Privacy Policy
Last updated: April 2026
Data controller: Loanwright, a sole proprietorship operating in the State of Colorado, is the controller of the personal data described in this policy. For privacy-related inquiries, contact us at privacy@loanwright.io.
1. Information We Collect
We collect the minimum information needed to provide our service:
- Account information: your name, email address, and profile image from your authentication provider (Google or GitHub) when you sign in.
- Loan file data: loan parameters you enter (loan type, occupancy, property type, borrower name, etc.), the generated readiness checklists, and condition tracking records you create (descriptions, notes, assigned-to names, due dates, and comments). Some of this data may constitute nonpublic personal information (NPI) about third parties (e.g., borrower names) under the Gramm-Leach-Bliley Act. You are responsible for ensuring that your entry of such data into the Service complies with your own GLBA and privacy obligations.
- Uploaded documents: files you upload to checklist items (PDFs, images, Word documents) are stored in secure cloud storage.
- Payment information: if you subscribe to a paid plan, payment details are collected and processed by Stripe. We do not store your credit card number, CVC, or full card details on our servers.
- Guideline Search queries (signed in): if you use the signed-in Guideline Search, the text of your questions and the AI-generated answers are stored in your account. Queries are sent to a third-party AI provider (currently OpenAI) for embedding and answer synthesis as described in Section 6.
- Public Guideline Search queries (no account): the public Guideline Search at /tools/guideline-search does not generate AI answers and does not store query text in an account. Your query text is converted to an embedding via OpenAI to run a vector search against pre-indexed agency guideline excerpts; the response is the matched excerpts themselves, not an AI summary. Server-side audit logs record the query text, an IP-derived identifier, and timing for security and rate-limiting purposes; these logs are not used for analytics, profiling, or marketing.
- Waitlist information: if you join our waitlist, we collect your email address. This information is used only to notify you when access becomes available and is deleted once your invitation is sent or you request removal.
- Usage data: we maintain audit logs of actions taken within the Service (file creation, document uploads, Guideline Search queries, sign-in events) for security and troubleshooting purposes.
2. How We Use Your Data
We use your data only for the following purposes:
- To provide and operate the Service features you use, including generating readiness checklists, storing loan file data, managing conditions, processing Guideline Search queries, and generating export archives of your uploaded documents and checklist data when you request a download
- To process payments and manage subscriptions via Stripe
- For signed-in Guideline Search, to generate and cache AI-powered guideline summaries so that substantially similar questions can be answered more quickly. The cache pool is limited to signed-in queries; public queries do not write to or read from this cache. Cached answers are derived from anonymized query data and do not expose any user's identity
- To maintain audit logs for security, compliance, and troubleshooting
- To communicate service-related notices, including security alerts, billing confirmations, and policy updates
- To send transactional email notifications about your loan files, such as condition status changes and checklist completion milestones, when you have email notifications enabled in your account settings. You can disable these notifications at any time from your Settings page.
- To improve service quality, reliability, and performance based on aggregated, non-identifying usage patterns
We do not sell, rent, or share your personal information or loan file data for marketing or any other purpose. Data is shared only with the infrastructure providers listed in Section 6 as required to operate the Service.
3. Cookies and Sessions
We use the following categories of cookies:
- Essential cookies: maintain your authenticated session. These are strictly necessary for the Service to function and cannot be disabled.
- Analytics cookies: PostHog, our analytics provider, sets cookies to distinguish unique visitors and track usage patterns (pages visited, feature adoption, session duration). For anonymous visitors these cookies hold an opaque visitor identifier with no personal information attached. For signed-in users we associate the cookie with your account identifier and email address so we can measure end-to-end product usage and conversion (for example, whether a visitor who tried a free tool went on to create an account). These cookies are not used for advertising. You can block them via your browser settings without affecting core functionality.
We do not use advertising cookies. No third-party advertising trackers are loaded.
Do Not Track: We do not track users across third-party websites and do not build behavioral profiles for advertising. Because we do not engage in cross-site tracking, we do not change our behavior in response to Do Not Track (DNT) browser signals.
