PART 1 – INTRODUCTION, INTERPRETATION, DEFINITIONS, NOTICE AT COLLECTION, DATA CATEGORIES 

Last Updated: Nov 20, 2025 

This Privacy Policy describes how Scoreinc.com, Inc., including its brands ScoreCEO, CreditRepairBusinessWebsites.com, and Scoreinc.com, (collectively, “Scoreinc.com, Inc.,” “ScoreCEO,” “Company,” “We,” “Us,” or “Our”), collects, uses, discloses, stores, transfers, and protects your information when you use our websites, applications, platforms, tools, and services (collectively, the “Service”).  Your privacy is important to us. We are committed to handling your Personal Data responsibly, transparently, and in compliance with all applicable laws, including: 

• FCRA (Fair Credit Reporting Act) 
• GLBA (Gramm-Leach-Bliley Act) 
• CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act) 
• CalOPPA (California Online Privacy Protection Act) 
• CAN-SPAM 
• PCI-DSS standards (via validated processors) 
• Relevant federal and Puerto Rico privacy laws 

Because Scoreinc.com, Inc. provides solutions for credit repair organizations and may integrate with credit reporting services through our clients and partners, we also maintain elevated technical, administrative, and procedural safeguards for handling sensitive data. This Privacy Policy applies to all users of our platforms, including: 

• Visitors to our websites 
• Registered users 
• Business clients and their authorized users 
• Users of ScoreCEO and related applications 
• Individuals interacting with Scoreinc.com, Inc. brand websites 
• Lead forms, portals, integrations, and support channels 

This policy does not override any contractual Data Processing Addendum (“DPA”), Master Services Agreement (“MSA”), or partner agreement with additional obligations. 

1. INTERPRETATION

The words with initial capital letters have meanings assigned to them below. These definitions apply whether the words appear in singular or plural. If there is any conflict between this Privacy Policy and applicable law, the stricter requirement will apply. 

2. DEFINITIONS

For the purposes of this Privacy Policy: 

“Account” – A unique login and profile created for You to access our Service. 

“Affiliate” – An entity that controls, is controlled by, or is under common control with Scoreinc.com, Inc. “Control” means ownership of at least 50% of voting securities. 

“Business” (as defined under CCPA/CPRA) – Scoreinc.com, Inc., the legal entity that determines the purposes and means of processing Consumers’ Personal Data and conducts business in California. 

“CCPA” / “CPRA” – The California Consumer Privacy Act and its amendment, the California Privacy Rights Act. 

“Company” – Scoreinc.com, Inc., including its DBAs ScoreCEO, CreditRepairBusinessWebsites.com, Scoreinc.com, and iScoreSmarter.com, located at:  #1042 José E. Arrarás St. Urb. Terrace Mayagüez, Puerto Rico 00682 United States 

“Consumer” – A California resident, as defined by CCPA/CPRA. 

“Cookies” – Small files stored on your device by a website to help operate, measure, secure, or personalize the Service. 

“Controller” – The entity determining the purpose and means of processing Personal Data. Scoreinc.com, Inc. is a Controller for website visitors and marketing interactions. 

“Processor” / “Service Provider” – An entity processing Personal Data on behalf of a Controller. Scoreinc.com, Inc. acts as a Processor in connection with our business clients’ data and some integrated services. 

“Subprocessor” – A third party engaged by us to process Personal Data on our behalf when acting as a Processor. 

“Do Not Track (DNT)” – A browser setting that expresses a user preference not to be tracked. 

“Personal Data” / “Personal Information” – Any information that identifies, relates to, or could reasonably be linked to an individual. 

“Sensitive Personal Information” (CPRA) – Includes account login and password, precise geolocation, or similar categories defined by law. 

“Service” – The websites, SaaS platforms, portals, tools, APIs, and resources provided by Scoreinc.com, Inc., including ScoreCEO. 

“Usage Data” – Data collected automatically by the Service. 

“Website” – https://www.scoreceo.com https://www.scoreinc.com 

“You” / “User” – The individual or entity accessing or using the Service. 

