Credentials AI by Erosium

Privacy Policy

Version 1.0 · Effective date: 10 July 2026 · Last updated: 10 July 2026

Operator: Beastly Tech GC Pty Ltd (ABN 52 699 330 553), trading as Erosium. For privacy questions, requests or complaints, email privacy@erosium.ai. For general support, email support@erosium.ai.

1. Who we are and what this policy covers

Credentials AI is operated by Beastly Tech GC Pty Ltd (ABN 52 699 330 553), trading as Erosium (we, us or our).

This policy covers Credentials AI and its connected services, including the SchemaPage / AI Profile builder, public business profiles, TrustBadge verification, visitor and lead tracking, quote requests, customer accounts and dashboards, subscriptions, and support.

It explains how we handle personal information about:

  • people who create, claim or manage a business profile;
  • visitors to Credentials AI and public business profiles;
  • people who call, email or submit a quote request through a profile;
  • people who provide verification material or contact support.

2. Information we collect

The information we collect depends on how you use Credentials AI.

Business profile and account information

We may collect:

  • your name, email address, login and authentication records;
  • business name, ABN, business type, description, services and service areas;
  • business address or suburb, phone number, public contact email and website;
  • Google Business Profile and social-media links;
  • FAQs, logos, images and other profile content;
  • the email address of the person who creates or claims a profile;
  • profile ownership, plan, subscription and account status.

The business details selected for a public profile are intended to be public. Account credentials, payment identifiers, private lead details and protected verification evidence are not intended to appear publicly unless we clearly say otherwise or you choose to publish them.

Visitor, device and attribution information

When someone visits or interacts with a Credentials AI profile, we may collect:

  • a randomly generated profile-session identifier stored in browser local storage;
  • profile views and interactions, including call, email, booking, badge and quote-form events;
  • source, medium and campaign information, including UTM parameters;
  • referring page, landing path and basic device class, such as mobile or desktop;
  • browser or request information needed for security, diagnostics and operation;
  • a one-way hash of an IP address when the free profile builder applies its creation limit. We do not store the raw IP address in that rate-limit record.

We do not use third-party advertising cookies. We use essential authentication cookies and limited first-party storage needed to operate accounts, remember profile sessions, measure profile interactions and protect the service.

Quote requests and enquiries

If you request a quote or send an enquiry through a business profile, we may collect:

  • your name;
  • phone number and email address;
  • suburb;
  • service needed;
  • your message;
  • the profile you contacted;
  • source, referrer, landing path and device information associated with the enquiry.

Verification information

If a business seeks verification, we may collect:

  • ABN, licence, registration, insurance or certificate details;
  • reference numbers;
  • uploaded PDFs or images;
  • verification status, review notes, confidence information and timestamps;
  • results from official or public sources, such as the Australian Business Register.

Verification material may contain personal information. Only provide evidence you are authorised to provide and redact unrelated information where possible.

The verification status or outcome, the scope of the check and the date checked may be displayed publicly on the business profile or a linked verification page. The underlying evidence you upload is not intended to be public unless we clearly tell you otherwise and you authorise that disclosure.

Payments and subscriptions

When you buy a paid plan, we may collect or receive:

  • billing contact and payment email;
  • Stripe customer, checkout and subscription identifiers;
  • plan, amount, payment status, renewal and cancellation information;
  • records needed for accounting, refunds, disputes and fraud prevention.

Stripe processes card and bank-payment details. We generally do not receive or store your full card number.

Support, complaints and communications

We collect information you provide when you contact us, ask for help, request a correction or deletion, challenge a verification result, make a complaint, or otherwise communicate with us.

Sensitive information and children

Credentials AI is not designed to collect unnecessary sensitive information. Do not include health information, government identifiers, criminal-history information or other sensitive material unless we specifically request it for a legitimate verification or support purpose. Where possible, redact unrelated details before uploading evidence.

Credentials AI is intended for business use by adults. We do not knowingly target or create accounts for children. A person under 18 should not submit personal information or a quote request without the involvement of a parent or guardian. If you believe a child has provided information to us, contact us so we can review and, where appropriate, remove it.

3. How we collect information

We collect information:

  • directly from you when you use a form, create or claim a profile, upload evidence, pay for a plan or contact us;
  • automatically when a browser visits or interacts with the service;
  • from the business profile a visitor chooses to contact;
  • from payment, email, hosting, database and authentication providers used to operate the service;
  • from public and official sources used for verification, including business and licensing registers;
  • from an authorised representative of a business.