4. Data Security
All data is encrypted in transit using TLS. Our database provider (Neon PostgreSQL) encrypts data at rest. Uploaded documents are stored in Vercel Blob Storage with access mediated through authenticated server routes. Access is scoped to your authenticated session; you can only view your own loan files, documents, and results. All server actions validate inputs and verify authentication before reading or writing data. Exported files are generated on our servers and transmitted to your device over an encrypted connection. Once downloaded, the security of the exported data is your responsibility.
Breach notification: In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, we will notify affected users without unreasonable delay and in accordance with applicable state and federal law, including Colorado's data breach notification statute (C.R.S. § 6-1-716). We will also notify any applicable regulatory authorities as required by law.
5. Data Retention
We retain your data for as long as your account is active. Specific retention periods by data category:
- Account information, loan files, and uploaded documents: retained while your account is active. Deleted within 30 days of a verified deletion request.
- Guideline Search queries and answers (signed in): retained while your account is active. Upon account deletion, your query history is deleted. Anonymized, cached answers derived from your queries may persist to serve other signed-in users, but they contain no information identifying you as the original questioner.
- Public Guideline Search audit logs: server-side audit log entries for public searches at /tools/guideline-search are retained for up to 12 months for security, abuse prevention, and rate-limit enforcement. These entries record the query text, IP-derived identifier, and timing only; they are never associated with a Loanwright account.
- Audit logs: retained for up to 12 months after account deletion for security, compliance, and fraud prevention purposes. Audit log entries reference your user ID but do not contain the substantive content of your loan files or documents.
- Payment records: Stripe retains billing records according to its own retention policy. We retain subscription status records for the duration of the account and for up to 12 months after deletion for financial reconciliation.
You may request deletion of your account and all associated data (including uploaded documents) at any time by contacting us. Upon receiving a verified deletion request, we will remove your data within 30 days, except as described above or where retention is required by law.
6. Third-Party Services
We use the following third-party services to operate Loanwright. Each has its own privacy policy:
- Google (via Auth.js): authentication and identity verification. See Google's Privacy Policy.
- GitHub (via Auth.js): authentication and identity verification. See GitHub's Privacy Statement.
- Neon PostgreSQL: database hosting (stores account data, loan files, checklists, and audit logs). See Neon's Privacy Policy.
- Vercel: application hosting and blob storage for uploaded documents. See Vercel's Privacy Policy.
- Stripe: payment processing for paid subscriptions. Stripe receives your payment method details and billing address directly. See Stripe's Privacy Policy.
- OpenAI: Guideline Search queries are sent to OpenAI. The signed-in surface uses OpenAI both for query embedding (to drive vector search) and for answer synthesis (GPT-4o summarizes the matched guideline excerpts). The public surface at /tools/guideline-search uses OpenAI only for query embedding; no answer synthesis runs on the public path, so no query text is sent to a generative model from the public tool. Only your query text is transmitted in either case; no personal information, borrower data, or loan file details are included in API requests. OpenAI does not use API data for model training. See OpenAI's Privacy Policy.
- Upstash (Redis): rate limiting and abuse prevention. We send hashed, non-identifying request metadata (such as user ID hashes and IP-derived identifiers) to Upstash to enforce usage limits. No personal information or loan data is stored in Upstash. See Upstash's Privacy Policy.
- PostHog: product analytics. PostHog collects usage data (pages visited, feature interactions, session duration) to help us understand how the Service is used and improve it. For anonymous visitors these events are tied only to an opaque per-browser identifier. When you sign in we identify the PostHog session with your account identifier and email address so anonymous events from before sign-up can be stitched to the resulting account, and so feature-adoption funnels can be measured end-to-end; we reset the identifier when you sign out. PostHog does not receive borrower data, loan file content, or Guideline Search query text. For the public free tools (Guideline Search, Gift Fund, Condo, USDA, FHA), we capture tool-usage events that include the tool name, the outcome category (e.g. eligible / ineligible / over-limit), and numeric metadata such as query length or count of citations returned. We do not capture the literal text of any query you submit through these tools. IP addresses are not stored in PostHog's default configuration. See PostHog's Privacy Policy.
- Sentry: error monitoring. Sentry captures unhandled application errors, stack traces, and basic device and browser metadata (browser name, OS, screen size) to help us identify and fix bugs. Sentry does not receive borrower data, loan file content, or Guideline Search queries. See Sentry's Privacy Policy.