3. NOTICE AT COLLECTION (Required by CCPA/CPRA)

We are required by law to inform you at or before the point of collection about: 

• The categories of Personal Data we collect 
• The purposes for which we collect and use that data 
• Whether we sell or share Personal Data 
• Retention periods or criteria 
• How to exercise your privacy rights 
• Whether we collect Sensitive Personal Information 
• How we respond to Global Privacy Control (GPC) signals 

This Notice applies to all Scoreinc.com, Inc. brands and platforms. We honor Global Privacy Control (GPC) signals as an opt-out of sale and sharing under CPRA. 

4. CATEGORIES OF PERSONAL DATA WE COLLECT (Long-Form Version)

Scoreinc.com, Inc. collects information directly from You, automatically through your interactions with the Service, and from Service Providers supporting our operations. Below is the complete CCPA/CPRA long-form dataset, including statutory examples. This is intentionally long because California requires detailed category explanations. 

Category A: Identifiers 

Examples include: 

• Real name, alias 
• Postal address 
• Unique personal identifier 
• Email address 
• Account name 
• IP address 
• Device identifiers 
• Phone number 
• Usernames; hashed passwords 
• Government identifiers (driver’s license or passport, only when strictly required for verification) 

Collected: Yes 

Category B: Customer Records (Cal. Civ. Code §1798.80(e)) 

May include: 

• Name, signature 
• Address, telephone number 
• Bank account number (if provided voluntarily by clients) 
• Credit or debit card last 4 digits 
• Some data may overlap with other categories 

Collected: Yes
We do NOT store raw credit card numbers; PCI-DSS certified processors handle payments. 

Category C: Protected Classification Characteristics 

Examples: age (40+), race, ethnicity, gender, sexual orientation, medical conditions, disability status. 

Collected: No 

Category D: Commercial Information 

Examples: 

• Records of products or services purchased 
• Account activity 
• Consideration history for ScoreCEO software or related services 

Collected: Yes 

Category E: Biometric Information 

Examples: fingerprints, faceprints, voiceprints. 

Collected: No 

Category F: Internet or Network Activity 

Examples: 

• Browsing history 
• Search history 
• Interaction with our Website, apps, or ads 
• Device and connection data 
• Diagnostic and performance metrics 

Collected: Yes 

Category G: Geolocation Data 

Examples: 

• Approximate location (via IP) 
• We do NOT collect precise geolocation 

Collected: Approximate only 

Category H: Sensory Data 

Examples: 

• Customer support call recordings (if recorded with notice) 

Collected: Possibly (only with consent) 

Category I: Professional or Employment Information 

Examples: 

• Job title, business contact details (if provided) 

Collected: Limited and optional 

Category J: Non-Public Education Information (FERPA) 

Examples: academic records. 

Collected: No 

Category K: Inferences 

Examples: 

• Profile preferences or behavioral trends 

Collected: Usually no 

Category L: Sensitive Personal Information 

Examples under CPRA: 

• Account login with password 
• Financial login (never collected) 
• Precise geolocation (not collected) 
• Government ID (only if verification required) 
• Racial/ethnic data (not collected) 

Collected: Login credentials; limited, minimal SPI 

PART 2 – USE OF DATA, FCRA/GLBA ADDENDUM, TRACKING, COOKIES, SHARING, RETENTION, TRANSFERS, SECURITY 

5. HOW WE USE YOUR PERSONAL DATA

Scoreinc.com, Inc. may use Personal Data collected about You for a wide range of business purposes. This section incorporates the full-length usage purposes found in standard privacy policies, as well as additional processing purposes required for: 

• CPRA 2024/2025 
• FCRA/GLBA compliance 
• Cross-brand integration 
• Third-party credit-related services (if applicable) 
• SaaS account management 
• Behavioral remarketing 
• Legal obligations 
• Dispute resolution 
• Internal operations 
• Business continuity and security 

We may use your Personal Data for the following purposes: 

5.1 To Provide and Maintain the Service 

Including but not limited to: 

• Operating ScoreCEO, CreditRepairBusinessWebsites.com, Scoreinc.com
• Maintaining secure access 
• Processing account actions 
• Generating dashboards, billing, analytics, and insights 
• Managing user configuration settings 
• Supporting integrations performed by users or clients 
• Offering portal access for consumers, CROs, and partners 

5.2 To Manage and Authenticate Your Account 

This includes: 

• Identity verification 
• MFA (multi-factor authentication) where applicable 
• Password hashing and credential protection 
• RBAC (role-based access control) administration 
• User permission and hierarchy management 
• Internal security checks 

5.3 For the Performance of a Contract 

This includes: 

• Subscription agreements 
• SaaS usage terms 
• Customer onboarding 
• Use of software features 
• Purchase and renewal management 
• Contracts executed between business users and Scoreinc.com, Inc. 

