1. Scope and Roles
This Privacy Policy applies to the Debt Digest website at debt-digest.com, the authenticated consumer portal, the creditor and settlement-firm dashboards, the application programming interfaces, and any related services we operate (collectively, the “Service”).
Debt Digest’s privacy role depends on the surface:
- Consumer-facing surfaces (consumer portal, marketing site). Debt Digest is the controller of the personal information it collects directly from the consumer for the purpose of operating the Service.
- Creditor-placed accounts. When a creditor places consumer accounts onto the platform for resolution, the underlying creditor is the controller of that information under the Gramm-Leach-Bliley Act (GLBA) financial-institution framework, and Debt Digest acts as a service provider (and, under the GLBA Safeguards Rule, a covered service provider). The terms of that service-provider relationship are governed by the Data Processing Agreement and the pilot or master services agreement between Debt Digest and the creditor.
2. Information We Collect
2.1 Information you provide directly
- Contact details: name, email address, phone number, mailing address.
- Identity-verification fields: date of birth and the last four digits of your Social Security number (“SSN4”), used solely to match you to the account placed by your creditor.
- Account communications and dispute submissions made through the portal.
- Hardship-program self-attestations, if you elect to submit one.
- Payment details processed by our payment provider (see Section 4).
2.2 Information your creditor provides to us
- Account identifiers (internal account number, creditor name, charge-off date, days past due).
- Outstanding principal balance, accrued interest, fees, and any creditor-configured settlement matrix.
- Compliance flags (e.g., representation by counsel, bankruptcy notice, deceased, SCRA status, cease-communication request).
2.3 Information collected automatically
- IP address (used for rate limiting, security, and audit logging).
- Browser type, device type, operating system, referring URL, and pages visited.
- Session and authentication tokens necessary to keep you signed in.
We do not use cookies or pixels for cross-site advertising and do not participate in advertising-identifier exchanges.
3. How We Use Your Information
We use personal information for the following purposes only:
- To verify your identity and match you to the account placed by your creditor.
- To provide the Service, including settlement offers, payment plans, hardship review, dispute handling, and account communications.
- To generate and deliver legally required notices, including FDCPA §809(a) validation notices on accounts where the §1692e(11) Mini-Miranda is required (see the conditional matrix at /legal).
- To process payments through our payment provider.
- To enforce code-path compliance guardrails (Reg F dispute pauses, cease-communication enforcement, counsel / NDR firewall, SCRA scrub, bankruptcy scrub).
- To detect, prevent, and respond to fraud, abuse, or security incidents.
- To comply with federal and state regulatory obligations, including audit-log retention and reporting.
- To improve the Service (in aggregate or de-identified form only).
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use personal information to market unrelated products.
4. Third-Party Processors
Debt Digest uses a small set of vetted subprocessors. Each is contractually required to protect personal information, to use it only for the purposes specified, and to maintain safeguards consistent with the GLBA Safeguards Rule.
| Processor | Purpose | Data shared |
|---|---|---|
| Stripe, Inc. | Payment processing and payout to creditor of record. | Payment-method tokens, payment amount, payment metadata. PCI-scoped fields are tokenized by Stripe and not stored on Debt Digest infrastructure. |
| SendGrid (Twilio) | Transactional email delivery (FDCPA notices, account communications, magic-link sign-in). | Email address, message body, delivery metadata. |
| Neon (PostgreSQL) | Managed PostgreSQL database hosting for the production data store. U.S. region. | All Service data at rest, encrypted with database-level encryption. |
| Railway | Application hosting (web and API tier) and request-log retention. | Request metadata, IP, application logs, deployment artifacts. |
If we add a new processor that materially changes how personal information is processed, we update this list and the effective date at the top of the page.
5. When We Share Information
- With your creditor of record, as necessary to service the account, route disputes, and complete settlements.
- With our subprocessors, as described in Section 4.
- When required by law, including in response to a valid subpoena, court order, or regulatory request.