If you provide personal information about someone else, you must be authorised to do so and should tell them how the information will be used where appropriate.

4. Why we use information

We use personal information to:

  • create, host, display and maintain business profiles;
  • place eligible active profiles in our sitemap and make them machine-readable;
  • create and secure accounts, authenticate users and manage ownership;
  • provide dashboards, subscriptions, support and founder-assisted service;
  • receive, store, attribute and deliver quote requests and enquiries;
  • measure profile views and interactions and show businesses how enquiries reached them;
  • review credentials, check public registers and display verification outcomes;
  • process payments, renewals, cancellations and refunds;
  • send service, security, billing, lead and account communications;
  • apply builder limits, prevent abuse and investigate fraud or security incidents;
  • maintain, diagnose and improve the service;
  • meet legal, tax, accounting and regulatory obligations;
  • establish, exercise or defend legal claims;
  • send marketing only where we have consent or another lawful basis, with an unsubscribe option.

Depending on the context, we handle information because it is needed to provide a requested service, you have consented, it supports reasonable business and security operations, or the law requires or permits it.

5. Public profiles, indexing and third-party copies

Information selected for a public business profile is published at a public URL. Eligible active profiles may be included in our sitemap and may be crawled, indexed, cached, quoted or otherwise processed by search engines, AI systems, internet archives and other third parties.

Those third parties operate independently and may retain copies after information is changed or removed from Credentials AI. We can update or unpublish information under our control, but we cannot guarantee that a third party will immediately update or delete its own copy.

Only submit profile information you are authorised and comfortable to make public. Contact us if a public profile contains inaccurate, unauthorised or unsafe personal information.

Credentials AI makes business information easier for machines to understand. We do not guarantee indexing, ranking, recommendation, leads or sales.

A public verification result is a limited, dated statement about the specific evidence or source identified. It is not a general endorsement or guarantee of a business, its work, safety, honesty, solvency, insurance or licensing unless that specific matter is expressly stated as checked.

6. Quote requests and disclosure to businesses

When you submit a quote request through a business profile, you are asking to be contacted by that business. We store the request and disclose its contents, together with relevant attribution information, to the selected business or its authorised representative so they can respond.

We may also send an email notification containing the request through our email provider. Credentials AI may retain the enquiry in its lead dashboard and operational records.

The profiled business is responsible for how it handles the enquiry after receiving it. Its own privacy practices may also apply. Submitting a service enquiry does not by itself authorise Credentials AI or the business to send unrelated marketing.

We do not sell contact lists or disclose quote-request details to unrelated businesses or data brokers. The disclosure to the selected business is part of delivering the enquiry you requested.

7. Who we disclose information to

We may disclose personal information to:

  • the business or authorised representative selected by a quote-request sender;
  • Supabase, for database, authentication, API and file-storage services;
  • Railway, for application hosting and deployment infrastructure;
  • Stripe, for checkout, payments, subscriptions, refunds and fraud controls;
  • Resend, for transactional, account, founder and lead-notification email;
  • domain, DNS, security and internet infrastructure providers used to operate the sites;
  • official or public registers used to check submitted business credentials;
  • professional advisers, insurers, auditors or regulators where reasonably necessary;
  • law-enforcement bodies, courts or other parties where required or permitted by law;
  • a buyer or successor if our business or assets are restructured or transferred, subject to appropriate confidentiality and notice where required;
  • another party where you direct us or consent.

These providers handle information under their own terms, privacy commitments and security controls. We limit disclosures to what is reasonably needed for the relevant purpose.

Credentials AI does not currently send profile, lead or verification information to an AI model provider to generate content. If that changes materially, we will update this policy and the relevant collection notice before using personal information in that way.

8. Overseas processing

Some service providers and their subprocessors operate outside Australia. Information may therefore be stored in or accessed from Australia, the United States and other countries in which those providers or their subprocessors operate.

For example, our current Railway application runtime is deployed in a United States region. Provider locations and infrastructure can change, and we do not claim that all information remains in Australia.

Where required, we take reasonable steps to select reputable providers and use contractual, account and technical controls appropriate to the service. Privacy and legal protections in another country may differ from those in Australia.

9. Storage, security and data breaches

We use reasonable technical and organisational safeguards designed to protect information from loss, misuse, interference and unauthorised access, modification or disclosure. Measures include access controls, private service-role database rules for lead and tracking records, encrypted network connections, account authentication and restricted administrative access.