5.4 To Contact You 

We may contact You regarding: 

• Updates 
• Security alerts 
• Feature announcements 
• Technical issues 
• Billing matters 
• Support requests 
• Compliance or legal notices 

We may use: 

• Email 
• Phone 
• SMS 
• Push notifications 
• In-app messaging 
• System alerts within portals 

5.5 To Provide You With Marketing and Promotional Communications 

Unless you opt out, we may share: 

• News updates 
• Feature launches 
• Events 
• Special offers 
• CRO education materials 
• Automated lifecycle communications 
• Conversion optimization emails 
• Behavioral onboarding 

You may unsubscribe at any time via the link in the email. 

5.6 To Deliver Personalized Content or Advertising 

We may use cookies, analytics, or pixel-based tools to deliver: 

• Personalized content 
• Remarketing messages 
• Offers tailored to your interests 
• Location-relevant business materials 
• Experience-driven UX improvements 
• Cross-device consistency in marketing 

5.7 To Manage Requests and Support 

This includes: 

• Customer support 
• Ticketing 
• Chat assistance 
• Troubleshooting 
• System status updates 
• Logging communications for quality and legal compliance 
• Internal analysis of customer inquiries to improve response time 

5.8 For Business Transfers 

If we engage in: 

• Merger 
• Acquisition 
• Asset sale 
• Corporate restructuring 
• Financing event 

Your Personal Data may be transferred to the acquiring or merging entity, subject to obligations consistent with this Privacy Policy. 

5.9 For Internal Analytics and Service Improvements 

Including: 

• A/B testing 
• User flow analysis 
• System performance measurement 
• Feature usability studies 
• Heat-mapping tools (if used) 
• Machine learning/AI system improvement 
• User retention studies 

5.10 For Legal and Compliance Obligations 

We may use or disclose Personal Data to: 

• Comply with federal or state regulations 
• Maintain records for audits 
• Enforce our agreements 
• Detect or prevent fraud 
• Investigate potential abuse 
• Respond to law enforcement requests 
• Protect our legal rights 

5.11 For Security 

We may use Personal Data to: 

• Enforce access control 
• Detect suspicious activity 
• Prevent automated abuse 
• Maintain system integrity 
• Log access events 
• Investigate anomalies 
• Protect our systems and users 

5.12 For Any Other Purpose With Your Consent 

This includes any purpose disclosed at the time of collection where you explicitly authorize additional processing. 

6. FCRA / GLBA ADDENDUM

This section is specifically included to satisfy Array’s compliance requirements and to demonstrate Scoreinc.com, Inc.’s controls when credit monitoring features may be integrated through third parties. Even if YOU do not act as a Consumer Reporting Agency, this addendum ensures compliance with: 

• FCRA (Fair Credit Reporting Act) 
• GLBA (Gramm-Leach-Bliley Act) 
• FTC Safeguards Rule 
• Permissible Purpose verification 
• Security and minimization controls 

6.1 Scoreinc.com, Inc. Is NOT a Consumer Reporting Agency 

We do NOT: 

• Collect credit report data for resale 
• Aggregate or generate consumer reports 
• Furnish data to lenders 
• Decide creditworthiness 
• Make eligibility decisions 
• Maintain CRA files 

6.2 When We Act as a Service Provider for Third-Party Credit Integration 

If a partner (e.g., a credit monitoring provider such as Array) integrates through ScoreCEO: 

• Consumers authorize the pull 
• Scoreinc.com, Inc. acts solely as a Processor 
• Data flows occur only through secure API connections 
• We never store raw credit report files unless required for a client’s lawful permissible purpose workflow 
• Any stored data is encrypted and retained minimally 

