Security

Your data is your data.

We treat consumer credit information the way a bank does — encrypted, audited, never sold, never shared with lenders. Here's exactly what that means.

Encryption

What we encrypt and how.

Encryption-at-rest and encryption-in-transit are table stakes. We go further on the AI side — bureau data is redacted before it reaches any model.

AES-256-GCM at rest

Every credit report, every analysis, every consent record sits in the database as ciphertext. The key is rotated every 90 days. A database leak yields ciphertext, not a credit profile.

TLS 1.3 in transit

All traffic between your browser, our servers, and Equifax flows over TLS 1.3 with modern cipher suites. No data ever moves in the clear.

Privacy-redacted AI prompts

When the funding-readiness analysis runs, your full SSN, DOB, full name, and full address are stripped before any model sees the prompt. Score, utilization, and account-age aggregates are sufficient — and that's all the model gets.

What we never store

The list of things you'd be surprised aren't on our servers.

Most fintech security pages list what they protect. Here's the inverse — what isn't on our servers in the first place.

  • Plaintext SSN — only the last 4 are stored, encrypted, and only at the moment of bureau enrollment
  • Plaintext credit reports in logs — every log line is filtered through a PII scrubber before write
  • Bureau passwords or auth credentials — we use Equifax's hosted IDV; your credentials never touch our servers
  • Your data in any AI prompt without redaction — name, full address, SSN, DOB are stripped pre-prompt
  • Card data — your card number is tokenized at the payment processor and never touches our servers; we never see or store the full card number
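
As an added illustration (not CredReadi's own code) of the two controls described above, the allowlist-before-prompt redaction and the PII scrubber that log lines pass through, here is a Python sketch. The record fields, regex patterns and placeholder tokens are assumptions, and the sample record is constructed.

```python
import re

# Constructed sample of what a bureau record might hold after a pull (not real data).
SAMPLE_RECORD = {
    "full_name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "dob": "1985-04-12",
    "address": "100 Example St, Springfield, ZZ 00000",
    "score": 712,
    "utilization_pct": 31.5,
    "avg_account_age_months": 84,
    "oldest_account_age_months": 180,
}

# Allowlist of aggregates (assumed field names). Anything not listed never reaches
# the prompt, so a newly added identifier field is dropped by default.
PROMPT_ALLOWLIST = ("score", "utilization_pct",
                    "avg_account_age_months", "oldest_account_age_months")

# Direct identifiers that must never appear in a prompt, whatever the allowlist says.
DIRECT_IDENTIFIERS = ("full_name", "ssn", "dob", "address")

# Denylist patterns for the log scrubber: SSNs (dashed or 9 digits) and ISO dates.
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")
DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")


def build_prompt_fields(record: dict) -> dict:
    """Project a record onto the allowlisted aggregates only."""
    return {k: record[k] for k in PROMPT_ALLOWLIST if k in record}


def contains_no_pii(text: str, record: dict) -> bool:
    """Belt-and-braces check: no direct identifier value and no SSN-shaped token in text."""
    for key in DIRECT_IDENTIFIERS:
        if record.get(key) and str(record[key]) in text:
            return False
    return SSN_RE.search(text) is None


def render_prompt(record: dict) -> str:
    """Build the model prompt from aggregates and refuse to emit it if PII slipped through."""
    fields = build_prompt_fields(record)
    prompt = "Assess funding readiness given: " + ", ".join(f"{k}={v}" for k, v in fields.items())
    if not contains_no_pii(prompt, record):
        raise ValueError("PII detected in prompt; refusing to send")
    return prompt


def scrub_log_line(line: str) -> str:
    """Replace SSN and date tokens before the line is written to the log."""
    return DATE_RE.sub("[DATE]", SSN_RE.sub("[SSN]", line))
```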

FCRA

What FCRA-compliant means for us.

The Fair Credit Reporting Act is the federal law that governs how consumer credit data can be obtained, used, and disclosed. We are a regulated subscriber.

Permissible purpose, contract-bound

Equifax issues us subscriber codes that are bound to specific permissible purposes — consumer monitoring, identity verification, and consumer-authorized one-time pulls. We can't accidentally use your data outside those purposes; the codes prevent it at the API level.

Written consumer authorization

Every credit pull requires your e-signature consent, captured at enrollment and revocable from your portal. Consents are versioned, timestamped, and retained for FCRA dispute defense.

Disputes go through the bureau

If something on your bureau file is wrong, we tell you what to dispute and link you to Equifax's direct dispute channel. We don't intermediate the dispute — that's the FCRA-compliant path.

Soft inquiries only

Every pull we make is a soft inquiry, which does not affect your credit score. Hard inquiries only happen when you formally apply for credit at a lender — outside of AdvisorHub.

Data handling

What we do with your data — and what we don't.

Never sold

We don't sell your data to third parties. Period. No exceptions for marketing partners, advertisers, or data brokers.

Never shared with lenders

We're not a lead-gen company. Lenders don't see your file unless you apply with them directly.

Account deletion = real deletion

Request deletion from settings → bureau data is removed within 30 days. We retain only the consent records FCRA dispute defense requires.

Subscription cancellation = data preserved, monitoring stopped

Cancel without deleting? Your historical data stays in your portal so you can reactivate. We immediately stop pulling from Equifax to stop incurring per-applicant fees.

Contact

Spot something? Let us know.

Found a security concern, a vulnerability, or a privacy question we haven't answered? Email our security team at the address below and we'll respond within one business day.

security@advisorhub.io

Built like a bank, priced like a tool.

Bank-grade encryption, FCRA-compliant data handling, never sold, never shared. The kind of security you'd expect from a financial institution — at credit-monitoring price.

CredReadi — Credit monitoring + funding readiness