Legal & Compliance
SimpleCheck doesn't just meet the legal bar - we built the bar. Every soft pull is consent-based, FCRA compliant, and leaves zero impact on the prospect's credit score.
We are at the forefront of legal compliance in the soft pull services industry. Our unwavering commitment to exceeding regulatory requirements is fundamental to how we operate - ensuring that every business using SimpleCheck and every consumer whose data is accessed can do so with full confidence in the legal integrity of the platform.
Compliance Overview
SimpleCheck operates at the intersection of sales technology and consumer financial data. That means compliance isn't optional - it's the foundation everything is built on. Our legal framework covers three primary bodies of regulation:
- Fair Credit Reporting Act - the primary federal law governing how consumer credit data is collected, shared, and used.
- End-to-end encryption, access controls, and audit logging built to the same standards you'd expect from a regulated financial institution.
- CredibleCapture records explicit, time-stamped, IP-verified consent before any data is accessed - on every single pull.
SimpleCheck maintains a dedicated legal team that continuously monitors changes in applicable law and updates our compliance framework accordingly. When regulations change, we adapt - so you don't have to.
FCRA - Fair Credit Reporting Act
The Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) is the federal law that regulates the collection, dissemination, and use of consumer credit information. SimpleCheck rigorously adheres to FCRA requirements at every step of the data access process.
How SimpleCheck meets FCRA requirements:
- Permissible Purpose. SimpleCheck's platform is designed exclusively for the permissible purpose of allowing businesses to pre-qualify inbound leads who have voluntarily consented to have their financial data accessed. This use case falls within FCRA's framework for business pre-qualification activities when proper consent is obtained.
- Written Consumer Consent. We obtain explicit, written consent from every consumer before conducting any soft pull. The consent language is carefully designed to align with FCRA requirements and ensure it is informed and unequivocal.
- Soft Pull Only. All data access is via soft inquiry - never a hard pull. This satisfies FCRA's consumer protection objectives by ensuring no adverse impact on the consumer's credit file.
- Accurate Disclosure. Consumers are clearly informed of the nature of the data access, the party requesting it, and their right to decline without consequence to any purchase decision.
- Prohibited Use Enforcement. SimpleCheck's platform is built to prevent use of consumer data for any purpose not covered under the consent framework - including employment screening, housing decisions, or credit underwriting.
What FCRA does not require in this context:
FCRA's adverse action notice requirements (e.g., sending formal denial notices) apply when consumer report data is used to make a formal credit, employment, or housing decision. SimpleCheck's use case - pre-qualifying inbound leads for sales calls - does not constitute such a decision, and therefore formal adverse action notices are not required. Clients may not use SimpleCheck data as the basis for any decision that would trigger FCRA's adverse action provisions without obtaining appropriate separate consent and implementing the required FCRA notices.
FCRA compliance is a shared obligation. SimpleCheck provides the consent framework and soft pull infrastructure. You, as the business using SimpleCheck, are responsible for using the data only within the permitted scope described here and in your Terms of Service. Using SimpleCheck data for employment, housing, or credit decisions without additional FCRA consent and adverse action procedures is a violation of your agreement with SimpleCheck and may expose you to independent regulatory liability.
Soft Pull Technology
A "soft inquiry" or "soft pull" is a credit inquiry that does not affect the consumer's credit score and does not appear on their credit report as visible to other creditors or lenders. This is fundamentally different from a "hard inquiry," which occurs when a consumer applies for new credit and can reduce their score by several points.
SimpleCheck only ever performs soft inquiries.
Here's what that means in practice:
- The consumer's credit score is not affected in any way.
- The inquiry does not appear on the consumer's credit report as visible to mortgage lenders, auto lenders, or other creditors.
- The consumer will see the inquiry if they check their own credit report, but it carries no negative implication.
- No credit application is made. No credit decision is made. The data is used solely to signal purchasing capacity.
Soft pulls are the same type of inquiry used when:
- A consumer checks their own credit score on Credit Karma, Experian, or similar.
- A credit card company pre-approves a consumer for an offer.
- An employer runs a background check (with consent).
- A bank reviews an existing customer's account.
SimpleCheck's soft pull delivers real-time data - credit score, available credit, and income signals - with a 0.7-second response time, without the consumer ever knowing a pull occurred in the traditional sense.
