Privacy Policy

Last updated: April 2026

1. Introduction

SM89 ehf operates Credarlo and is committed to protecting your personal data in accordance with GDPR and Icelandic data protection law.

2. Data We Collect

  • Name, email address, date of birth
  • Address, city, postcode, country
  • Loan details and repayment history
  • Device and usage data
  • IP address and browser information

3. How We Use Your Data

  • To provide the Credarlo service
  • To process loan agreements
  • To send payment reminders and notifications
  • To comply with legal obligations
  • To prevent fraud and money laundering

4. Data Sharing

  • We share data with Supabase (database hosting)
  • We share data with Stripe (payment processing)
  • We share data with Resend (email delivery)
  • We may share data with licensed debt collection agencies in the event of loan default
  • We never sell your data to third parties

5. Data Retention

  • Account data is retained for 7 years after account closure for legal compliance
  • Loan agreements are retained for 10 years
  • You may request deletion of your data subject to legal retention requirements

6. Your Rights (GDPR)

  • Right to access your data
  • Right to correct inaccurate data
  • Right to delete your data
  • Right to data portability
  • Right to object to processing
  • Contact privacy@credarlo.com to exercise your rights

7. Cookies

  • We use essential cookies for authentication
  • We use analytics cookies to improve the service
  • You can control cookies through your browser settings

8. Security

  • All data is encrypted in transit and at rest
  • We use bank-grade security through Supabase
  • We conduct regular security reviews

9. Contact

For privacy questions, contact privacy@credarlo.com. Data Controller: SM89 ehf, Reykjavík, Iceland.