Privacy Policy

Effective Date: June 7, 2026  ·  Last Updated: June 7, 2026  ·  Version: 1.0

1. About This Policy

This Privacy Policy (the “Policy”) describes how [LEGAL ENTITY NAME] (“Underwriting Studio,” “we,” “our,” or “us”) collects, uses, discloses, retains, and otherwise processes information in connection with our website at underwritingstudio.com, our web application at underwritingstudio.com/app, and any related services we provide (collectively, the “Service”).

This Policy is incorporated into and forms part of our Terms of Service. By accessing or using the Service, you acknowledge that you have read, understood, and agreed to this Policy and the related Terms. If you do not agree, do not use the Service.

2. Our Role: Service Provider / Processor

The Service is built for businesses — primarily merchant cash advance (“MCA”) funders, brokers, and ISOs — to analyze merchant applications and bank statements they have lawfully obtained from their applicants. The personal information contained in those uploaded documents (such as the names, identifiers, and financial activity of the merchant business, its owners, and its account-holders) belongs to those applicants and is provided to us by you.

With respect to merchant or applicant data contained in documents you upload, you act as the controller (or comparable role under applicable law), and Underwriting Studio acts as your processor or service provider. You are responsible for ensuring that you have a lawful basis for collecting, using, and submitting that information to the Service, and for providing any required notices and obtaining any required consents from the data subjects.

With respect to information we collect directly from you for your own account (your email address, your billing information, your usage of the Service), we act as the controller.

3. Information We Collect

3.1 Information You Provide When You Create & Use Your Account

3.2 Information in Documents and Content You Upload

3.3 Information We Collect Automatically

3.4 Information from Third-Party Sources

When you ask us to fetch your company’s logo or brand colors from your website (via the Pull Branding feature), we request publicly available resources from your domain and from third-party logo providers (currently Clearbit and Google’s favicon service). We do not receive personal data from those providers; we receive only the requested image bytes or HTML metadata necessary to render your branding inside the Service.

4. How We Use Information

We use the information we collect for the following purposes:

5. Sub-Processors & Third-Party Services

We rely on a small number of trusted third-party providers to operate the Service. These providers are contractually bound to use the information they process only for the limited purposes of providing their services to us. Our current sub-processors include:

ProviderPurposeType of InformationLocation
Anthropic, PBC Large language model API used to generate underwriting reports and chat responses. Document text, bank statement contents, prompts you submit, and any other content sent to the model. United States
Netlify, Inc. Web hosting, edge proxy functions, content delivery. Web traffic metadata; routed API requests. United States
Supabase, Inc. (planned) Authentication, database storage, file storage (planned for future paid tiers). Account information; deal history; uploaded files where applicable. United States
Stripe, Inc. (planned) Subscription billing and payment processing (planned for future paid tiers). Billing identifiers; payment-card data is held by Stripe, not by us. United States
Clearbit (HubSpot) / Google Favicon API Optional fetch of public branding assets when you request the Pull Branding feature. Domain name you submit. United States

We may update our sub-processors from time to time. We will keep this list current and provide notice of material changes that affect how your information is processed.

6. We Do Not Use Your Content to Train AI Models

Underwriting Studio does not use the documents you upload, the reports we generate, your chat conversations, or other User Content to train, fine-tune, or otherwise develop machine learning or artificial intelligence models. Per Anthropic’s commercial terms, Anthropic also does not use customer inputs and outputs submitted through the Service to train its models. Should this ever change, we will update this Policy and notify users.

7. When We Share Information

We do not sell your personal information. We do not share your information for cross-context behavioral advertising. We disclose information only in the limited circumstances described below:

8. Data Retention & Deletion

We retain different categories of information for different periods, as appropriate to fulfill the purposes for which we collected it:

9. Security

We implement administrative, technical, and physical safeguards designed to protect the information we process. These include transport-layer encryption (TLS) for data in transit, salted-and-hashed password storage, access controls for personnel, and isolation of user data on a per-account basis. We require our sub-processors to maintain appropriate security measures as a condition of receiving data from us.

Despite these measures, no system is perfectly secure, and we cannot guarantee the absolute security of any information you transmit to us or store through the Service. You are responsible for keeping your account credentials confidential, for using a secure device and network, and for promptly notifying us of any suspected compromise.

10. Your Rights and Choices

Depending on your jurisdiction and the role in which we are processing your information, you may have certain rights, which may include:

You can exercise many of these rights directly within the Service (for example, deleting your account or clearing your local data). For other requests, contact us using the details in Section 16. We will respond within the timeframes required by applicable law. Where we are acting as a processor for User Content you uploaded, please direct rights requests from the underlying data subjects to you, as the controller; we will assist you in responding to such requests as required by law.

11. California & State Privacy Rights

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), grants you certain rights with respect to your personal information, including the rights described in Section 10 above. We do not “sell” personal information as that term is defined under the CCPA. We do not knowingly process the personal information of minors.

Residents of other states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, and other states with similar laws) may have analogous rights. To exercise any state privacy right, contact us using the information in Section 16. We will not discriminate against you for exercising your privacy rights.

If you are a resident of the European Economic Area, the United Kingdom, or Switzerland, please note that the Service is intended for business users in the United States, and we do not currently market the Service to data subjects in those regions.

12. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, you understand and acknowledge that your information will be transferred to, stored, and processed in the United States and other jurisdictions where our sub-processors operate. The data protection laws of those jurisdictions may differ from those of your country of residence. By using the Service, you consent to such transfer.

13. Children’s Privacy

The Service is intended for business users who are 18 or older. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a child under 18, we will delete it. If you believe a child has provided us with personal information, please contact us.

14. Cookies and Similar Technologies

The Service uses a minimal set of cookies and similar technologies, primarily to support essential functions such as keeping you signed in. We do not use third-party advertising cookies. We may use lightweight analytics in the future to measure aggregate usage patterns; if and when we do, we will update this Policy and offer appropriate controls.

15. Changes to This Policy

We may update this Policy from time to time. When we do, we will revise the “Last Updated” date at the top and, if the changes are material, provide reasonable advance notice (for example, by email or in-app notice). Your continued use of the Service after the effective date constitutes your acceptance of the updated Policy.

16. How to Contact Us

For privacy questions or to exercise your rights:

[LEGAL ENTITY NAME]
Attn: Privacy
[STREET ADDRESS]
[CITY, STATE, ZIP]
Email: privacy@underwritingstudio.com