Consent & CredibleCapture
Consumer consent is the legal cornerstone of every soft pull SimpleCheck performs. Without valid, informed, explicit consent - no pull occurs. SimpleCheck's CredibleCapture technology makes this non-negotiable at the platform level.
What is CredibleCapture?
CredibleCapture is SimpleCheck's proprietary consent verification system. At the moment a consumer submits their opt-in form, CredibleCapture:
- Records the consumer's IP address as a verifiable identifier.
- Time-stamps the exact moment consent was given.
- Creates an immutable, encrypted digital record of the consent event.
- Ties that record to the specific consent language displayed to the consumer.
- Stores the record securely for a minimum of 24 months for FCRA audit purposes.
This means that if a consumer ever disputes that they consented, SimpleCheck and its clients have definitive, timestamped proof of the exact consent given, the exact language shown, and the exact IP address that submitted it.
Required Consent Language. SimpleCheck mandates that all business clients display the following consent language (or an approved variant) on their opt-in forms:
"By submitting my contact information I certify that I'm 18 years of age or older and that the information provided is my own. I agree to the Terms Of Service and also give written authorization to [COMPANY NAME] and/or its affiliates to obtain a copy of my consumer report to personalize my experience, and I understand this is optional and not required to make a purchase."
Consumer Right to Decline. The consent language explicitly states that consenting to a soft pull is optional and not required to make a purchase. Consumers who decline are never blocked from purchasing a client's product or service. This is a non-negotiable requirement of SimpleCheck's consent framework.
HIPAA - Why It Doesn't Apply
HIPAA (the Health Insurance Portability and Accountability Act) governs Protected Health Information (PHI) - data that relates to an individual's health condition, healthcare provision, or payment for healthcare services. We address this directly because it sometimes comes up as a question from prospects in medical-adjacent verticals.
SimpleCheck does not process PHI.
The data SimpleCheck accesses consists exclusively of:
- Name, email address, and phone number (provided directly by the consumer)
- Credit score indicator (financial data, not health data)
- Available credit information (financial data, not health data)
- Income signals (financial data, not health data)
Under the HIPAA Privacy Rule (45 CFR § 160.103), PHI explicitly requires a connection to health information. None of the data categories above qualify as PHI because none are tied to any health condition, diagnosis, treatment, or healthcare payment. The HIPAA Privacy Rule therefore does not apply to SimpleCheck's data processing activities.
For clients in healthcare-adjacent industries (dental, med spa, cosmetic surgery, fertility clinics), this is important: SimpleCheck pulls financial qualification data only - not health records, appointment history, or treatment data. Your patient health data remains entirely within your own systems and is never accessed or processed by SimpleCheck.
SimpleCheck is used by dental practices, med spas, cosmetic surgery centers, and fertility clinics to pre-qualify patients on financial capacity - not to access or process health information. Your HIPAA obligations remain separate and are not affected by your use of SimpleCheck. If you have specific questions about how SimpleCheck integrates with your compliance framework, contact our team at support@simplecheck.com.
What we do instead of HIPAA. Just because HIPAA doesn't apply doesn't mean we take security lightly. Our systems operate to the same standards you'd expect from a company handling regulated financial data - because that's exactly what we do.
Data Security Standards
SimpleCheck implements enterprise-grade security protocols across all systems that handle consumer data. Our security posture is designed to match the sensitivity of the financial data we process.
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). No unencrypted consumer data exists anywhere in our systems.
Role-based access controls ensure that only authorized personnel can access consumer data, and only for the purposes defined in our data governance framework.
Every data access event is logged with timestamp, user identity, and action taken. These logs are immutable and retained for compliance review.
Our compliance protocols are continuously evaluated against the latest legal standards. We adapt to regulatory changes before they become enforcement actions.
Consent records created by CredibleCapture are cryptographically signed and cannot be modified retroactively - ensuring tamper-proof proof of consent.
All third-party data partners and sub-processors are vetted for security compliance before integration and reviewed on an ongoing basis.
Record-Keeping & Audit Trail
SimpleCheck maintains meticulous records at every stage of the data access lifecycle. This protects both our clients and the consumers whose data is accessed.
Consent Records. For every pull performed through SimpleCheck, the following is captured and stored for a minimum of 24 months:
- Consumer's IP address at the time of consent.
- Exact timestamp of the consent event (UTC).
