1. Scope and Application of Laws
1.1. Nature of the Service and Compliance
The Service acts as a financial institution or financial service provider under GLBA due to its core function of facilitating loan applications and underwriting. The data we collect is primarily Nonpublic Personal Information (NPI) and Sensitive Personal Information (SPI).
- GLBA: Governs the safeguarding and disclosure of NPI collected in connection with providing financial products or services.
- MODPA (Maryland): Applies to the processing of personal data for Maryland residents. This policy is written to comply with MODPA's "Strictly Necessary" standard for SPI.
- SOC 2 Type II: Our operational controls, including those related to privacy and confidentiality, are formally audited under this framework to assure the security and processing integrity of your data.
1.2. Children's Privacy
The Service is intended for use by adults in commercial lending and underwriting. We do not knowingly collect information from children under the age of 18 and prohibit the sale of personal data of anyone under 18 in compliance with MODPA and the Maryland Kids Code.
2. Data Collection and the "Strictly Necessary" Standard (MODPA)
2.1. Categories of Information Collected
We collect only the personal data that is reasonably necessary and proportionate to provide the specific financial product or service (the loan application and underwriting facilitation) requested by you. We do not collect, process, or share Sensitive Personal Information (SPI) unless it is strictly necessary for this purpose.
| Category of Data | Specific Data Points (Schema Reference) | Purpose (Strictly Necessary) |
|---|---|---|
| I. Identification & Account (PII) | Name (firstName, lastName), Email, User Role (role), Organization ID (organizationId), MFA status (mfaEnabled) | To establish and secure your multi-tenant account, enforce access control, and manage login credentials. |
| II. Financial & Application (NPI & SPI) | Business Name, Address, EIN, SSN, Ownership Percentage, Loan Request Amount, Annual Revenue | Strictly necessary to complete the formal loan application, perform underwriting analysis, and fulfill legal requirements (for example, SBA disclosure requirements). |
| III. Connection Tokens (SPI) | Plaid Access Token, Intuit Access Token, Intuit Refresh Token | Strictly necessary to retrieve and verify financial data from third-party institutions as requested by you for application verification. |
| IV. Security & Telemetry | IP Address, User ID, User Role, Action, Entity ID, Timestamp | To maintain the immutable audit trail (activity_logs), ensure system security, and meet SOC 2 security and processing integrity criteria. |
2.2. Data Collection Methods
- Register and create an account on the Service.
- Submit a loan application or related financial forms.
- Connect a financial account using a Third-Party Integration Provider (for example, Plaid).
- Interact with the Service (via web logs, cookies, and mobile app server logs).
3. Data Processing, Security, and Retention
3.1. Security Architecture and Encryption (SOC 2 Confidentiality)
We implement reasonable administrative, technical, and physical safeguards designed to protect the Confidentiality, Integrity, and Availability of your Client Data, commensurate with the high risk associated with NPI and SPI.
- Encryption at Rest: Sensitive Personal Information (SPI) and Nonpublic Personal Information (NPI), including financial access tokens, EINs, and SSNs, are encrypted at rest using an Envelope Encryption method (Cloud KMS Key Management) to comply with SOC 2 CC6.7 requirements.
- Logical Access Control: Access to Client Data is strictly limited based on the user's defined role (role) and their assigned organization (organizationId) in the database schema, ensuring data segregation in the multi-tenant environment.
- WORM Audit Trail: All system actions are logged to the immutable activity_logs collection, which is mirrored to a Write Once, Read Many (WORM) cloud storage bucket. This data is retained for a mandatory period (for example, 7 years) to meet legal and regulatory non-repudiation requirements, even if you delete your account.
3.2. Data Retention and Disposal
- We retain Client Data only for as long as is strictly necessary to fulfill the Service, service your account, or comply with legal obligations.
- NPI/Application Data: Retained for the duration required by GLBA, SBA regulations, and our internal compliance policies related to financial transaction record-keeping.
- Deletion Requests: While you have the right to request deletion, we are legally required to retain some NPI/SPI and all immutable audit logs for purposes of fraud prevention, troubleshooting, and compliance with federal and state financial laws.
4. Disclosure and Sharing of Information
4.1. Disclosure for Processing (Third-Party Service Providers)
We share NPI and PII with the following categories of third-party processors only when strictly necessary to deliver the requested service:
- Lender Clients: To connect borrowers and facilitate the underwriting decision (decision).
- Integration Providers (Plaid, Intuit): To retrieve and verify financial account data for the application.
- Cloud Infrastructure: For hosting and data storage (organizations.infrastructure, Cloud KMS).
- Customer Support/Analytics: Authorized service providers for support and performance analysis.
4.2. Prohibition on Sale of Data
We do not sell your personal data. In compliance with MODPA and the Maryland Kids Code, the sale of all Sensitive Personal Information (SPI) is categorically prohibited. We do not share data with non-affiliated third parties for their direct marketing purposes unless you specifically opt-in.
4.3. Legal and Regulatory Disclosure
We may disclose NPI, PII, or SPI if we believe it is reasonably necessary to comply with a law, legal process, or governmental request (for example, subpoena or court order), or to protect our rights, property, or safety. This includes disclosures necessary to comply with SBA or financial regulatory audits.
5. Your Privacy Rights (MODPA and CCPA)
As a Maryland-based company subject to MODPA, we honor the following rights for all users (and specifically for Maryland and California residents):
| Right | Description | Response Time |
|---|---|---|
| Right to Know/Access | Confirm whether we process your personal data and request a copy of the specific pieces of data we hold about you. | Within 45 days (with a potential 45-day extension). |
| Right to Correction | Request correction of inaccurate personal data, taking into account the nature and use of the information. | Within 45 days (with a potential 45-day extension). |
| Right to Deletion | Request the deletion of your personal data, subject to legal and regulatory exceptions (for example, compliance with GLBA and retention of WORM audit logs). | Within 45 days (with a potential 45-day extension). |
| Right to Data Portability | Request a copy of the personal data you provided to us in a portable and usable format. | Within 45 days (with a potential 45-day extension). |
| Right to Opt-Out of Targeted Advertising | Opt out of the processing of your personal data for targeted advertising. | We will honor the request as soon as possible. |
| Right to Opt-Out of Sale | Direct us not to sell your personal data. (Note: We do not sell data.) | We will honor the request as soon as possible. |
5.1. Exercising Your Rights
To exercise any of these rights, please contact our Data Protection Officer at patron@pocketplanner.io or via postal mail at the address listed above. We will provide an appeal mechanism for any denial of a consumer rights request.