1. Who we are
Credostar is a digital credentialing platform operated by Thinqzo Technologies Private Limited (“Credostar”, “we”, “us”). We help organizations design, issue, manage, and verify digital certificates, badges, and professional credentials at scale, using the W3C Verifiable Credentials and OpenBadges 3.0 open standards.
This policy explains what personal information we handle in connection with the Credostar website, the Credostar platform, and credentials issued through it. It applies to three groups of people: visitors to credostar.com, our customers (organizations that use Credostar to issue credentials), and recipients of credentials that customers issue through the platform.
2. Information we collect
From website visitors
When you visit credostar.com we collect:
- Form submissions. If you submit our Design Partner Program application, contact form, partner application, or newsletter signup we store the information you provide (such as name, work email, company, role, and any notes you include) so we can respond and assess fit.
- Technical request data. Standard server log information including IP address, user agent, referrer, and request timestamps. We use this to operate the site, detect abuse, and produce aggregate analytics.
- Bot-protection signals. We use Cloudflare Turnstile to distinguish humans from automated traffic on our forms. See the dedicated Cloudflare Turnstile section below for details.
From customers
When your organization signs up for Credostar we collect business contact information for the account administrators, billing details, and any data you upload or generate while using the platform (templates, recipient lists, branding assets, configuration settings).
From credential recipients
When a Credostar customer issues a credential to you, the credential typically contains your name, the credential subject (program name, course title, certification scope), the issue date, and a unique credential identifier. The customer who issued the credential is the controller of that personal information; Credostar processes it on their behalf. We also receive your email address from the customer so we can deliver the credential.
3. How we use information
We use the personal information we collect to:
- Provide, operate, and improve the Credostar platform and website.
- Issue, deliver, store, and verify credentials on behalf of customers.
- Communicate with you about your account, applications, the Design Partner Program, security advisories, and product updates.
- Detect, investigate, and prevent fraud, abuse, and security incidents.
- Comply with our legal and regulatory obligations.
- Produce aggregate, de-identified analytics about how the website and platform are used.
We do not sell personal information. We do not use credential data or customer-uploaded data to train third-party machine learning models.
4. Service providers and sub-processors
We rely on a small set of vendors to operate Credostar. We require each one to maintain appropriate security controls and to process personal information only on our instructions.
- Cloudflare (United States, with EU and APAC presence). Content delivery, DDoS protection, DNS, and Cloudflare Turnstile bot protection.
- Zoho Corporation (India, United States, EU). Customer relationship management for applications and contact submissions received through credostar.com.
- Email delivery providers for transactional credential delivery and account notifications.
- Cloud infrastructure providers for compute, storage, and key management services that host the Credostar platform.
We maintain an up-to-date list of sub-processors. Enterprise customers can request the current list by emailing [email protected].
5. Cloudflare Turnstile
We use Cloudflare Turnstile to protect our forms (the Design Partner Program application, the newsletter signup, and any other forms we add over time) from automated abuse without requiring you to solve a CAPTCHA puzzle.
When you load a page that contains one of our forms, your browser fetches the Turnstile challenge script from challenges.cloudflare.com. The script performs a series of non-intrusive checks on your browser environment (such as evaluating browser characteristics, rendering behaviour, and network signals) and returns a single-use cryptographic token to our server when you submit the form. Our server then asks Cloudflare to verify that token before accepting your submission.
The data Cloudflare processes for this purpose includes:
- Your IP address, user agent, and request headers, transmitted to Cloudflare as part of the challenge.
- A set of browser-derived signals used by Turnstile’s machine learning models to distinguish humans from bots.
- A short-lived cookie or local-storage value used to remember a recent successful challenge so you are not re-challenged on every form interaction within a short window.
Cloudflare acts as our sub-processor for this purpose. Cloudflare states that it does not use Turnstile data to track users across sites and that Turnstile is designed to avoid the invasive fingerprinting and behavioural profiling associated with traditional CAPTCHA services. Cloudflare’s own description of what Turnstile collects and how it processes that data is published at cloudflare.com/turnstile-privacy-policy and is incorporated into this policy by reference.
Turnstile is required for our forms to function. If you block the Turnstile script (for example with strict browser-extension content blockers) the affected form will not submit; contact us at the address in the contact section and we will accept your enquiry over email instead.
6. International data transfers
Credostar operates from India. Personal information we collect may be transferred to and stored on servers located in countries other than your country of residence, including India, the United States, and the European Union. When we transfer personal information out of the European Economic Area, the United Kingdom, or Switzerland we rely on appropriate safeguards, including Standard Contractual Clauses approved by the European Commission.
7. Cookies and tracking
The credostar.com marketing website uses a minimal set of cookies and similar technologies:
- Strictly necessary cookies. Set by Cloudflare for security, bot protection, and load balancing. These are required for the site to function.
- Preference cookies. Remember your view-transition state and similar UI preferences. No personal information is stored.
We do not use third-party advertising cookies or cross-site tracking on credostar.com. We do not load Google Analytics or Facebook Pixel on the marketing website.
8. Data retention
We retain personal information only as long as needed for the purposes described above, then delete or anonymize it. Specifically:
- Application and contact submissions: retained for 24 months after the last interaction, then deleted unless converted to a customer account.
- Customer account data: retained for the duration of the account plus 90 days to allow recovery, then deleted unless legal obligations require longer retention.
- Credentials and verification metadata: retained according to the policy the issuing customer configures. Premium and Blockchain tier credentials are designed for lifetime verification; Standard tier credentials have a customer-configurable retention window.
- Server logs: retained for 90 days for security and operational purposes, then aggregated or deleted.
9. Security
We follow the practices documented at credostar.com/security, including encryption in transit and at rest, role-based access controls, audit logging, and credential signing using dedicated keys stored in a managed key management service. We are ISO 27001 certified and undergoing a SOC 2 Type II audit.
No internet-connected system is perfectly secure. If you believe you have discovered a security issue, email [email protected].
10. Your rights
Depending on where you live, you may have the right to access, correct, delete, restrict processing of, or port your personal information. You may also have the right to object to certain processing or withdraw consent where we rely on consent.
To exercise these rights:
- If you are a website visitor or applicant, email [email protected].
- If you are a customer, use the data management controls in your Credostar workspace, or contact [email protected].
- If you are a credential recipient, contact the organization that issued your credential first; they are the data controller and can correct or remove credentials. If they do not respond, contact us and we will route the request.
We respond to verifiable requests within 30 days. We may need to verify your identity before acting on a request. You also have the right to lodge a complaint with a data protection supervisory authority in your jurisdiction.
11. Children
Credostar is a B2B platform not directed at children. We do not knowingly collect personal information from individuals under the age of 16 directly through credostar.com. Credentials issued through the platform may relate to programs that include minors; in those cases the issuing organization is responsible for obtaining required consents under applicable law.
12. Changes to this policy
We may update this policy from time to time. When changes are material we will post a notice on credostar.com and update the “Effective” date above. Continued use of the site or platform after the effective date constitutes acceptance of the updated policy.
13. Contact
For questions about this Privacy Policy or how we handle personal information:
- Email: [email protected]
- Operating entity: Thinqzo Technologies Private Limited (India)
- For security issues: [email protected]