ALL ABOUT the TECH
Go under the hood to see how we transform anonymous metadata into highly predictive risk signals. No black boxes, no magic—just pure data science and millisecond-grade engineering.
How it works
We transform anonymised device and behavioural metadata into a predictive intelligence layer. Whether for credit risk, fraud prevention, or marketing optimisation, we turn how a user interacts with their device into the insights you need to grow safely.
How to integrate
Integration should not be a headache. Our lightweight SDKs for Android, iOS, and Web are designed for minimal performance impact and maximum flexibility. With modular deployment, detailed documentation, and dedicated onboarding support, your IT team will actually like us.
How we handle data
We hunt for patterns, not identities. We never touch personal or sensitive data. All metadata is anonymised, stays fully under your control, and is stored in secure cloud environments that meet the world’s most rigorous standards.
ALL ABOUT PRIVACY & SECURITY
In our world, privacy is not a feature. It is the foundation. We built Credolab to close the data asymmetry gap while ensuring that your users' personal identities remain strictly off-limits.
Data Sources & Collection
We use privacy-protected metadata sourced directly from device interactions. We have zero interest in (and zero access to) sensitive content such as messages, contacts, or location data. Collection only begins when the user gives their consent.
Consent & Transparency
Our SDKs sit quietly in the background, waiting to be triggered. They only activate after a user explicitly opts in through your consent flow. We even provide best-practice templates to ensure your messaging is as clear as it is compliant.
Compliance & Regulations
From GDPR (EU) and CCPA (USA) to PDPA (Singapore), LFPDPPP (Mexico) and LGPD (Brazil), we speak the language of global compliance. Our legal and InfoSec teams stay ahead of every regulatory shift so you do not have to.
Data Protection Practices
Security is the DNA of our code. We apply encryption at rest and in transit, enforce strict "need-to-know" access controls, and isolate data by client. We don't just protect data; we wall it off.
ISO Certifications
Credolab is ISO/IEC 27001 certified. This isn't just a badge; it’s a commitment reviewed annually by independent auditors to ensure our infrastructure and development processes remain world-class.
Privacy Policy
Clear, concise, and fully compliant. Our policy defines our role as a data processor and outlines our consent-based approach. It’s the roadmap for how we protect your interests and your users’ privacy.
How It Works
Credolab’s technology transforms device and web behavioural metadata into powerful, privacy-consented predictors of credit risk, fraud alerts, and marketing insights.
Our SDKs and APIs collect behavioural patterns such as app usage, device settings, typing speed and cadence, gestures and UI interactions, without accessing personal or sensitive information. This data is then processed through our proprietary machine learning models to generate predictive scores and granular insights. The result is a secure, scalable solution that improves predictive power and expands financial inclusion while respecting user privacy and complying with global data regulations.
Key Points
Uses behavioural metadata from mobile devices and UI interactions to assess credit risk, detect fraud, and improve marketing.
Employs privacy-by-design principles with anonymised data that never captures PII.
Machine learning models generate scores and insights for better credit risk, fraud and marketing decisions.

How We Process Data
Only 1st Party Data
We are an embedded technology provider and process only the data we know works via our proprietary mobile and Web SDKs.
We do not buy data from anyone.
How the SDK Works
Credolab’s SDK is one of the most secure and transparent data collection technologies available. It gives clients a frictionless way to access first-party device and behavioural metadata while maintaining total control and full compliance, forming the foundation for explainable and privacy-first alternative risk scoring, fraud detection and marketing optimisation.
Key Points
Lightweight and Frictionless by Design
Credolab’s SDK is engineered to be ultra-light, fast, and simple to integrate. The Android SDK is under 170KB, the iOS SDK is under 2MB, and the Web SDK consists of just a few lines of JavaScript code. Together, they operate silently in the background without affecting app performance, battery life, or user experience. This minimal footprint makes the SDK ideal for large-scale deployments across mobile and web environments where speed, stability, and efficiency are essential.
Client Control, Always
Our clients maintain full control over when and how the SDK is triggered. It cannot be activated remotely by Credolab or by any third party. This ensures complete operational independence and transparency. Clients decide when the SDK runs, and only within their own environments.
Modular and Permission-Based Architecture
Credolab’s SDK is built with a modular structure that gives clients complete control over which data modules are activated. Each module corresponds directly to a specific app permission, allowing clients to mirror their app’s existing permission set. For example, if a client’s app does not request access to Contacts, they simply do not enable the Contacts module within the SDK, and no related metadata is collected or processed. This modularity ensures that the SDK never accesses data outside the scope of permissions already granted by the app. Clients can fine-tune data access to align perfectly with their privacy policies and compliance requirements, without any changes to their app or user interface.
Privacy by Design
The SDK collects and processes only depersonalised and anonymised metadata. It never accesses, stores, or transmits personal identifiers, sensitive information, or content data. Every data flow follows strict privacy-by-design principles, ensuring compliance with global data protection regulations such as GDPR, LGPD, PDPA, and CCPA.
Independently Audited and Verified
Credolab’s SDK undergoes annual, independent third-party audits that confirm it processes only anonymised metadata and contains no hidden data capture capabilities. These external assessments provide our clients with verifiable assurance of privacy, security, and data integrity.
Transparent Technical Documentation
Full technical specifications, including SDK architecture, data flow, permission requirements, encryption protocols, data dictionaries, and video tutorials are publicly available on Credolab’s Developer Area (https://docs.credolab.com/docs/get-started). These resources help developers and compliance teams review exactly what the SDK collects and how it operates, ensuring end-to-end transparency and trust.
Data Sources & Collections
Credolab collects metadata that reflects user behaviour patterns from mobile devices and web sessions. This includes technical attributes like app usage frequency, phone settings, and general UI interaction trends. Our technology never accesses or stores personal messages, contact lists, call logs, photos, or GPS locations. The goal is to enable accurate credit risk assessment, fraud detection, and marketing segmentation while safeguarding user privacy through non-invasive, frictionless, and privacy-consented data practices.
Key Points
Only non-intrusive, non-PII metadata from mobile and web devices is collected.
Data includes device and behavioural biometrics signals (e.g., app usage, screen lock, typing rhythm, among others).
No access to personal files, messages, contact lists, or location data.
User Consent And Transparency
Consent is at the heart of Credolab’s data practices. Users are required to provide explicit, informed consent before any data collection begins via the SDK embedded into the client’s front end. Our disclosures explain in clear, user-friendly language exactly what type of data is collected, its purpose, and how it contributes to credit risk analysis and fraud detection, all while maintaining compliance with global consent requirements.
Key Points
Users must opt-in before any data is collected or processed.
Credolab is a data processor on behalf of its clients, who serve as the data controllers.
Clear explanations regarding the data collected and its purpose are provided to users.
Compliance & Regulations
Credolab ensures end-to-end compliance with major global data privacy regulations, including the EU’s GDPR, Brazil’s LGPD, and Singapore’s PDPA. Our legal and compliance teams conduct regular assessments to ensure that our data practices meet or exceed regional legal requirements. Compliance is integrated into the design and development of all our products, ensuring that partners can confidently deploy our solutions across diverse regulatory environments.
Key Points
Fully aligned with GDPR, LGPD, PDPA, and other local privacy laws.
Legal and regulatory assessments are built into our product lifecycle.
Continuous monitoring of data protection legislation across jurisdictions.
Data Protection Practices
Data security is embedded into Credolab’s infrastructure and operational processes. All metadata is encrypted using robust, industry-standard protocols both at rest and during transmission. Access to data is tightly controlled, logged, and monitored, with permissions based on strict role segregation. Our systems undergo regular penetration testing, vulnerability assessments, and third-party audits to proactively identify and address security risks, ensuring our clients’ data is always protected.
Key Points
Encryption in transit and at rest using industry standards (e.g., TLS 1.3 protocol and AES-256 cryptographic algorithm).
Strict access controls, with role-based permissions and audit trails.
Regular security audits, penetration testing, and vulnerability scans.
ISO Certification
Credolab is an ISO 27001:2013 certified company. Our scope of ISO 27001 certification is specific to providing alternative credit scores to banking and non-banking financial institutions globally based on mobile and web digital footprints.
With this accreditation, clients can be assured that our products are developed and delivered professionally and in full compliance with international Information Security standards and practices.
Google Play Personal Loans Policy
Google Play Personal Loans Policy: What changed, impact, and mitigations for digital lenders
Executive summary
- Google Play has tightened its Financial Services, Personal Loans policy. Personal-loan apps, lines of credit, facilitators/lead generators, accessory credit apps (calculators/guides), and EWA apps are prohibited from accessing several sensitive permissions (e.g., contacts, photos/videos, precise location, phone numbers, broad app visibility, external storage).
- Expect enforcement during app review and on updates. Non‑compliance can lead to rejection or removal.
- Impact on data-driven lending: certain device signals will no longer be available, which can reduce model lift if you relied on them.
- Credolab’s view: Compliance first. Predictive performance can be preserved with a tailor‑made model that taps our 11M+ engineered features (vs. the ~100 features many clients use today) and focuses on permitted, stable signals.
What changed (at a glance)
Who’s in scope
- Personal‑loan apps (including lead generators/facilitators and lines of credit)
- Accessory loan/credit apps (e.g., calculators, guides)
- Earned Wage Access (EWA) apps
Prohibited permissions for in‑scope apps (examples)
- READ_CONTACTS (no phonebook access)
- READ_MEDIA_IMAGES / READ_MEDIA_VIDEO (no broad photo/video access)
- READ_EXTERNAL_STORAGE / WRITE_EXTERNAL_STORAGE
- ACCESS_FINE_LOCATION (precise location)
- READ_PHONE_NUMBERS
- QUERY_ALL_PACKAGES (no broad installed‑app inventory)
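As an added example (not Credolab's or Google's code), a pre-submission check that parses an AndroidManifest.xml and flags requests for the permissions listed above. The sample manifest and the package name `com.example.loans` are constructed, and the permission set mirrors this page's examples rather than the full policy.

```python
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
TOOLS_NS = "{http://schemas.android.com/tools}"

# Examples the page lists as prohibited for in-scope apps (not the full policy).
PROHIBITED = {
    "READ_CONTACTS", "READ_MEDIA_IMAGES", "READ_MEDIA_VIDEO",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    "ACCESS_FINE_LOCATION", "READ_PHONE_NUMBERS", "QUERY_ALL_PACKAGES",
}
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Constructed sample manifest (hypothetical app, for illustration only).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools" package="com.example.loans">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"
                   android:maxSdkVersion="32"/>
  <uses-permission-sdk-23 android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"
                   tools:node="remove"/>
</manifest>"""


def find_prohibited(manifest_xml):
    """Return (permission, tag, maxSdkVersion) for each prohibited request."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in PERMISSION_TAGS:
        for el in root.iter(tag):
            if el.get(TOOLS_NS + "node") == "remove":
                continue  # merger directive that strips the entry, not a request
            prefix, _, short = el.get(ANDROID_NS + "name", "").rpartition(".")
            if prefix == "android.permission" and short in PROHIBITED:
                # maxSdkVersion is reported so a reviewer can judge scoped requests
                findings.append((short, tag, el.get(ANDROID_NS + "maxSdkVersion")))
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    hits = find_prohibited(xml_text)
    for perm, tag, max_sdk in hits:
        print(f"PROHIBITED {perm} via <{tag}> maxSdkVersion={max_sdk}")
    sys.exit(1 if hits else 0)
```

Run it against the merged manifest from the build output, not only the app's own source manifest, because library manifests are merged in and can contribute permission requests the app never declared itself.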
Other ongoing requirements (selected)
- App category must be set to "Finance".
- Disclose min/max repayment period, max APR, representative cost example, privacy policy in store listing.
- Short‑term personal loans (≤60 days) are not allowed.
- US APR ≥36% is not allowed.
- Country‑specific licensing and disclosures apply for India, Indonesia, Philippines, Nigeria, Kenya, Pakistan, and Thailand.
Timing
Enforcement is active. Assume no grace if you newly request a prohibited permission.
What this means for your app and models
The following signals are likely to disappear:
- Contacts/phonebook: Referral flows, social‑graph heuristics, collections “friend reach” tactics.
- Photos/videos/external storage: Any verification or “gallery scan”‑type checks.
- Precise location: Fine‑grained geolocation features.
- Read phone numbers: Automatic line detection, some telco‑based heuristics.
- Installed‑app inventory (broad): Installed apps features via QUERY_ALL_PACKAGES.
Still have questions?
Whether it is a deep dive into our DPA or a technical query about our encryption, our experts are ready to provide the clarity you need.
Frequently Asked Questions
Our credit bureau hit rates are low. How can we grow without them?
Credolab generates a predictive risk score for 100% of your applicants using privacy-safe device and behavioural metadata, not credit history.
We fill the gap, giving your risk team a consistent signal from day one. You grow the portfolio today; the bureau catches up tomorrow.
We already pay for ID verification, income data, and fraud tools. Why add Credolab to the stack?
By placing our intelligence layer at the start of the waterfall, you identify non-human threats and manipulated sessions instantly. You stop the "operational waste" and ensure your budget is spent only on genuine, high-quality humans that have a high probability of paying you back.
It’s a leaner funnel and a better bottom line.
Is this just another tracking tag? Where does it actually sit in the journey?
Credolab sits at the very start of the onboarding journey, analysing the session's integrity and the user's intent. We don't just identify the device; we assess the applicant’s willingness to repay.
It’s a scoring-grade decisioning tool that identifies the character behind the clicks, helping you reserve those costly downstream checks for the applicants who actually deserve them.
Will this require a massive overhaul of our existing risk models?
While our "sweet spot" is scoring thin-file applicants, our scores are equally effective at catching high-score "hit and run" fraudsters who have no intention of paying.
You can champion/challenge our scores against your existing setup or use them as a complementary layer. Either way, you get the score via a simple API, and our experts guide you through the process.