LendPacket

Privacy Policy

Draft for attorney review — published for transparency during early access.

DRAFT — FOR ATTORNEY REVIEW. This draft is published for transparency while LendPacket is in early access.

Last updated: July 10, 2026

The short version

Lending firms use LendPacket to collect loan documents from their borrowers. The firm owns that data; we process it only to run the service. We don't sell data, we don't advertise, and we don't train AI models on your documents.

1. What we collect

  • Account data (from lender users): name, work email, password hash, firm name, role, security settings.
  • Loan file data (from firms and their borrowers): borrower names and contact details, document checklists, and the documents borrowers upload — which routinely contain sensitive financial information such as tax returns and bank statements. We collect these ON BEHALF OF the lending firm, which is responsible for having a lawful basis to request them.
  • Billing data: plan, invoices, and payment status. Card numbers go directly to Stripe; we never see or store them.
  • Usage and log data: actions taken in the product (kept in each firm's audit trail), error reports, and basic device information needed to run a secure web application.

2. How we use it

To provide the service (storing and organizing documents, sending the emails firms configure, AI document review), to secure it (fraud and abuse prevention, audit trails), to bill for it, and to improve it using aggregate, de-identified usage patterns. AI processing (classification, date extraction, drafted reminders) happens via the Anthropic API under terms that prohibit training on this data.

3. What we never do

  • Sell or rent personal data — anyone's, ever.
  • Use borrower documents for advertising or model training.
  • Email borrowers for our own purposes: borrowers only receive messages about their loan file, sent on the firm's behalf, in the firm's branding.

4. Who else touches the data (subprocessors)

Supabase (database, storage, authentication — AWS, US region), Vercel (hosting), Stripe (payments), Resend (email delivery), Anthropic (AI processing), Sentry (error monitoring). Each processes data only to provide its function to us, under contract.

5. Security

Encryption in transit and at rest; firm-level data isolation enforced at the database layer; borrower access via unguessable, expiring, revocable links stored only as cryptographic fingerprints; role-based permissions and optional two-factor authentication; short-lived signed URLs for every document download; append-only audit trails; upload content screening. Full details on the Security page.

6. Retention and deletion

Firms control their own retention: documents are kept until deleted, and firms may enable an automatic purge policy (with warnings and a permanent deletion record). When an account is terminated, data remains exportable for at least 30 days and is then deleted from production systems on request or per our standard schedule. Backups age out on a rolling basis.

7. Your rights

Lender users may access, correct, or delete their account data by contacting us. Borrowers: your documents are controlled by the lending firm that requested them — direct requests to that firm, and we will assist it in honoring them. Where privacy laws (e.g., CCPA/CPRA, GDPR) grant you rights directly against us as a processor/service provider, we honor them.

8. Cookies

We use only cookies that are necessary to run the service: your sign-in session, security protections, and small preferences (like your board view). No advertising or cross-site tracking cookies — which is why there's no cookie-consent interrogation, just a notice.

9. Children

LendPacket is a business tool and not directed at anyone under 18.

10. Changes and contact

Material changes will be announced in the app or by email. Questions or requests: hello@lendpacket.com.