6.3 Permissible Purpose Requirements 

When credit report or financial data is accessed through the platform: 

• The user or business must certify a permissible purpose 
• We maintain system logs verifying who accessed which data and when 
• We support secure audit trails 
• Access is blocked if purpose verification fails 

6.4 Data Minimization 

We do not: 

• Combine credit report data with marketing data 
• Sell or share credit data 
• Use credit data for behavioral advertising 
• Store full reports longer than necessary 

6.5 Retention and Destruction for FCRA/GLBA Data 

Unless otherwise required by law: 

• Credit attributes stored temporarily: ≤ 48 hours 
• Derived data or summaries (if used by clients): ≤ 90 days 
• Backups automatically purge per rotation: 30–60 days 

Destruction methods follow NIST SP 800-88 guidelines. 

6.6 Access Controls 

We enforce: 

• MFA 
• Role-based access 
• Logging and monitoring 
• Screening of personnel (where lawful) 
• Annual security and privacy training 
• Limited access based on job role 

6.7 Technical Safeguards 

• Encryption in transit (TLS 1.2+) 
• Encryption at rest (AES-256) 
• Secure key management 
• API authentication 
• Zero Trust principles 
• Rate limiting 
• Anomaly detection 

6.8 No Secondary Use 

We do not use credit data for: 

• Cross-context advertising 
• Retargeting 
• Profit-building 
• Consumer profiling 
• Resale or redistribution 

6.9 Incident Response 

If any credit-related data is involved in an incident: 

• We notify impacted parties 
• We comply with regulatory-required timelines 
• We provide investigation details 
• We take corrective action 
• We notify partners such as Array if required by contract 

7. TRACKING TECHNOLOGIES AND COOKIES

We use Cookies and similar tracking technologies to operate our Website and Service. These include: 

• Cookies 
• Web beacons 
• Pixel tags 
• SDKs 
• Local storage 
• Session-based tokens 

7.1 Types of Cookies We Use 

Necessary / Essential Cookies 

Required for: 

• Authentication 
• Security 
• Core platform functionality 
• Portal operations 
• Session management 

Without these, the Service may not function. 

Cookies Policy / Notice Acceptance Cookies 

Track cookie consent status. 

Functionality Cookies 

Used to remember: 

• Preferences 
• Region 
• Language 
• User settings 
• Persistent login sessions 

Performance and Analytics Cookies 

Used to: 

• Measure traffic 
• Analyze user behavior 
• Improve UX 
• Test new features 

Examples include: 

• Google Analytics 
• Internal analytics engines 
• Heatmapping tools (if implemented) 

Advertising and Targeting Cookies 

Used to: 

• Deliver relevant ads 
• Manage remarketing 
• Track ad performance 
• Prevent repetitive ads 
• Connect marketing systems 

Examples may include: 

• Google Ads 
• Facebook/Meta 
• Twitter/X 
• LinkedIn Ads 
• Third-party advertising networks 

7.2 Cookie Management 

Users may: 

• Block or delete cookies via browser settings 
• Disable non-essential cookies via our cookie banner 
• Submit Do Not Sell/Share requests 
• Utilize GPC (Global Privacy Control) signals 
• Opt out via industry tools (see Appendix) 

Note: Browser-based opt-outs must be repeated on each device. 

8. DISCLOSURE AND SHARING OF PERSONAL DATA

This section is intentionally long to match regulatory expectations and your original policy. We may share Personal Data as follows: 

8.1 With Service Providers 

This includes companies providing: 

• Hosting 
• Analytics 
• Email delivery 
• SMS services 
• Customer support tools 
• Payment processing 
• Security solutions 
• Marketing tools 
• Infrastructure and cloud operations 
• Backup and recovery 
• AI-powered system enhancements 
• Identity verification 
• Data processing for FCRA/GLBA where applicable 
• Credit monitoring integrations (such as Array) 

All Service Providers are bound by contractual requirements to: 

• Use data only for specified purposes 
• Maintain confidentiality 
• Apply security protections 
• Prohibit secondary use 

We provide 30 days’ prior notice of new subprocessors. 

