calendar/email metadata.
- Direct revocation from Google: users can also revoke our access at any time directly from https://myaccount.google.com/permissions. When this happens, our subsequent attempts to call Google APIs will fail; we detect this and mark the connection as revoked in our database.
- Account deletion: if you delete your Credit4Ever account, all Google OAuth tokens associated with your account are revoked and deleted within 30 days as part of the account deletion process.
- Request deletion directly: you can email us at support@credit4ever.com at any time to request immediate deletion of all Google user data associated with your account. We will action the request within 30 days and confirm by email.
4.6 Google's Limited Use compliance statement
Credit4Ever's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
5. Who we share information with (Sub-processors)
We do not sell your personal data. We share information only with the service providers strictly necessary to operate the Service, grouped into the following categories:
- Hosting and database infrastructure (storage, authentication, files) — data in the USA.
- Payment processing (subscriptions and charges) — PCI DSS Level 1 certified provider, data in the USA.
- Transactional email delivery — data in the USA.
- Automated document processing (structured information extraction from credit report PDFs) — data in the USA. The data submitted is not used to train models.
- External calendar integration (only when the user voluntarily connects their account) — Google LLC, data in the USA.
- Error monitoring and security telemetry — data in the USA, with PII scrubbed before transmission.
We may also share information when required by law, court order, or to protect the rights, property, or safety of Credit4Ever, our users, or others.
6. Storage and security
- Encryption in transit via TLS 1.2+ on all connections.
- Encryption at rest at the disk level in our hosting infrastructure.
- Google OAuth tokens encrypted at the application layer with AES-256-GCM.
- Sensitive identity documents (e.g. IDs, SSN snippets, proof of address) encrypted at the application layer with AES-256-GCM before upload to private storage.
- Strict multi-tenant isolation at the database level: no organization can access another organization's data.
- Sensitive documents stored in private storage with short-lived signed URLs and per-access audit logging.
- We never store full payment card data: everything is delegated to a PCI DSS Level 1 certified payment processor.
- Login audit including IP, user agent, and approximate geolocation.
- Multi-factor authentication (TOTP) available for all staff accounts.
7. Data retention and deletion
- Account data and content: retained while your account is active.
- Login logs: 90 days.
- Read notifications: 30 days (automatic purge).
- Unread notifications: 90 days (automatic purge).
- Document access logs: 365 days.
- AI usage logs: 365 days.
- Google OAuth tokens: deleted when the user disconnects or when the account is deleted (see Section 4.5).
- After account cancellation: data is deleted or anonymized within 30 days, except where the law requires longer retention (e.g., financial and tax records).
To request immediate deletion of your account and associated data, write to us at support@credit4ever.com.
8. Your rights
Depending on your jurisdiction (USA, EU, UK, others), you may have the right to:
- Access your personal data.
- Rectify inaccurate data.
- Request deletion ("right to be forgotten").
- Request portability of your data in a structured format.
- Object to or restrict certain processing.
- Withdraw consent previously given (e.g., disconnect Google Calendar).
- File a complaint with your competent data protection authority.
To exercise any of these rights, contact support@credit4ever.com. We will respond within 30 days.
9. International transfers
The Service is operated from the USA. If you access it from outside the USA, understand that your data will be transferred, stored, and processed in the USA by us and our sub-processors.
10. Minors
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors. If you become aware that a minor has provided us with information, please contact us so we can delete it.
11. Cookies
We use only strictly necessary cookies to keep the authenticated user session and to protect against CSRF during the Google OAuth flow. We do not use marketing, third-party analytics, or advertising cookies.
12. Changes to this policy
We may update this policy periodically. When we do, we will update the "Last updated" date at the top and, if the changes are material, we will notify you by email or through a prominent notice in the Service.
13. Contact
For any questions about this Privacy Policy or about the processing of your personal data:
- Email: support@credit4ever.com
- Company: Florida Hitech Services Inc
- Address: 8711 SW 97th Ave, Miami, FL 33173, USA
- Website: credit4ever.com