Privacy Policy
Mortgage Dude Holdings, LLC ("MDH," "we," "our") operates the LoanIQ platform at myloaniq.ai and related domains ("the Service"). MDH is a Texas limited liability company. This Privacy Policy describes how MDH collects, uses, shares, and protects information when you use the Service.
The Service is used primarily by mortgage loan officers and originators ("Customer LOs"), and secondarily by borrowers who receive shared Loan Comparison links from a Customer LO. Both sets of users are covered by this policy. Importantly:
- For Customer LOs — this policy describes how MDH handles the information MDH collects from you about your use of the platform (account info, telemetry, billing, etc.).
- For information you upload about your borrowers — including borrower documents in Income OCR — MDH acts as your service provider / data processor under GLBA. The handling of that information is governed contractually by our Data Processing Addendum. Your borrowers' privacy notice obligations remain with you (the GLBA-covered financial institution), not with MDH.
1. Information we collect
Information you provide directly (Customer LO)
- Account information — name, email address, NMLS ID, company, phone number, and branding assets (logo, photo) you upload as a Customer LO.
- Loan scenario inputs — property addresses, purchase prices, loan amounts, fee details, and any borrower information you choose to enter into the manual calculator surfaces.
- Client records — when you save client details in Loan Comparison or the Income Calculator, we store name, contact info, and any notes you add. These records sit in your owner-scoped Firestore tree.
- Scenario Desk queries — the questions you ask Lola are processed to retrieve guideline context and generate a response. The system prompt instructs Lola to refuse borrower-identifying inputs, but you are responsible for not pasting NPI into free-text prompts (see Acceptable Use Policy).
- Income OCR uploads — borrower tax returns, paystubs, and bank statements you upload for AI-assisted extraction. These documents contain non-public personal information ("NPI") about your borrowers. Their handling is governed by the Data Processing Addendum; technical safeguards including server-side PII sanitization between OCR and the LLM are described in our AI Governance Policy Section 7C.
- Billing information — we do not store payment card data. Billing is handled by Stripe; we receive only the subscription status and last four digits of the card on file.
Information collected automatically
- Usage data — login times, feature usage counts, session length, approximate geographic location from IP.
- Device data — browser user agent, operating system, screen size.
- Cookies — we use cookies for authentication and session management. We do not use third-party advertising trackers.
Borrower information processed on the Customer LO's behalf
When a Customer LO uploads borrower documents for Income OCR, generates a Loan Comparison share link for a borrower, or otherwise causes borrower information to enter the platform, MDH processes that borrower information solely on the Customer LO's behalf and pursuant to the Data Processing Addendum. The Customer LO is the GLBA-covered financial institution with respect to those borrowers; the Customer LO is responsible for the borrower-facing privacy notice and any required consent. MDH does not deliver privacy notices to your borrowers and does not market to them.
2. How we use information
- To provide, maintain, and improve the Service.
- To process subscriptions and handle billing (via Stripe).
- To respond to support requests and communicate about the Service.
- To detect and prevent fraud, abuse, and security incidents.
- To produce, on regulator request, audit-log records that support Customer LO compliance with GLBA, the FTC Safeguards Rule, Fannie Mae LL-2026-04, and other applicable regulations.
- To comply with our legal obligations.
We do not sell your personal information. We do not share or sell personal information for cross-context behavioral advertising. We do not use your data, your borrowers' data, or any data you upload to the Service to train any AI model. Our sub-processor contracts include the same no-training commitment from each sub-processor.
3. Sub-processors
We use the following third-party services to operate LoanIQ. Each is contractually bound to protect your data and comply with applicable privacy laws. The current list is also published in our Data Processing Addendum and updated per the DPA's notification cadence.