8.2 With Affiliates 

Shared only on a need-to-know basis via secure channels. 

8.3 With Business Partners 

For: 

• Joint marketing (when permitted) 
• Integrated tools 
• Partner apps 
• Reseller programs 
• Managed SaaS operations 
• Training or events 

8.4 For Behavioral Advertising (CPRA “Sale” or “Share”) 

Sharing identifiers or activity data with third-party advertisers can be deemed “sale” or “sharing” under CPRA. 

We provide: 

• A “Do Not Sell or Share My Personal Information” option 
• Cookie preference controls 
• GPC recognition 

8.5 For Legal Reasons 

We may disclose Personal Data to: 

• Courts 
• Law enforcement agencies 
• Regulatory bodies 
• Auditors 
• Legal counsel 

8.6 Business Transfers 

If the Company undergoes a change of control, Personal Data may transfer. 

8.7 With Your Consent 

For any other purpose described at the point of collection. 

9. RETENTION OF PERSONAL DATA

We retain Personal Data only as long as necessary.
Below is the full retention schedule: 

Category	Retention Period	Notes
Account Data	Active + 7 years	Legal/audit defense
Identity Data	Active + 7 years	For fraud prevention
Communications	24–36 months	For support & quality
Analytics Data	13 months	CPRA adherence
Email Logs	24 months	Deliverability troubleshooting
Payment Records	7 years	Required by law
Card Data	Never stored	Processors only
Log Files	12–24 months	Security compliance
Backup Data	Rolling 30–60 days	Auto-purged
FCRA/GLBA Credit Data	48 hours – 90 days	Minimal retention
Credit Dispute/Adverse Action Logs	2–7 years	Depending on CRO obligations

If deletion is technically infeasible in backups, data is isolated and overwritten through scheduled rotation. 

10. INTERNATIONAL DATA TRANSFERS

If Personal Data is transferred outside the United States: 

• SCCs (Standard Contractual Clauses) are used 
• Additional security measures are applied 
• Data minimization principles apply 
• Transfers follow applicable laws 

We do not intentionally transfer consumer credit report data outside the United States unless required by a third-party provider’s infrastructure and permitted by law. 

11. SECURITY OF PERSONAL DATA

Scoreinc.com, Inc. maintains industry-standard and enhanced safeguards, including: 

11.1 Technical Protections 

• TLS 1.2+ encryption 
• AES-256 encryption at rest 
• RBAC (Role-Based Access Control) 
• Password hashing (bcrypt or equivalent) 
• MFA for internal systems 
• API authentication with tokens/keys 
• Network firewalls 
• WAF (Web Application Firewall) 
• IDS/IPS monitoring 
• Anti-malware and anti-bot tools 
• Rate-limiting 
• Secure session handling 
• Continuous vulnerability scanning 
• Penetration tests (annual) 

11.2 Administrative Protections 

• Security and privacy training for all employees 
• Vendor risk management 
• Access reviews 
• Incident response policy 
• Change management controls 
• Logging and monitoring 
• Internal audits 

11.3 Physical Protections 

• Secure data centers 
• Access controls 
• Surveillance 
• Environmental controls 
• Backup redundancy 

11.4 Incident Response 

If an incident involves Personal Data: 

• We investigate promptly 
• Assess scope 
• Notify affected parties 
• Take corrective action 
• Notify regulators where required 
• Provide post-incident updates 

PART 3 – ANALYTICS, ADVERTISING & REMARKETING, CCPA/CPRA RIGHTS, SENSITIVE PI, SALE/SHARING, VERIFICATION 

12. ANALYTICS SERVICES

We use analytics services to better understand User behavior, improve system performance, enhance user experience, and support marketing measurement. 

