Privacy Policy
- About This Policy
- Our Role: Service Provider / Processor
- Information We Collect
- How We Use Information
- Sub-Processors & Third-Party Services
- We Do Not Use Your Content to Train AI Models
- When We Share Information
- Data Retention & Deletion
- Security
- Your Rights and Choices
- California & State Privacy Rights
- International Data Transfers
- Children’s Privacy
- Cookies and Similar Technologies
- Changes to This Policy
- How to Contact Us
1. About This Policy
This Privacy Policy (the “Policy”) describes how [LEGAL ENTITY NAME] (“Underwriting Studio,” “we,” “our,” or “us”) collects, uses, discloses, retains, and otherwise processes information in connection with our website at underwritingstudio.com, our web application at underwritingstudio.com/app, and any related services we provide (collectively, the “Service”).
This Policy is incorporated into and forms part of our Terms of Service. By accessing or using the Service, you acknowledge that you have read, understood, and agreed to this Policy and the related Terms. If you do not agree, do not use the Service.
2. Our Role: Service Provider / Processor
The Service is built for businesses — primarily merchant cash advance (“MCA”) funders, brokers, and ISOs — to analyze merchant applications and bank statements they have lawfully obtained from their applicants. The personal information contained in those uploaded documents (such as the names, identifiers, and financial activity of the merchant business, its owners, and its account-holders) belongs to those applicants and is provided to us by you.
With respect to information we collect directly from you for your own account (your email address, your billing information, your usage of the Service), we act as the controller.
3. Information We Collect
3.1 Information You Provide When You Create & Use Your Account
- Account information. Your email address, password (which we store only as a salted, irreversible hash), display name, and the company you indicate you work for.
- Configuration data. Your underwriting guidelines, auto-decline rules, brand information (company name, logo, brand colors, website URL), risk-tier preset selections, and similar settings you configure within the Service.
- API keys. If you bring your own third-party API key (for example, an Anthropic API key) to use with the Service, we store that key in your browser’s local storage, and (if you save it to the company-wide configuration) on our servers in encrypted form, solely to make API calls on your behalf.
- Billing information. If you purchase a paid Subscription, our payment processor (currently planned to be Stripe) collects and processes your payment information. We do not store full payment card numbers ourselves.
- Communications. The content of any email, support ticket, chat, or other communication you send to us.
3.2 Information in Documents and Content You Upload
- Merchant submissions. The PDF application forms, bank statements, and other documents you upload to the Service may contain personal information about the merchant business’s owners and authorized signers (including names, business addresses, Employer Identification Numbers or other tax IDs, dates of birth or year-of-birth, contact information, and similar identifiers) and detailed transactional banking activity (deposits, withdrawals, balances, counterparties).
- Derived analyses. The AI-generated underwriting reports, summaries, decision suggestions, suggested offers, deal history entries, and metadata produced from your inputs.
- Decisions and notes. The outcomes you record (Approved / Declined), amounts, terms, frequencies, your reasoning notes, deal renames, and similar annotations you provide.
- Chat messages. Messages you exchange with the in-app assistant (“Alec”), including any text you highlight from a report and ask the assistant about.
3.3 Information We Collect Automatically
- Usage data. Pages visited, features used, time spent, deals processed, files uploaded, errors encountered, and approximate timing of actions.
- Device and connection data. IP address, browser type and version, operating system, device type, language, and referring URLs.
- Local storage. The Service stores most of your configuration and deal history in your browser’s local storage (rather than on our servers) to keep your data close to you and reduce the surface area we maintain.
- Cookies and similar technologies. See Section 14 below.
3.4 Information from Third-Party Sources
When you ask us to fetch your company’s logo or brand colors from your website (via the Pull Branding feature), we request publicly available resources from your domain and from third-party logo providers (currently Clearbit and Google’s favicon service). We do not receive personal data from those providers; we receive only the requested image bytes or HTML metadata necessary to render your branding inside the Service.
4. How We Use Information
We use the information we collect for the following purposes:
- To provide the Service — including reading documents you upload, generating underwriting reports through AI, storing your configurations and deal history, surfacing duplicates, and producing the in-app chat assistant’s responses.
- To operate and improve the Service — including monitoring performance, debugging, preventing fraud and abuse, planning capacity, and developing new features.
- To communicate with you — including responding to your support requests and sending operational notices about the Service.
- To bill you and prevent payment fraud — through our payment processor.
- To comply with legal obligations — including responding to lawful requests from public authorities, exercising or defending legal claims, and complying with tax, accounting, and recordkeeping requirements.
- To enforce our agreements — including investigating violations of our Terms of Service and protecting the rights, property, and safety of Underwriting Studio, our users, and the public.
5. Sub-Processors & Third-Party Services
We rely on a small number of trusted third-party providers to operate the Service. These providers are contractually bound to use the information they process only for the limited purposes of providing their services to us. Our current sub-processors include:
| Provider | Purpose | Type of Information | Location |
|---|---|---|---|
| Anthropic, PBC | Large language model API used to generate underwriting reports and chat responses. | Document text, bank statement contents, prompts you submit, and any other content sent to the model. | United States |
| Netlify, Inc. | Web hosting, edge proxy functions, content delivery. | Web traffic metadata; routed API requests. | United States |
| Supabase, Inc. (planned) | Authentication, database storage, file storage (planned for future paid tiers). | Account information; deal history; uploaded files where applicable. | United States |
| Stripe, Inc. (planned) | Subscription billing and payment processing (planned for future paid tiers). | Billing identifiers; payment-card data is held by Stripe, not by us. | United States |
| Clearbit (HubSpot) / Google Favicon API | Optional fetch of public branding assets when you request the Pull Branding feature. | Domain name you submit. | United States |
We may update our sub-processors from time to time. We will keep this list current and provide notice of material changes that affect how your information is processed.
