CredNgo Privacy Policy

CredNgo (“we”, “us”, “our”) provides credentialing, enrollment, and related administrative services to therapy providers, practices and facilities (collectively, “Services”). This Privacy Policy explains what information we collect, why we collect it, how we use and share it, and the choices available to you regarding your information.

1. Scope and applicability

This Privacy Policy applies to personal information collected when you use our website, portals, mobile applications, Services, or otherwise interact with CredNgo. It applies to information about providers, clinic staff, patients, and any other individual whose personal information we process in the course of delivering Services.

2. Information we collect

We collect the following categories of information, depending on the Services used:

  1. Identifiers and contact information. Full name, professional title, business and home addresses, phone numbers, email addresses, NPI, tax ID, employer details, and similar identifiers.
  2. Professional and credentialing data. License numbers, certifications, training records, board statuses, malpractice coverage, education, employment history, CAQH details, and other credentials required for payer enrollment.
  3. Health and Protected Health Information (PHI) where necessary. When performing credentialing, enrollment, claims setup, or related tasks, we may receive or maintain PHI (for example, limited clinical identifiers required by payers or for enrollment). Where we act on behalf of a covered entity or perform services involving PHI, we will treat such information consistent with HIPAA and applicable law. (See Section 7 on PHI and HIPAA.)
  4. Usage and technical data. IP addresses, device and browser information, cookies and tracking data, log files, and analytics about how you use our website and Services.
  5. Payment and billing information. Billing contacts, invoice and payment history, and related financial details when you purchase paid Services.

3. How we collect information

We collect information:

  • Directly from you or your organization (forms, onboarding, email, phone).
  • From third parties (employers, payers, credentialing bodies, CAQH, licensing boards).
  • Automatically via website cookies and analytics.
  • From authorized representatives (billing agents, attorneys) when permitted.

Examples of competitor industry practices and templates show credentialing providers frequently combine direct collection with third-party feeds (licensing boards, CAQH) to validate credentials.

4. Purposes for which we use information

We use personal information to:

  • Provide and administer credentialing, enrollment, re-credentialing and related services.
  • Verify identity, professional qualifications and licensure.
  • Communicate with providers, payers and your organization.
  • Manage billing, invoices and payments.
  • Maintain CAQH profiles and other payer portals on your behalf.
  • Comply with legal, regulatory and payer requirements.
  • Detect and prevent fraud, misuse or abuse of our Services.
  • Improve and analyze our Services and website performance.
  • Respond to legal requests and enforce our Terms of Service.

5. Legal bases for processing (where applicable)

If you are a data subject in a jurisdiction requiring a legal basis (for example, EU/UK GDPR), we will process personal data on the bases of:

  • Performance of a contract (providing Services);
  • Legal obligations (regulatory and payer requirements);
  • Legitimate interests (fraud prevention, service improvement), where not overridden by your rights; or
  • Consent where required.

6. Disclosure and sharing

We may share personal information with:

  • Payers and insurers for enrollment and credentialing.
  • Licensing boards, CAQH and credentialing services to verify credentials.
  • Business partners and service providers who perform services on our behalf (e.g., hosting, analytics, document management). These subprocessors are contractually required to protect personal data.
  • Our affiliates and professional advisors (legal, audit).
  • Third parties if required by law, court order or to respond to lawful requests.
  • Buyers or other parties in connection with a sale, merger or reorganization of CredNgo; in such cases we will require the acquirer to honor this Policy.

When we act as a Business Associate (for PHI) to a covered entity, disclosures will be governed by a Business Associate Agreement (BAA) consistent with HIPAA requirements.

7. PHI, HIPAA and safeguarding health information

Where CredNgo receives or maintains PHI in the course of providing Services to a covered entity, we will:

  • Treat PHI as confidential and use or disclose PHI only as permitted by the applicable Business Associate Agreement and HIPAA rules.
  • Implement administrative, physical and technical safeguards designed to protect PHI, consistent with HIPAA Security and Privacy Rules (access controls, encryption, audit logging, workforce training, incident response). Guidance for SaaS vendors on HIPAA compliance is recognized industry practice.

Note: HIPAA compliance is a shared responsibility. Covered entities and their providers must configure and use our Services in a manner that supports their HIPAA obligations. We recommend executing a BAA with any covered entity client.

8. Data security

We use reasonable administrative, technical and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration and destruction. Measures include encryption in transit and at rest, role-based access controls, multi-factor authentication for administrative access, regular security assessments, and incident response procedures.

While we strive to protect your information, no system can guarantee absolute security. We will notify affected parties and regulators as required by applicable breach notification laws. Recent industry guidance and templates underscore the importance of robust breach procedures and timely notification.

9. Cookies and tracking

We use cookies, web beacons and similar technologies to operate the website, analyze usage, and deliver features. You can control cookies through your browser settings; however, some functionality may be impaired if cookies are disabled.

10. International transfers

If we transfer personal information across borders (for example, to subprocessors or partners), we will protect such transfers with appropriate safeguards under applicable law (standard contractual clauses, intra-group agreements, or other lawful mechanisms).

11. Data retention

We retain personal information as long as necessary to provide Services, to comply with legal obligations (including payer or licensing retention requirements), to resolve disputes, and for legitimate business purposes. Typical retention periods depend on the data type, payer rules and statutory limits; credentialing records are frequently retained for several years in order to meet audit and payer requirements.

12. Your rights and choices

Depending on local law you may have rights to:

  • Access, correct or update your personal information.
  • Request deletion or restriction of processing (subject to legal and contractual limits).
  • Receive a copy of your data in a portable format.
  • Object to certain processing based on legitimate interests.
  • Withdraw consent where we rely on consent.

Requests should be sent to the contact below. We will respond within the timing required by applicable law. For EU/EEA/UK residents, we will honor data subject requests consistent with GDPR requirements.

13. Children

Our Services are not directed to children under 13 (or higher minimum age where required). We do not knowingly collect personal information from children; if we learn we have done so we will take steps to delete it.

14. Third-party links and third-party services

Our website and Services may contain links to third-party sites. This Policy does not cover those sites. We encourage you to review third-party privacy policies before providing personal information.

15. Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, applicable law, or Service features. When we make material changes, we will post the updated policy with a new effective date and, where required by law, provide additional notice.

16. Contact information

For questions, access requests, complaints, or to request a Business Associate Agreement, contact:

Email: [email protected]