12.1 Google Analytics 

Google Analytics collects: 

• Device identifiers 
• IP address 
• Pages visited 
• Session duration 
• Browser/OS information 
• Interactions (clicks, scrolls, events) 
• Conversion data 

Google may also: 

• Combine collected data with other Google services 
• Use the data to personalize advertising 
• Use cookies or non-cookie technologies (e.g., gtag.js, analytics.js) 

You can opt out using the Google browser add-on: https://tools.google.com/dlpage/gaoptout. Google’s privacy policy: https://policies.google.com/privacy 

12.2 Internal Analytics Tools 

Scoreinc.com, Inc. may use internal measurement systems for: 

• Crash diagnostics 
• API performance 
• Usage heatmaps 
• Funnel analysis 
• Feature adoption 
• Error logging 
• Uptime monitoring 

This data is de-identified where possible. 

12.3 Additional Analytics or Monitoring Providers 

We may also use tools including (but not limited to): 

• Application performance monitoring (APM) 
• Database query performance tools 
• Log monitoring tools 
• Service availability trackers 
• Heatmapping (e.g., Hotjar-type solutions if implemented) 
• Identity threat detection tools 

Any additional provider is bound by contractual obligations to protect Personal Data. 

13. ADVERTISING AND REMARKETING

Scoreinc.com, Inc. may use third-party vendors to deliver ads, measure performance, and provide remarketing. Because CPRA considers some ad-related data sharing a “sale” or “sharing,” this section is intentionally long and detailed. 

You may opt out of these activities via: 

• “Do Not Sell or Share My Personal Information” 
• Cookie preferences 
• Global Privacy Control (GPC) 
• Industry opt-out tools listed in Appendix 
• Mobile device settings 
• Browser-level settings 

We do not use or share credit report data for advertising or marketing. 

13.1 Google Ads / Google Remarketing 

We may use: 

• Google Ads 
• Google Ads Remarketing 
• Google Marketing Platform 
• Display Network advertising 
• Google Signals (cross-device capabilities) 

Google may: 

• Serve ads based on your visit to our Website 
• Use cookies to deliver personalized advertising 
• Use device linking 
• Track conversions 
• Opt-out tools:
  https://www.google.com/settings/ads
  https://tools.google.com/dlpage/gaoptout 

13.2 Meta (Facebook / Instagram) Remarketing 

We may use: 

• Facebook Pixel 
• Facebook Ads 
• Custom Audiences 
• Conversion tracking 

Meta may collect: 

• Device information 
• Pixel events (page view, click, lead, purchase) 
• Cross-site identifiers 
• Browser and device metadata 
• Opt-out and privacy information:
  https://www.facebook.com/privacy/explanation
  https://www.facebook.com/help/568137493302217 

13.3 X (Twitter) Remarketing 

We may use: 

• Twitter Ads 
• Conversion tracking 
• Audience insights 
• Twitter’s ad personalization opt-out:
  https://support.twitter.com/articles/20170405
  Privacy policy: https://twitter.com/privacy 

13.4 LinkedIn Ads 

We may use: 

• LinkedIn Insight Tag 
• Conversion tracking 
• Retargeting 
• Audience analytics 
• Privacy policy:
  https://www.linkedin.com/legal/privacy-policy 

13.5 Third-Party Ad Networks 

Other networks may include: 

• Demand-side platforms (DSPs) 
• Affiliate platforms 
• Programmatic ad partners 
• Sponsored content networks 

These may use: 

• Cookies 
• Pixel tags 
• Mobile identifiers 
• Non-cookie tracking technologies 

You may opt out via: 

• DAA 
• NAI 
• EDAA 
• GPC 
• Cookie preferences 

14. CPRA/CCPA RIGHTS DISCLOSURE

This is intentionally long to maintain completeness and mirror the length of your original policy. California residents have the following rights regarding Personal Information: 

14.1 Right to Notice (Before Collection) 

You have the right to receive notice of: 

• Categories of Personal Information collected 
• Sensitive Personal Information collected 
• Purposes for collection 
• Whether the data is sold or shared 
• Retention periods 
• Right to opt out 
• Right to limit Sensitive PI 
• GPC recognition 
• Contact options for rights exercise 

14.2 Right to Know / Access 

You have the right to request: 

• The specific pieces of Personal Information collected 
• Categories of Personal Information collected 
• Categories of sources 
• Business or commercial purpose for collection 
• Categories of third parties with whom we share, sell, or disclose data 
• Categories of Personal Information sold 
• Categories of Personal Information shared for cross-context advertising 
• Categories of Personal Information disclosed for business purposes 
• The specific pieces of Personal Information about you 

This right covers the preceding 12 months, but we may extend beyond 12 months if feasible. 

