Plain Language First
Privacy Policy
Each section opens with a one-line summary. Tap to read the full policy.
In one paragraph
We collect what we need to run the platform, never sell your data, share only with the loan officers and vendors that actually help you, encrypt everything at rest and in transit, and let you ask for a copy or deletion anytime. The full text below is the binding version.
01Introduction
What this policy is, how it applies, and what using the platform means for your data.
Introduction
What this policy is, how it applies, and what using the platform means for your data.
Full text
This Privacy Policy describes how TheLoanOfficer (“we,” “our,” or “us”) collects, uses, and protects your information when you use our loan marketplace platform.
By using our platform, you consent to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.
02Information we collect
Personal info you give us (name, contact, financial details, ID) and platform info we record (interactions, device, IP).
Information we collect
Personal info you give us (name, contact, financial details, ID) and platform info we record (interactions, device, IP).
Full text
Personal information
- Name, email address, and contact information
- Financial information necessary for loan applications
- Professional credentials and licensing information (for loan officers)
- Identity verification documents
Usage information
- Platform interaction data and preferences
- Communication logs between borrowers and loan officers
- Search history and listing views
- Device information and IP addresses
03Data retention and disposal
Uploaded documents are deleted within 10 minutes of confirmation. Most other data is retained while your account is active or as required by law.
Data retention and disposal
Uploaded documents are deleted within 10 minutes of confirmation. Most other data is retained while your account is active or as required by law.
Full text
We retain your information only as long as necessary for the purpose it was collected, or as required by law. Financial documents submitted through the secure upload portal are treated as nonpublic personal information (NPI) under the Gramm-Leach-Bliley Act (GLBA) and handled accordingly.
Financial document upload flow
When you upload documents (W-2s, tax returns, bank statements, etc.) through our secure portal, the following retention schedule applies:
In-memory processing — seconds
File buffers exist only during the upload request and are discarded immediately when the request ends. Nothing is written to a database.
Encrypted temporary storage — up to 10 minutes
While you review AI-extracted data, your files are held in AES-256 encrypted temporary storage (Google Cloud Storage, US region). A countdown timer is shown on screen. Files are deleted immediately when you confirm submission.
Safety net deletion — automatic
If a session is abandoned without confirmation, the staged files expire at the end of the review window and are permanently deleted by an automated cleanup job. No manual action is required.
Email delivery — on confirmation
On confirmation, documents are attached to a TLS-encrypted email sent directly to your loan officer. Temporary storage is deleted immediately after delivery. Once in the loan officer's inbox, their own data retention obligations under GLBA apply.
Retention schedule
Borrower data
- • Profile information: retained while your account is active; deleted on request, subject to legal requirements
- • Loan requests: retained while your account is active or as long as the law requires
- • Messages: retained while your account is active
- • Uploaded financial documents: deleted within 10 minutes of confirmation
- • AI-extracted data fields: retained with the loan request record
Loan officer data
- • Professional credentials: retained while your account is active
- • Subscription and billing records: retained as required for tax and accounting purposes
- • Messages: retained while your account is active
Third-party data processors
We use the following processors under executed Data Processing Agreements (DPAs):
- • Google Cloud (Firebase): Cloud infrastructure and temporary file storage. AES-256 encryption at rest, TLS in transit. ISO 27001, SOC 2 Type II certified. GLBA compliance documentation published by Google.
- • Resend: Transactional email delivery. Files transmitted via STARTTLS-encrypted connections between mail servers. SOC 2 Type II certified. Resend retains email content for 1–3 days maximum before purging.
The full internal Data Retention and Disposal Policy is available on request at support@theloanofficer.io.
04Consent and authorization
What you authorize as a borrower vs a loan officer, and how to withdraw consent at any time.
Consent and authorization
What you authorize as a borrower vs a loan officer, and how to withdraw consent at any time.