No internet service or storage system is completely secure. You are responsible for protecting your login credentials and for promptly telling us about suspected unauthorised access.

If we become aware of a privacy or security incident, we will investigate, contain and remediate it. Where a notification obligation applies, we will notify affected people and relevant regulators as required.

10. How long we keep information

We keep personal information only for as long as reasonably needed for the purposes described in this policy, including service delivery, security, dispute handling, legal claims, and tax, accounting or regulatory obligations. The periods below are our current operational targets and may be shortened when information is no longer needed. A legal hold, security or fraud investigation, unresolved complaint, or legal requirement may justify longer retention.

In general:

  • public profile and account information is generally kept while active and for up to 90 days after closure or unpublishing;
  • quote requests and direct lead details are generally kept for up to 24 months from the latest lead activity;
  • profile views, click events, session and attribution records are generally kept for up to 13 months before deletion, de-identification or aggregation;
  • hashed-IP profile-creation limit records are generally kept for up to 30 days;
  • verification evidence is generally kept while the verification is current and for up to 12 months after expiry, revocation, rejection or account closure. A verification outcome and audit record may be kept for up to seven years where reasonably needed to substantiate a public claim, complaint history or legal defence;
  • billing, refund and transaction records are generally kept for seven years or the period required by tax, accounting and other laws;
  • routine support, complaint and privacy-request records are generally kept for up to 24 months after resolution, or longer where material to a dispute, regulator matter or legal claim;
  • authentication and security logs are generally kept for up to 12 months, subject to provider settings and active incident or legal holds;
  • minimal suppression records may be retained for as long as reasonably needed to honour and evidence a marketing opt-out;
  • backups may retain residual copies for a limited period until they are overwritten or securely expired.

We maintain an internal retention and deletion schedule and will refine technical deletion controls as the service develops. We will not retain information merely because it may be useful someday.

11. Access, correction, deletion and profile removal

You may ask us to:

  • tell you what personal information we hold about you;
  • provide access to that information;
  • correct inaccurate or incomplete information;
  • remove or unpublish personal information from a profile we control;
  • delete information where appropriate;
  • explain or review a verification outcome;
  • stop direct marketing.

Email privacy@erosium.ai. Describe your request and the relevant account, profile or enquiry. We may need to verify your identity or authority before acting. We aim to acknowledge your request within five business days and provide a substantive response within 30 calendar days. If a complex matter needs longer, we will explain why and give you a revised timeframe before that period ends. We will explain if we cannot fully comply, including where retention is required by law, needed for security or dispute records, or necessary to protect another person's rights.

Removing a Credentials AI page does not guarantee immediate removal from search-engine caches, archives or other third-party copies.

12. Marketing and service communications

We may send operational messages needed to provide the service, such as account, security, billing, verification, lead and policy notices.

We will send promotional email or SMS only where we have consent or another lawful basis. Where we ask for express marketing consent, it will be separate from required account, profile or quote information and will not be pre-selected. Marketing messages will identify the sender and provide a functional unsubscribe method. We will action unsubscribe requests within five working days. Opting out of marketing does not stop necessary service communications.

We do not treat creating an account, publishing a profile or submitting a quote request as blanket consent to unrelated marketing.

13. Privacy questions and complaints

Send privacy questions, requests or complaints to privacy@erosium.ai.

Please include enough detail for us to understand the issue. We aim to acknowledge a complaint within five business days and provide a substantive response within 30 calendar days. If a complex complaint needs longer, we will explain why and give you a revised timeframe. We will keep you informed where appropriate and explain the outcome.

Whether every requirement of the Privacy Act 1988 (Cth) applies to Beastly Tech GC Pty Ltd can depend on circumstances and statutory exceptions. Regardless, we intend to operate Credentials AI using privacy practices modelled on the Australian Privacy Principles.

If the Privacy Act applies to your complaint and you are not satisfied with our response, or we have not responded within a reasonable time, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992. Other complaint rights may also apply.

14. Changes to this policy

We may update this policy when the service, providers, law or our practices change. The current version will be posted on this page with its effective and last-updated dates.

If a change materially affects how we use personal information or your rights, we will provide additional notice where required or reasonably appropriate. If consent is legally required for a new use, we will seek it before that use.

15. Contact details

Privacy: privacy@erosium.ai
Support: support@erosium.ai

Beastly Tech GC Pty Ltd
ABN 52 699 330 553
Trading as Erosium
Operator of Credentials AI