- The specific consent language displayed to the consumer.
- The opt-in form URL from which consent was captured.
- Client account identifier requesting the pull.
Pull Records. Records of every successful soft pull are retained for 90 days in active systems. These records include the data returned, the timestamp of the pull, and the associated consent record. After 90 days, consumer financial data signals are purged from active systems. Consent records are maintained separately for the full 24-month period.
Access to Records. Clients may request a copy of consent records associated with their account at any time by contacting support@simplecheck.com. In the event of a regulatory inquiry or consumer dispute, SimpleCheck will provide the relevant consent records within 5 business days of a written request.
Billing Records. Financial and billing records are retained for 7 years in accordance with standard business and tax retention requirements.
Client Compliance Obligations
SimpleCheck provides the legal framework, consent technology, and soft pull infrastructure. But compliance is a two-party responsibility. As a SimpleCheck client, you have independent obligations that are a condition of your use of the platform.
What you must do:
- Display the required consent language (or Company-approved variant) prominently on every opt-in form, landing page, and booking page where SimpleCheck pulls are triggered. The language must be visible before the consumer submits their information.
- Include reference to the soft pull consent in your own Terms of Service, accessible from the opt-in form.
- Ensure that all leads whose data you access have submitted through a form containing the required consent language. Do not trigger pulls on leads who have not seen and agreed to the consent disclosure.
- Use the data obtained through SimpleCheck only for the permitted pre-qualification purposes described in the Terms of Service. Do not use the data for employment screening, housing decisions, credit underwriting, or any other purpose that would independently require a different FCRA consent framework.
- Do not share, resell, or redistribute consumer financial data signals obtained through SimpleCheck to any third party not involved in your direct sales process.
- Respond to consumer data requests promptly. If a consumer asks you to confirm whether their data was accessed, provide that confirmation. If they request deletion, notify SimpleCheck at support@simplecheck.com within 5 business days.
- Notify SimpleCheck immediately if you receive any consumer complaint, regulatory inquiry, or legal demand related to your use of SimpleCheck data.
What SimpleCheck handles for you:
- Maintaining the FCRA-compliant soft pull data access infrastructure.
- Creating and storing immutable consent records via CredibleCapture.
- Monitoring for regulatory changes and updating the platform accordingly.
- Providing compliant consent language templates for your opt-in forms.
- Maintaining the data retention and purge schedule described above.
- Responding to platform-level regulatory inquiries directed at SimpleCheck as the data processor.
SimpleCheck handles the infrastructure. You handle your forms. Specifically: put the consent language on every form that triggers a pull. Use the data for sales pre-qualification only. Don't share it. Tell us immediately if anyone asks about it officially.
Consumer Rights
SimpleCheck takes consumer rights seriously. Consumers whose data is accessed through our platform have the following rights, which we honor and facilitate:
Right to Know. Consumers have the right to know that their financial data was accessed via a soft pull when they consented through one of our clients' opt-in forms. The consent language they agreed to clearly describes this.
Right to Decline. Consenting to a soft pull is explicitly optional and not required to make a purchase from any SimpleCheck client. Any client who conditions a purchase on consent to a SimpleCheck pull violates their client agreement with SimpleCheck.
Right to Inquire. Consumers who have questions about how their data was used may contact SimpleCheck directly at support@simplecheck.com. We will respond to consumer inquiries within 5 business days.
Right to Request Deletion. Consumers may request deletion of their consent record and any associated financial data signals by contacting support@simplecheck.com. Deletion requests will be fulfilled within 30 days subject to our retention obligations for FCRA compliance records.
Right Under State Law. Consumers in California, Virginia, Colorado, and other states with comprehensive data privacy laws may have additional rights under those laws, including rights of access, correction, and portability. Requests under state privacy laws should be directed to support@simplecheck.com.
Dispute Resolution. Any consumer who believes their data was accessed without valid consent or used improperly should contact SimpleCheck at support@simplecheck.com. We will investigate and respond within 10 business days.
Contact Compliance Team
For any compliance questions, regulatory inquiries, consumer data requests, or concerns about SimpleCheck's legal framework, please contact us using the information below.
Comfortable with how we operate?
500+ businesses trust SimpleCheck. Every pull is consent-based, FCRA compliant, and leaves zero credit score impact. Your leads never know it happened.