6. We Do Not Use Your Content to Train AI Models
Underwriting Studio does not use the documents you upload, the reports we generate, your chat conversations, or other User Content to train, fine-tune, or otherwise develop machine learning or artificial intelligence models. Per Anthropic’s commercial terms, Anthropic also does not use customer inputs and outputs submitted through the Service to train its models. Should this ever change, we will update this Policy and notify users.
7. When We Share Information
We do not sell your personal information. We do not share your information for cross-context behavioral advertising. We disclose information only in the limited circumstances described below:
- With our sub-processors, as described in Section 5;
- With your authorization, including when you share an underwriting report with an external party or invite a teammate to your account;
- For legal reasons, when we believe in good faith that disclosure is reasonably necessary to (a) comply with a law, regulation, legal process, or governmental request; (b) enforce our Terms of Service or this Policy; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Underwriting Studio, our users, or the public;
- In a business transaction, such as a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or substantially all of our assets, in which case information may be transferred to the successor or affiliate, subject to the protections of this Policy;
- In aggregated or de-identified form that cannot reasonably be linked back to you or any individual.
8. Data Retention & Deletion
We retain different categories of information for different periods, as appropriate to fulfill the purposes for which we collected it:
- Account information — for as long as your account is active. If you delete your account, we will delete or anonymize account information within a commercially reasonable period, unless we are required to retain it for legal, tax, or regulatory reasons.
- Configuration and deal history — primarily stored in your browser’s local storage; you can clear it at any time through the Service’s Reset controls or by clearing your browser data. Where stored on our servers, we retain it until you delete the deal or your account.
- Documents you upload — currently, uploaded PDFs are transmitted to Anthropic for processing but are not persisted by Underwriting Studio after processing completes (other than as part of the generated report HTML, which is stored in your browser’s local storage). Anthropic’s retention is governed by its own terms.
- Usage and security logs — typically retained for up to 12 months for operational and security purposes, after which they are deleted or anonymized.
- Billing records — retained for the period required by applicable tax and accounting laws (generally 7 years in the United States).
9. Security
We implement administrative, technical, and physical safeguards designed to protect the information we process. These include transport-layer encryption (TLS) for data in transit, salted-and-hashed password storage, access controls for personnel, and isolation of user data on a per-account basis. We require our sub-processors to maintain appropriate security measures as a condition of receiving data from us.
Despite these measures, no system is perfectly secure, and we cannot guarantee the absolute security of any information you transmit to us or store through the Service. You are responsible for keeping your account credentials confidential, for using a secure device and network, and for promptly notifying us of any suspected compromise.
10. Your Rights and Choices
Depending on your jurisdiction and the role in which we are processing your information, you may have certain rights, which may include:
- Access — request a copy of the personal information we hold about you;
- Correction — request that we correct inaccurate or incomplete information;
- Deletion — request that we delete personal information we hold about you (subject to certain exceptions);
- Portability — request a copy of certain information in a portable format;
- Objection / restriction — object to or request restriction of certain processing;
- Withdrawal of consent — withdraw consent at any time where we rely on consent to process your information (this will not affect the lawfulness of processing carried out before the withdrawal).
You can exercise many of these rights directly within the Service (for example, deleting your account or clearing your local data). For other requests, contact us using the details in Section 16. We will respond within the timeframes required by applicable law. Where we are acting as a processor for User Content you uploaded, please direct rights requests from the underlying data subjects to you, as the controller; we will assist you in responding to such requests as required by law.
11. California & State Privacy Rights
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), grants you certain rights with respect to your personal information, including the rights described in Section 10 above. We do not “sell” personal information as that term is defined under the CCPA. We do not knowingly process the personal information of minors.
Residents of other states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, and other states with similar laws) may have analogous rights. To exercise any state privacy right, contact us using the information in Section 16. We will not discriminate against you for exercising your privacy rights.
If you are a resident of the European Economic Area, the United Kingdom, or Switzerland, please note that the Service is intended for business users in the United States, and we do not currently market the Service to data subjects in those regions.
12. International Data Transfers
The Service is operated from the United States. If you access the Service from outside the United States, you understand and acknowledge that your information will be transferred to, stored, and processed in the United States and other jurisdictions where our sub-processors operate. The data protection laws of those jurisdictions may differ from those of your country of residence. By using the Service, you consent to such transfer.
13. Children’s Privacy
The Service is intended for business users who are 18 or older. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a child under 18, we will delete it. If you believe a child has provided us with personal information, please contact us.
14. Cookies and Similar Technologies
The Service uses a minimal set of cookies and similar technologies, primarily to support essential functions such as keeping you signed in. We do not use third-party advertising cookies. We may use lightweight analytics in the future to measure aggregate usage patterns; if and when we do, we will update this Policy and offer appropriate controls.
15. Changes to This Policy
We may update this Policy from time to time. When we do, we will revise the “Last Updated” date at the top and, if the changes are material, provide reasonable advance notice (for example, by email or in-app notice). Your continued use of the Service after the effective date constitutes your acceptance of the updated Policy.
16. How to Contact Us
For privacy questions or to exercise your rights:
[LEGAL ENTITY NAME]
Attn: Privacy
[STREET ADDRESS]
[CITY, STATE, ZIP]
Email: privacy@underwritingstudio.com