14.3 Right to Delete 

You may request deletion of Personal Information, subject to legal exceptions such as: 

• Completing transactions 
• Detecting security incidents 
• Debugging functionality 
• Exercising free speech rights 
• Complying with legal obligations 
• Internal uses reasonably aligned with user expectations 
• Scientific, historical, or statistical research 
• Legal claims or regulatory requirements 

14.4 Right to Correct Inaccurate Personal Information 

You may request correction of inaccurate Personal Information we maintain. 

We apply: 

• Verification 
• Reasonableness standards 
• Proof requirements (in some cases) 

14.5 Right to Opt Out of “Sale” or “Sharing” 

Under CPRA: 

• “Sale” includes any transfer for monetary or other valuable consideration 
• “Sharing” refers specifically to cross-context behavioral advertising 

You may opt out using: 

• Our “Do Not Sell or Share My Personal Information” link 
• GPC (Global Privacy Control) signals 
• Cookie preferences 

We do not sell: 

• Credit report data 
• FCRA-regulated data 
• Children’s data 

14.6 Right to Limit the Use and Disclosure of Sensitive Personal Information 

You may request that we limit use of Sensitive PI to what is: 

• Necessary to provide and maintain the requested services 
• Reasonably expected by the average consumer 

Applicable data: 

• Login credentials 
• Government IDs (if collected) 
• Certain account-related data 

We do not use Sensitive PI for: 

• Profiling 
• Advertising 
• Sale or sharing 

14.7 Right Against Discrimination 

We will not discriminate against you for exercising your rights, such as: 

• Denying goods or services 
• Charging different prices 
• Providing a different level of service 
• Suggesting negative consequences 

14.8 Right to Data Portability 

Upon request, we may provide certain Personal Information in a: 

• Readily usable 
• Machine-readable 
• Portable format 

15. SALE OR SHARING OF PERSONAL INFORMATION (Required by CPRA)

CPRA defines both “sale” and “sharing” broadly. 

15.1 Categories Potentially Sold or Shared 

For advertising/retargeting purposes: 

• Identifiers 
• Commercial information 
• Internet/network activity 
• Device data 
• Cookie identifiers 
• Pixel event data 

15.2 Categories Never Sold or Shared 

We never sell, share, or use for behavioral advertising: 

• Credit report data 
• FCRA/GLBA data 
• Financial account data 
• Sensitive Personal Information 
• Children’s information (under 16) 

16. HOW TO EXERCISE YOUR CPRA/CCPA RIGHTS

You may make requests through: 

• Online: https://scoreceo.com/contact-scoreceo-credit-repair-business-experts/  
• Email: support@scoreinc.com 
• Phone: 1-877-876-5921 
• Mail: Scoreinc.com, Inc. #1042 José E. Arrarás St. Urb. Terrace Mayagüez, Puerto Rico 00682, USA 

17. VERIFICATION PROCESS FOR CONSUMER REQUESTS

To protect your Personal Information, we verify: 

• Your identity 
• Authority (for agents) 
• That your request matches our records 

We may ask for: 

• Two or more identifiers (for standard requests) 
• Three or more identifiers (for sensitive requests) 
• Signed authorization from an agent 
• Additional documentation when necessary 

If we cannot verify your identity, we will deny the request and explain why. 

18. AUTHORIZED AGENTS

You may authorize an agent to act on your behalf. They must provide: 

• Written authorization signed by you 
• Proof of identity 
• Proof of your identity 
• Any required legal documentation (power of attorney, etc.) 

19. RESPONSE TIMELINES

We will respond: 

• Within 45 days 
• With one possible 45-day extension 

We will explain if extra time is needed. 