- Resend: transactional email delivery for condition status updates and checklist milestone notifications. When you have email notifications enabled, Resend receives your email address and limited notification content, which may include borrower last names, condition descriptions, and checklist progress. No uploaded documents, full loan file data, or financial details (income, assets, credit scores) are sent to Resend. See Resend's Privacy Policy.
- Loanwright Browser Extension: we offer an optional browser extension (currently distributed as a beta install from our public repository) that adds a right-click menu entry for looking up Agency Guidelines. The extension does not read the content of any web page. The only data it transmits is the text you explicitly highlight and select from the right-click menu; that text is sent to loanwright.io/tools/guideline-search as a normal URL query parameter, identical to typing the same query into Guideline Search yourself. The extension stores two user-controlled settings locally via the browser's sync storage (open-mode preference and an optional alternate base URL); no personal data, browsing history, or usage telemetry is collected by the extension itself. Search activity that originates from the extension is captured server-side at loanwright.io/tools/guideline-search the same as a direct visit, distinguished only by a utm_source=extension URL parameter for analytics attribution.
- Slack: internal operational notifications. When you join our waitlist, your email address is sent to a private Slack channel accessible only to Loanwright staff so we can follow up promptly. No loan file data, uploaded documents, or financial details are sent to Slack. See Slack's Privacy Policy.
Data location: All Service infrastructure (application hosting, database, blob storage) is located in the United States. AI processing via OpenAI also occurs in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States.
7. Your Rights (Including CCPA/CPRA and Colorado Privacy Act)
Depending on your jurisdiction, you may have rights under the California Consumer Privacy Act (CCPA/CPRA), the Colorado Privacy Act (CPA), and other applicable state privacy laws. These rights may include:
- Access the personal information we hold about you.
- Delete your personal information and account.
- Correct inaccurate personal information.
- Know what categories of personal information we collect and how it is used.
- Opt out of the sale or sharing of personal information. We do not sell or share your personal information, so this right is satisfied by default.
- Non-discrimination for exercising your privacy rights.
- Data portability: obtain a copy of your personal data in a commonly used, machine-readable format. The Export for Submission feature provides self-serve data portability for your uploaded documents and checklist data.
Colorado residents may exercise their rights under the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.). We do not sell personal data or use it for targeted advertising. We do not use your data to profile you for the purpose of making decisions that produce legal or similarly significant effects. Guideline Search queries are used only to return relevant guideline excerpts (and on the signed-in surface, an AI-generated summary of those excerpts), and on the signed-in surface to improve service quality through anonymized caching; they are not used to build behavioral profiles or make automated decisions about you.
To exercise any of these rights, contact us at privacy@loanwright.io. We will respond within 30 days (or 45 days for Colorado Privacy Act requests, as permitted by law).
8. Automated Processing
Loanwright generates file readiness checklists using rule-based logic (deterministic rules, not artificial intelligence) based on the loan parameters you provide. These checklists do not make lending decisions or evaluate borrower eligibility.
Signed-in Guideline Search (Pro). The signed-in Guideline Search uses artificial intelligence (currently OpenAI models) to retrieve and summarize content from publicly available Agency Guidelines. When you submit a query:
- Your query text is converted to an embedding vector and compared against pre-indexed guideline documents stored in our database
- Relevant guideline excerpts and your query are sent to OpenAI to generate a summarized answer
- No personal information, borrower data, or loan file content is included in any request to OpenAI
- All results are clearly labeled as AI-Generated Content and should be verified against original source documents
Public Guideline Search (no account). The public Guideline Search at /tools/guideline-search uses artificial intelligence only for query embedding (vector similarity), not for answer synthesis. The response is the most relevant agency excerpts themselves, taken verbatim from the indexed agency source documents. No GPT-class language model is invoked on the public path. No AI-Generated Content is surfaced to public users; they see the source text itself.
Neither checklists nor Guideline Search results (signed-in or public) make lending decisions, evaluate borrower eligibility, or perform profiling. Pursuant to Colorado SB 24-205, Guideline Search is an informational reference tool and does not make or substantially factor into consequential decisions.
9. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will promptly delete that information.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice within the Service. The "Last updated" date at the top of this page indicates the most recent revision.
11. Contact
If you have questions about this policy, please reach out to us at privacy@loanwright.io.
Loanwright is for organizational purposes only and is not a substitute for professional advice.