- In connection with a corporate transaction (merger, acquisition, financing, or sale of substantially all assets), subject to a successor commitment to honor this policy.
- To protect rights, safety, or property of Debt Digest, our users, or the public.
We do not share consumer personal information with third parties for their own marketing purposes.
6. Data Security
Debt Digest applies administrative, technical, and physical safeguards consistent with the GLBA Safeguards Rule (16 CFR Part 314) and applicable state data-security laws. These include, at a minimum:
- Encryption of data in transit (TLS 1.2 or higher) and at rest at the database layer.
- Password hashing using a memory-hard key-derivation function (scrypt).
- Role-based access controls and tenant-scoped query enforcement.
- Server-enforced rate limiting and progressive lockout on authentication endpoints.
- Append-only audit logging of administrative access and material consumer events, retained for a minimum of thirty-six (36) months post-termination of the governing agreement.
- Annual access review and incident-response procedure.
Suspected security issues should be reported to security@debt-digest.com. See our published security posture for further detail.
7. Data Retention
Personal information is retained as long as necessary to fulfill the purposes described in this policy, comply with our legal obligations (including federal and state record-retention requirements applicable to debt servicing and collection), resolve disputes, and enforce agreements. Specific retention windows are documented per record class in our internal data-governance policy and in the DPA.
Audit-log entries supporting FDCPA, Reg F, and TCPA compliance are retained for a minimum of thirty-six (36) months post-termination of the governing agreement. Account-level financial records are retained for the term required by the creditor of record or by applicable record-retention statutes, whichever is longer.
8. Your Rights
8.1 Under the California Consumer Privacy Act (CCPA / CPRA)
If you are a California resident, you have the following rights with respect to personal information Debt Digest holds about you:
- Right to know. Request the categories and specific pieces of personal information collected, sources, purposes, and the categories of third parties with whom it has been shared.
- Right to delete. Request deletion of personal information, subject to exceptions for information that is necessary to complete a transaction, comply with a legal obligation, or maintain integrity of audit and security records.
- Right to correct. Request correction of inaccurate personal information.
- Right to opt out of sale or share. Debt Digest does not sell or share personal information; this right is honored by default.
- Right to limit use of sensitive personal information. Honored by default; sensitive personal information (including SSN4 and account financial detail) is used only for the purposes described in Section 3.
- Right to non-discrimination for exercising any of these rights.
To exercise these rights, email privacy@debt-digest.com. We will verify your identity before processing the request and respond within forty-five (45) days, extendable once for an additional forty-five (45) days as permitted by law.
8.2 Under the Gramm-Leach-Bliley Act (GLBA)
For accounts placed by a financial-institution creditor, the creditor is the controller of nonpublic personal information (NPI). The creditor’s own privacy notice and opt-out mechanisms apply. Debt Digest acts as a covered service provider under the GLBA Safeguards Rule (16 CFR Part 314) and applies the safeguards described in Section 6. NPI is used only as authorized by the creditor and as required to deliver the Service.
8.3 Under the Fair Debt Collection Practices Act (FDCPA)
You may dispute all or part of a debt under FDCPA §1692g; request validation under FDCPA §809; and request that direct communication cease under FDCPA §1692c(c). These rights are described in detail at /legal.
9. Children
The Service is not directed to children under the age of 18, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact privacy@debt-digest.com and we will delete it.
10. Cross-Border Transfers
The Service is operated in the United States. By using the Service from outside the United States, you understand that your personal information will be processed in the United States, where data-protection laws may differ from those in your jurisdiction.
11. Changes to this Policy
Debt Digest may update this Privacy Policy from time to time. Material changes will be noted at the top of this page with an updated effective date. For substantive changes that affect how we use personal information, we will provide additional notice through the authenticated portal or by email where appropriate.
12. Contact
Email privacy@debt-digest.com for any data-rights request or for general privacy questions. For security reports, use security@debt-digest.com. For all other contact, use pgvanderwolk@gmail.com.