Full text
Borrower consent
By creating an account and using our platform, borrowers explicitly consent to:
- Sharing financial information with loan officers
- Temporary storage of documents for loan processing
- Communication through our secure messaging system
- Data processing for loan matching and verification
- Receiving loan offers and related communications
Loan officer authorization
Loan officers must provide explicit authorization for:
- Access to borrower information within their subscription tier
- Professional credential verification and background checks
- Communication with borrowers through our platform
- Data processing for loan origination activities
- Compliance monitoring and audit requirements
Withdrawal of consent
You may withdraw your consent at any time by contacting our support team. However, withdrawing consent may limit your ability to use certain features of our platform. We will process your request within 30 days and ensure all applicable data is properly handled according to your preferences.
05Data security and protection
TLS in transit, AES-256 at rest, signed expiring document links, server-side access controls, and audit logging.
Data security and protection
TLS in transit, AES-256 at rest, signed expiring document links, server-side access controls, and audit logging.
Full text
Security measures
- TLS encryption for data in transit
- AES-256 encryption for data at rest
- Signed, expiring links for document downloads
- All data writes go through authenticated server-side APIs
Access controls
- Role-based access permissions enforced server-side
- Client database writes blocked by security rules
- Rate limiting on sensitive endpoints
- Audit logging of admin and security-relevant actions
06Information sharing and disclosure
Who else sees your data — and a list of what we never share.
Information sharing and disclosure
Who else sees your data — and a list of what we never share.
Full text
We share information with:
- • Loan officers: Only within their subscription tier and for legitimate business purposes
- • Service providers: Third-party vendors who assist in platform operations (under strict confidentiality agreements)
- • Regulatory authorities: When required by law or to comply with legal obligations
- • Business partners: Only with your explicit consent for specific services
Loan officer matching
Based on your loan details, we surface loan officers who typically work with similar borrowers or loan programs.
You may choose freely who to contact.
We do NOT share:
- • Personal information with unverified third parties
- • Financial data for marketing purposes
- • Contact information with other users without consent
- • Sensitive documents outside of the loan application process
07Your rights and choices
Access, correct, delete, or restrict your data — exercise any right at support@theloanofficer.io.
Your rights and choices
Access, correct, delete, or restrict your data — exercise any right at support@theloanofficer.io.
Full text
Access and portability
Request a copy of your personal data in a portable format.
Correction
Update or correct inaccurate personal information.
Deletion
Request deletion of your personal data (subject to legal requirements).
Restriction
Limit how we process your personal information.
08California privacy rights (CCPA)
Right to know, delete, opt-out of sale (we don't sell), and non-discrimination — email support@theloanofficer.io with subject "CCPA Request".
California privacy rights (CCPA)
Right to know, delete, opt-out of sale (we don't sell), and non-discrimination — email support@theloanofficer.io with subject "CCPA Request".
Full text
Under the California Consumer Privacy Act (CCPA), California residents have specific rights regarding their personal information:
- Right to know: You may request details about the categories of personal information we collect, the sources, and the purposes for collection.
- Right to delete: You can request the deletion of your personal information, subject to certain exceptions (e.g., regulatory record-keeping).
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
- Right to opt-out: We do not sell your personal information. However, you have the right to direct us not to sell your personal information should our practices change.
To exercise these rights, please contact us at support@theloanofficer.io with the subject line “CCPA Request”.
09Contact us
Privacy: support@theloanofficer.io.
Contact us
Privacy: support@theloanofficer.io.
Full text
If you have any questions about this Privacy Policy or our data practices, please contact us:
Email: support@theloanofficer.io
10Policy updates
We post material changes here and update the date — your continued use after counts as acceptance.
Policy updates
We post material changes here and update the date — your continued use after counts as acceptance.
Full text
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the “Last updated” date. Your continued use of our platform after any modifications constitutes acceptance of the updated policy.
The plain-language summaries are explanatory only. In any conflict between the summary and the body text, the body text governs.