Privacy Policy

1. Who We Are

StatementPull is a financial technology service operated by Lexcrypta LLC ("Lexcrypta", "we", "us", or "our"). StatementPull enables mortgage borrowers ("Borrowers") to securely share verified bank statements with their mortgage broker ("Brokers") through a Plaid-powered bank connection.

This Privacy Policy explains how we collect, use, and protect information from both Brokers and Borrowers who use StatementPull.

Our registered business address and contact information are provided in Section 13.

2. Data We Collect

From Mortgage Brokers

Full name, email address, phone number
Brokerage name and NMLS number
States licensed and estimated monthly loan volume
Payment information (processed and stored by Stripe — we do not store raw card data)
Branding preferences (logo, colors, brokerage name for white-label portal)
Login credentials (email and password, stored as a salted hash via Supabase Auth)

From Borrowers

Name and email address (provided by the broker when initiating a request)
Bank connection data via Plaid (see Section 4)
IP address and browser metadata (standard server logs)

Automatically Collected

Server access logs (IP address, timestamp, request path)
Vercel platform analytics (aggregate, anonymized)

3. How We Use Your Data

We use the data we collect solely to provide the StatementPull service:

Authenticating broker accounts and managing access
Generating secure, one-time borrower connect links
Facilitating Plaid bank connections on behalf of Brokers
Generating and transmitting verified bank statement PDFs to the requesting Broker
Processing subscription and per-pull payments via Stripe
Sending transactional emails (connect link delivery, statement delivery notifications)
Maintaining service security and fraud prevention

We do not use your data for advertising, profiling, data brokering, or any purpose unrelated to the direct delivery of StatementPull services.

4. Plaid & Bank Data

🔒 Key fact: StatementPull uses Plaid solely to generate an asset report (bank statement PDF). We request read-only access to transaction and balance history. We do not access, store, or transmit your bank login credentials at any time.

StatementPull uses Plaid Inc. ("Plaid") to connect Borrowers' bank accounts. When a Borrower completes the Plaid Link flow:

The Borrower authenticates directly with their bank via Plaid's secure interface
Plaid generates an asset report (bank statement PDF) on StatementPull's behalf
StatementPull retrieves this PDF and transmits it directly to the requesting Broker's email
The Plaid access token used to generate the report is not stored after the report is retrieved
The PDF is not stored on StatementPull servers — it passes through in-memory and is immediately emailed

Plaid's collection and use of data is governed by Plaid's own Privacy Policy, available at plaid.com/legal/privacy-policy. By using StatementPull's connect flow, Borrowers also agree to Plaid's End User Privacy Policy.

StatementPull requests the minimum data scope necessary: the Plaid Assets product only, limited to the number of months requested by the Broker (typically 2–3 months).

5. Our No-Storage Commitment

✅ StatementPull does not store borrower financial data. Bank statement PDFs are transmitted directly from Plaid to the Broker's email and are never written to disk, database, or any persistent storage on StatementPull infrastructure. This is a core architectural and compliance commitment.

Specifically, StatementPull does not store:

Bank account numbers or routing numbers
Transaction history or account balances
Bank statement PDFs or their contents
Plaid access tokens (deleted after single use)
Borrower bank login credentials (never received — handled entirely by Plaid)

What StatementPull does store (in our Supabase database):

Pull request metadata: borrower name, borrower email, requesting broker ID, date sent, date delivered, status (pending/delivered), whether the pull was free or paid
The Plaid asset report token (a reference identifier, not the financial data itself) — retained only until report delivery is confirmed, after which it is no longer needed

6. Data Sharing

We do not sell, rent, or trade personal data. We share data only with the following third-party service providers, strictly as necessary to operate the service:

Plaid Inc. — bank connection and asset report generation
Stripe Inc. — payment processing (Brokers only; subject to Stripe's Privacy Policy)
Supabase Inc. — cloud database hosting for broker accounts and pull request metadata
Vercel Inc. — serverless hosting and edge functions
Resend Inc. — transactional email delivery

All third-party providers are contractually bound to use data only as necessary to provide their services to us and are prohibited from using it for their own commercial purposes.

We may disclose data if required by law, court order, or to protect the rights, property, or safety of StatementPull, our users, or the public.

7. Security

We implement industry-standard security measures appropriate to the sensitivity of the data we handle:

All data in transit is encrypted via TLS 1.2+ (HTTPS enforced on all endpoints)
Broker passwords are hashed using bcrypt via Supabase Auth — never stored in plaintext
Database access controls use Row Level Security (RLS) — brokers can only access their own data
API endpoints are rate-limited to prevent brute force attacks
Borrower connect links expire after 7 days and are single-use after completion
Stripe handles all card data — StatementPull never receives or stores raw payment card information
Plaid handles all bank credential entry — StatementPull never receives or stores bank login credentials

Despite these measures, no system is 100% secure. If you believe your account has been compromised, contact us immediately at the address in Section 13.

8. Data Retention

Broker accounts: Retained for the duration of the account and for 7 years after closure (for financial recordkeeping compliance)
Pull request metadata: Retained for 7 years (required for financial services compliance and audit purposes)
Bank statement PDFs: Not retained — transmitted immediately and never stored
Plaid access tokens: Deleted after report retrieval (single use)
Server logs: Retained for 90 days, then purged

Brokers may request deletion of their account and associated metadata at any time by contacting us. Note that certain records may be retained where required by law.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you
Correction: Request correction of inaccurate or incomplete data
Deletion: Request deletion of your personal data (subject to legal retention requirements)
Portability: Request your data in a machine-readable format
Objection: Object to certain uses of your data
Withdrawal of consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at the address in Section 13. We will respond within 30 days.

10. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

The right to know what personal information is collected, used, shared, or sold
The right to delete personal information held by us
The right to opt-out of the sale of personal information
The right to non-discrimination for exercising your CCPA rights

Note: StatementPull does not sell personal information to third parties. We do not engage in cross-context behavioral advertising.

To submit a CCPA request, contact us at the address in Section 13 with "CCPA Request" in the subject line.

11. Children's Privacy

StatementPull is intended exclusively for use by licensed mortgage brokers and adult borrowers (18 years of age or older) in connection with mortgage applications. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have inadvertently collected personal information from a minor, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this page. For material changes, we will notify Brokers via email at least 14 days before the changes take effect. Continued use of StatementPull after changes take effect constitutes acceptance of the updated policy.

We encourage you to review this policy periodically.

13. Contact Us

For privacy-related questions, data subject requests, or to report a security concern, please contact us:

Company: Lexcrypta LLC
Product: StatementPull
Email: privacy@statementpull.com
Website: statementpull.com

We aim to respond to all privacy inquiries within 5 business days.