Privacy Policy

Margie — Pre-Underwriting Analysis Platform

Effective Date: March 22, 2026

Last Updated: March 22, 2026

Margie (“we,” “us,” “our”) operates the pre-underwriting analysis platform available at getmargie.com (the “Platform”). This Privacy Policy describes how we collect, use, disclose, and protect information when licensed Illinois mortgage brokers (“you,” “your,” “Users”) use our Platform to process borrower documents through our forensic analysis engine.

This Privacy Policy is designed to comply with the Gramm-Leach-Bliley Act (“GLBA”), the Illinois Personal Information Protection Act (815 ILCS 530), and other applicable federal and state privacy laws.

1. Information We Collect

1.1 Account Information

When you register for the Platform, we collect:

• Full name and professional contact information (email address, phone number, business address)
• Illinois mortgage broker license number and NMLS identifier
• Company name and business details
• Billing and payment information (processed by Stripe; we do not store full payment card numbers)

1.2 Borrower Document Data

When you upload borrower documents for analysis, the Platform processes the following document types and the data contained within them:

• W-2 forms: Employer information, wages, tax withholdings, Social Security numbers
• Pay stubs: Employer details, earnings, deductions, pay frequency
• Bank statements: Account numbers, transaction history, balances, institution details
• 1003 Uniform Residential Loan Applications: Comprehensive borrower financial and personal data including Social Security numbers, income, assets, liabilities, employment history, and property details

This borrower data constitutes “nonpublic personal information” (“NPI”) as defined under the GLBA and is handled in accordance with the safeguards described in this Policy and our GLBA Compliance Statement.

1.3 Usage and Technical Data

We automatically collect certain technical information when you use the Platform:

• IP address, browser type, operating system, and device identifiers
• Pages viewed, features used, and timestamps of activity
• Error logs and performance data (collected via Sentry for reliability and debugging purposes)
• Rate-limiting metadata (managed via Upstash Redis)

1.4 Information from Third-Party Services

We use Firebase Authentication to manage sign-in via email and password. Account creation requires an invitation code issued by Margie.

2. How We Process and Use Information

2.1 Borrower Document Processing Architecture

Margie's forensic analysis engine processes borrower documents through a six-stage pipeline. Understanding our processing architecture is critical to understanding how we protect borrower data:

• In-memory processing only. Uploaded borrower documents are processed entirely in volatile memory (RAM). Documents are never written to disk, local storage, or cloud object storage at any point during the analysis pipeline.
• OCR extraction. Document content is extracted using Azure Document Intelligence. Data is transmitted to Azure over encrypted channels for optical character recognition and is not retained by Azure beyond the processing request.
• AI-assisted analysis. Extracted data is analyzed using Anthropic Claude (for narrative analysis and forensic commentary) and Google Gemini (for automated field population). Data sent to these services is transmitted over encrypted channels. Our AI providers' standard commercial terms of service contractually prohibit the use of customer inputs and outputs for training general-purpose AI models. Data may be temporarily retained for limited periods (up to 7 days for Anthropic, variable for Google) for service delivery and automated safety monitoring, after which it is deleted.
• Results storage. Only the structured analysis results — not the original documents or raw document images — are stored in Google Firebase Firestore, encrypted at rest.
• Automatic purging. Once processing is complete and results are delivered, the in-memory document data is released and becomes unrecoverable. No copies of the original uploaded documents are retained by Margie.

2.2 Purposes of Use

We use collected information for the following purposes:

• Providing the Platform: Processing borrower documents, generating pre-underwriting analyses, and delivering results to you
• Account management: Maintaining your account, authenticating your identity, and managing your subscription
• Billing: Processing payments, tracking file usage against your plan, and issuing invoices via Stripe
• Platform improvement: Analyzing aggregate usage patterns to improve performance, reliability, and features
• Security and fraud prevention: Detecting unauthorized access, monitoring for abuse, and enforcing rate limits
• Legal compliance: Complying with applicable laws, regulations, and legal processes
• Communications: Sending transactional notifications, service updates, and responding to support requests

2.3 Use Limitations

We do not use borrower NPI for marketing purposes. We do not sell, rent, or lease borrower NPI to any third party. We do not use borrower document data to train machine learning models. Our AI service providers (Anthropic and Google) are contractually prohibited from using data submitted through their APIs for model training under their standard commercial terms of service.

3. Third-Party Service Providers

We share information with the following categories of service providers, each of which processes data solely to perform services on our behalf:

Each third-party provider is contractually obligated to protect the confidentiality of data they process and to use it solely for the services they provide to us. We maintain data processing agreements with each provider that include appropriate security and confidentiality obligations.

4. Data Retention

• Borrower documents: Not retained. Processed in memory only and purged upon completion of analysis.
• Analysis results: Retained in Firebase Firestore for as long as your account remains active, or as required to provide the services. You may request deletion of specific analysis results at any time.
• Account information: Retained for the duration of your account and for a reasonable period thereafter as necessary for legal, tax, or audit purposes.
• Usage and technical data: Retained for up to 12 months for operational and security purposes.
• Payment records: Retained as required by applicable tax and financial recordkeeping laws.

5. Data Security

We implement administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of information processed through the Platform:

• Encryption in transit: All data transmitted between your browser, our servers, and third-party services uses TLS 1.2 or higher.
• Encryption at rest: Analysis results stored in Firebase Firestore are encrypted at rest using AES-256 or equivalent.
• In-memory processing: Borrower documents exist only in volatile memory during processing, significantly reducing the attack surface for data exposure.
• Access controls: Role-based access controls limit access to production systems and stored data to authorized personnel only.
• Authentication security: User authentication is managed through Firebase Authentication with support for secure password policies.
• Rate limiting: Upstash Redis enforces rate limiting to prevent brute-force attacks and abuse.
• Monitoring: Sentry provides real-time error tracking and alerting (configured to exclude borrower NPI from error reports).
• Vendor security: Third-party service providers maintain SOC 2 Type II compliance or equivalent security certifications.

For additional detail on our security program, see our GLBA Compliance Statement.

6. Your Rights and Choices

6.1 Account Information

You may access, update, or correct your account information at any time by logging into the Platform. To request deletion of your account, contact us at the address below.

6.2 Analysis Results

You may request deletion of stored analysis results associated with your account by contacting us. We will process deletion requests within 30 days.

6.3 Communications

You may opt out of non-transactional communications at any time. Transactional communications related to your account, billing, and service operations are not subject to opt-out.

6.4 Illinois Residents

Under the Illinois Personal Information Protection Act, if we become aware of a data breach affecting your personal information, we will notify you in accordance with applicable law.

7. Borrower Rights

Margie processes borrower data on your behalf, as you are the mortgage broker with the direct customer relationship. As between you and Margie, you are the data controller responsible for providing any required privacy notices to your borrowers. We will cooperate with you in responding to any borrower requests regarding their data.

8. Children's Privacy

The Platform is a B2B professional tool designed for use by licensed mortgage brokers. We do not knowingly collect information from individuals under the age of 18. If we learn that we have collected information from a minor, we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on the Platform with a revised “Last Updated” date and, where appropriate, by email notification. Your continued use of the Platform after any changes constitutes acceptance of the revised policy.

10. Governing Law

This Privacy Policy is governed by the laws of the State of Illinois, without regard to conflict-of-law principles.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Margie
Email: contact@getmargie.com
Website: getmargie.com