- Google Cloud Platform / Firebase — application hosting, authentication, database (Firestore), encrypted file storage, serverless compute, OCR via Cloud Vision API. Data residency: us-central1. SOC 2 Type II, ISO 27001, HIPAA-eligible. Cloud Vision (used for the OCR step in Income OCR) does not retain document content beyond the operational window required to return a response. The same Google Cloud DPA covers both Firebase and Cloud Vision.
- Anthropic, PBC — provider of the Claude large language model used for Scenario Desk, Ask Lola Income Chat, and the structured-extraction step of Income OCR. Anthropic processes prompts under standard API terms, which include a contractual commitment that customer prompt and completion data is not used for model training. Important: for Income OCR, Anthropic receives only the SANITIZED text output of the Cloud Vision step — borrower PDFs and unredacted OCR text never reach Anthropic. SOC 2 Type II.
- Pinecone Systems, Inc. — vector search for guideline retrieval. Stores only published guideline text, not borrower data. SOC 2 Type II, ISO 27001.
- Stripe, Inc. — subscription billing and payment processing. PCI-DSS Level 1.
- Transactional email provider — account emails and share-link notifications.
4. How we share information
We share personal information only as follows:
- With sub-processors as listed above, solely to operate the Service.
- With borrowers you explicitly share a link with — when a Customer LO generates a Loan Comparison share link, the borrower accessing the link sees the information the Customer LO chose to include.
- For legal compliance — if compelled by valid subpoena, court order, or other legal process, we will respond consistent with applicable law and push back on overbroad requests where possible.
- In a business transfer — if MDH is acquired, your information may transfer to the acquiring party subject to this policy.
5. Data retention
Customer LO account data. Active account data is retained for the life of your subscription. On cancellation, data is retained for 90 days to allow reactivation, then permanently deleted from our active systems. Backups may retain data for an additional period (up to 180 days) before being purged on the backup rotation cycle.
Borrower information processed on Customer LO's behalf. Borrower documents uploaded to Income OCR and the structured extractions derived from them are retained in the Customer LO's owner-scoped Firestore tree at the Customer LO's direction, subject to the FTC Safeguards Rule's two-year-from-last-use floor (16 CFR § 314.4(c)(6)). MDH does not impose its own retention schedule on borrower data; retention is at the Customer LO's discretion.
You may request earlier deletion by emailing austen@austensmith.com. We confirm deletion in writing within 30 days.
6. Your rights
Depending on your jurisdiction, you may have rights to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your information ("right to be forgotten" / CCPA right to delete).
- Port your information to another service (export as JSON).
- Opt out of the sale of personal information — we do not sell personal information, so this right is honored by default.
To exercise any of these rights, contact us at austen@austensmith.com. We will respond within 30 days. Borrower-initiated rights requests are handled via your Customer LO, who is the controller of borrower data; MDH does not respond to borrower data-subject requests directly.
7. Security
We protect your information with industry-standard controls: owner-scoped Firestore security rules, TLS 1.2+ in transit, AES-256 at rest (Google-managed), defense-in-depth path validation in Cloud Functions, server-side PII sanitization in the Income OCR pipeline, and PCI-DSS Level 1 for payments via Stripe. See our full AI Governance & Information Security Policy for the comprehensive control list.
8. Children
The Service is not directed at children under 13, and we do not knowingly collect information from children. If you believe a child has submitted information to us, contact us and we will promptly delete it.
9. International users
The Service is operated from the United States. Data is stored on Google Cloud servers located in us-central1. If you access the Service from outside the US, your information will be transferred to and processed in the United States under US privacy law.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address on your account and posted here with a new Effective Date. Continued use of the Service after a change constitutes acceptance of the revised policy.
11. Contact us
Questions, concerns, or requests regarding this policy:
Mortgage Dude Holdings, LLC
Attn: Privacy
Austin, Texas
Email: austen@austensmith.com
Phone: (512) 773-6729
This Privacy Policy is provided for transparency. It does not create legal rights beyond those granted by applicable law and is subject to the Terms of Service and the Data Processing Addendum.