Privacy Policy

Last updated: April 2026

1. Information We Collect

We collect the minimum information needed to provide our service:

  • Account information: your name, email address, and profile image from your authentication provider (Google or GitHub) when you sign in.
  • Loan file data: loan parameters you enter (loan type, occupancy, property type, borrower name, etc.), the generated readiness checklists, and condition tracking records you create (descriptions, notes, assigned-to names, due dates, and comments).
  • Uploaded documents: files you upload to checklist items (PDFs, images, Word documents) are stored in secure cloud storage.
  • Payment information: if you subscribe to a paid plan, payment details are collected and processed by Stripe. We do not store your credit card number, CVC, or full card details on our servers.
  • Guideline Search queries: if you use the Guideline Search feature, the text of your questions and the AI-generated answers are stored in your account. Queries are sent to a third-party AI provider (currently OpenAI) for processing as described in Section 6.
  • Usage data: we maintain audit logs of actions taken within the Service (file creation, document uploads, Guideline Search queries, sign-in events) for security and troubleshooting purposes.

2. How We Use Your Data

Your data is used solely to provide, maintain, and improve the Loanwright service. We do not sell, rent, or share your personal information or loan file data for marketing or any other purpose. Data is shared only with the infrastructure providers listed in Section 5 as required to operate the Service.

3. Cookies and Sessions

We use essential cookies to maintain your authenticated session. These cookies are strictly necessary for the Service to function and cannot be disabled. We do not use tracking cookies, analytics cookies, or advertising cookies. No third-party trackers are loaded.

4. Data Security

All data is encrypted in transit using TLS. Our database provider (Neon PostgreSQL) encrypts data at rest. Uploaded documents are stored in Vercel Blob Storage with access mediated through authenticated server routes. Access is scoped to your authenticated session; you can only view your own loan files, documents, and results. All server actions validate inputs and verify authentication before reading or writing data.

5. Data Retention

We retain your data for as long as your account is active. You may request deletion of your account and all associated data (including uploaded documents) at any time by contacting us. Upon receiving a verified deletion request, we will remove your data within 30 days, except where retention is required by law.

6. Third-Party Services

We use the following third-party services to operate Loanwright. Each has its own privacy policy:

  • Google & GitHub (via Auth.js): authentication and identity verification.
  • Neon PostgreSQL: database hosting (stores account data, loan files, checklists, and audit logs).
  • Vercel: application hosting and blob storage for uploaded documents.
  • Stripe: payment processing for paid subscriptions. Stripe receives your payment method details and billing address directly. See Stripe's Privacy Policy.
  • OpenAI: Guideline Search queries are sent to OpenAI for embedding generation and answer synthesis. Only your query text is transmitted; no personal information, borrower data, or loan file details are included in API requests. OpenAI does not use API data for model training. See OpenAI's Privacy Policy.

7. Your Rights (Including CCPA/CPRA and Colorado Privacy Act)

Depending on your jurisdiction, you may have rights under the California Consumer Privacy Act (CCPA/CPRA), the Colorado Privacy Act (CPA), and other applicable state privacy laws. These rights may include:

  • Access the personal information we hold about you.
  • Delete your personal information and account.
  • Correct inaccurate personal information.
  • Know what categories of personal information we collect and how it is used.
  • Opt out of the sale or sharing of personal information. We do not sell or share your personal information, so this right is satisfied by default.
  • Non-discrimination for exercising your privacy rights.
  • Data portability — obtain a copy of your personal data in a commonly used, machine-readable format.

Colorado residents may exercise their rights under the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.). We do not sell personal data, use it for targeted advertising, or engage in profiling in furtherance of decisions that produce legal or similarly significant effects.

To exercise any of these rights, contact us at hello@loanwright.io. We will respond within 30 days (or 45 days for Colorado Privacy Act requests, as permitted by law).

8. Automated Processing

Loanwright generates file readiness checklists using rule-based logic (deterministic rules, not artificial intelligence) based on the loan parameters you provide. These checklists do not make lending decisions or evaluate borrower eligibility.

Guideline Search uses artificial intelligence (currently OpenAI models) to retrieve and summarize content from publicly available Agency Guidelines. When you submit a Guideline Search query:

  • Your query text is converted to an embedding vector and compared against pre-indexed guideline documents stored in our database
  • Relevant guideline excerpts and your query are sent to OpenAI to generate a summarized answer
  • No personal information, borrower data, or loan file content is included in any request to OpenAI
  • All results are clearly labeled as AI-Generated Content and should be verified against original source documents

Neither checklists nor Guideline Search results make lending decisions, evaluate borrower eligibility, or perform profiling. Pursuant to Colorado SB 24-205, Guideline Search is an informational reference tool and does not make or substantially factor into consequential decisions.

9. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will promptly delete that information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice within the Service. The "Last updated" date at the top of this page indicates the most recent revision.

11. Contact

If you have questions about this policy, please reach out to us at hello@loanwright.io.

← Back to home