20. APPEALS PROCESS (Required in Some States)

If your privacy request is denied: 

• You may appeal within 30 days 
• Email:  support@scoreinc.com 
• We will respond within 45 days 

If still dissatisfied, you may contact: 

• California Privacy Protection Agency (CPPA) 
• Federal Trade Commission (FTC) 
• Other applicable regulators 

📘 PART 4 – CHILDREN’S PRIVACY, LINKS, CHANGES, CONTACT, DPA, SUBPROCESSORS, APPENDICES & FOOTER REQUIREMENTS 

21. CHILDREN’S PRIVACY

We do not knowingly collect or solicit Personal Information from individuals: 

• Under the age of 13 (COPPA)
• Between 13–16 for any data considered a “sale” or “sharing” under CPRA without affirmative authorization (“opt-in”) 

If you are a parent or guardian and believe your child under 13 has provided Personal Information, you may contact us using the information in the Contact Us section. Upon verification, we will: 

• Delete the information 
• Block the account (if applicable) 
• Prevent further collection 

We require that third-party integrations and partners also comply with children’s privacy laws. 

We do not market to children, nor do we knowingly collect FCRA/GLBA-regulated data from minors. 

22. LINKS TO OTHER WEBSITES

Our Service may contain links to third-party websites, products, or services that are not owned or controlled by Scoreinc.com, Inc. 

Examples may include: 

• Educational materials 
• Compliance documentation 
• Partner integration sites 
• Social media platforms 
• Payment gateways 
• Blog references 
• Vendor privacy policies 

We strongly encourage you to review the privacy policies of every site you visit. We have no responsibility for the: 

• Content 
• Privacy practices 
• Data handling 
• Security 
• Cookies 
• Policies 

of any third-party site. 

23. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. Change triggers may include: 

• Legal or regulatory updates (CPRA, FTC, GLBA) 
• New features or products 
• Additional integrations 
• Operational changes 
• Internal security improvements 
• Business restructuring 
• Changes in data processing practices 

23.1 Notice of Material Changes 

For material updates, we will: 

• Provide notice on our Website 
• Email registered users (if applicable) 
• Update the “Last Updated” date 
• Provide links to archived versions 
• Provide explanation of major changes (CPRA requirement for clarity) 

24. CONTACT US

If you have any questions about this Privacy Policy or wish to exercise your rights, you may contact us: 

• By Email: support@scoreinc.com 
• By Website: https://www.scoreceo.com/contact 
• By Phone: +1-877-876-5921 
• By Mail: Scoreinc.com, Inc. #1042 José E. Arrarás St. Urb. Terrace Mayagüez, Puerto Rico 00682, United States 

We will review and respond to all privacy-related inquiries consistent with legal requirements. 

25. DATA PROCESSING ADDENDUM (DPA)

(For Business Clients) 

For business clients, partners, and enterprise accounts using ScoreCEO or related services, our Data Processing Addendum (DPA) governs: 

• Our role as a “Processor” 
• Your role as a “Controller” 
• Subprocessor conditions 
• Cross-border transfer mechanisms 
• Security measures and technical controls 
• Access, deletion, and correction procedures 
• Incident response 
• Data subject rights assistance 
• Recordkeeping 
• Purpose limitation 
• Confidentiality 
• Cooperation with audits 

The DPA includes the EU Standard Contractual Clauses (SCCs) and covers all Scoreinc.com, Inc. brands. 

26. SUBPROCESSORS (Required by CPRA & GDPR)

When acting as a Processor, we may use Subprocessors for certain operational tasks, including: 

• Hosting and cloud storage 
• Analytics 
• Email/SMS delivery 
• Customer support software 
• Security monitoring tools 
• Payment processors 
• DevOps/IT services 
• Data warehousing 
• Logging and performance tracking 
• API infrastructure 
• Credit monitoring or financial data integrations 

26.1 Subprocessor Notification 

You may subscribe to subprocessor notifications (if applicable). We will provide 30 days’ prior notice of new Subprocessors. 

27. CPRA REQUIRED FOOTER LINKS

To comply with CPRA §1798.100 et seq., we provide the following links in the footer of all major brand sites: 

• Privacy Policy → https://scoreceo.com/scoreceo-privacy-policy/  
• Terms and Conditions → https://scoreceo.com/scoreceo-terms-and-conditions/  

These must appear in the footer of: 

• Scoreceo.com