Privacy Policy

Last updated: March 20, 2026

Gonos, Inc. (“Gonos,” “we,” “us”) operates as a Consumer Reporting Agency (CRA) under the Fair Credit Reporting Act (FCRA). This policy describes how we collect, use, share, and protect personal information.

1. Information We Collect

We collect information necessary to provide background verification services:

**From Platforms (our customers):**

- Organization name, contact information, and billing details
- API keys and authentication credentials
- Usage data (API calls, check volumes, feature usage)

**From Candidates (subjects of background checks):**

- Full name, date of birth, Social Security Number (last 4 digits or full, depending on check type)
- Address history, email address, phone number
- Consent records and disclosure acknowledgments

**From Consumers (registered portal users):**

- Email address, account credentials
- Dispute filings and consumer statements
- Security freeze and identity theft block requests

**Automatically collected:**

- IP addresses, browser type, device information
- API request logs (sanitized — no PII in logs)
- Session and authentication activity

2. How We Use Information

We use collected information to:

- **Provide background verification services** as requested by platforms with valid permissible purpose
- **Comply with FCRA requirements** including consent management, adverse action notices, dispute reinvestigation, and consumer file disclosure
- **Maintain audit trails** as required by federal and state law (minimum 5-7 year retention)
- **Detect and prevent fraud**, unauthorized access, and abuse of our services
- **Improve our services** through aggregated, de-identified analytics
- **Communicate** with platforms about their accounts, billing, and service updates
- **Respond to consumer requests** for file disclosure, disputes, and identity theft protection

3. Information Sharing

We share personal information only as follows:

- **With platforms** that have a valid permissible purpose and active consent from the candidate
- **With data sources** (courts, registries, verification providers) to fulfill background check requests
- **With consumers** for their own file disclosure requests per FCRA §1681g
- **As required by law** in response to subpoenas, court orders, or regulatory examinations
- **With service providers** (hosting, email delivery, payment processing) under data processing agreements

We **never** sell personal information. We **never** share consumer reports without a permissible purpose.

4. Data Security

We implement comprehensive security measures:

- **Encryption at rest**: All PII fields encrypted using Fernet symmetric encryption with per-value salting
- **Encryption in transit**: TLS 1.2+ enforced on all connections
- **Access control**: Role-based access, API key scoping, SSO enforcement
- **Audit logging**: Every data access and state change logged with HMAC integrity verification
- **Infrastructure**: Deployed on SOC 2 compliant infrastructure with automated backups
- **Key management**: Encryption key rotation without downtime, separate keys per data category

5. Data Retention

We retain data as required by FCRA and applicable state law:

- **Background check records**: Minimum 5 years from report date (7 years for some record types)
- **Audit logs**: 7 years (HMAC-signed for integrity)
- **Consumer disputes**: Retained for the life of the disputed record plus 5 years
- **Consent records**: Retained for the life of the associated check plus 5 years
- **Account data**: Retained while account is active, plus 2 years after closure
- **Expired data**: Automatically purged by scheduled housekeeping tasks with audit trail

6. Your Rights

**Under FCRA, consumers have the right to:**

- Receive a free copy of their file once per 12-month period
- Dispute inaccurate or incomplete information (30-day reinvestigation)
- Place a security freeze on their file
- File an identity theft block
- Receive adverse action notices with a copy of the report and rights summary

**Under CCPA (California residents):**

- Right to know what personal information we collect and share
- Right to delete personal information (subject to FCRA retention requirements)
- Right to opt out of the sale of personal information (we do not sell data)
- Right to non-discrimination for exercising privacy rights

To exercise any of these rights, contact us at privacy@gonos.co or through the consumer portal.

7. Contact Us

**Gonos, Inc.**

- Email: privacy@gonos.co
- Website: https://www.gonos.co

For consumer file disclosure requests, visit the consumer portal at https://gonos.co/login.

This policy was last updated on March 20, 2026.