Privacy Policy

Last Updated: 11/17/2025

1. Introduction

DebtPrepAI ("we," "us," or "our") is committed to protecting your privacy and handling your personal information with care and respect. This Privacy Policy explains how we collect, use, share, and protect your information when you use our AI-powered debt management preparation platform.

This policy complies with:

  • Gramm-Leach-Bliley Act (GLBA) - Financial privacy requirements
  • Fair Credit Reporting Act (FCRA) - Credit information handling
  • California Consumer Privacy Act (CCPA) - Consumer privacy rights
  • General Data Protection Regulation (GDPR) - For EU users

2. Information We Collect

2.1 Personal Information You Provide

  • Identity Information: Name, email address, phone number, date of birth, Social Security Number (SSN)
  • Financial Information: Income, employment status, monthly expenses, debt amounts, creditor information
  • Hardship Information: Job loss, medical emergencies, or other financial hardship details you share
  • Account Credentials: Username, password (encrypted)

2.2 Information We Collect from Third Parties

  • Credit Reports: Credit score, tradelines, payment history, delinquencies (with your consent via soft pull)
  • Bank Data: Transaction history, account balances, income deposits (via Plaid integration with your authorization)

2.3 Automatically Collected Information

  • Usage Data: Pages visited, time spent, features used, interaction patterns
  • Device Information: IP address, browser type, operating system, device identifiers
  • Cookies: See our Cookie Policy for details

3. How We Use Your Information

We use your information for the following purposes:

3.1 Core Services

  • Analyze your financial situation using AI/ML models
  • Calculate hardship scores and payment capacity
  • Estimate potential DMP payment amounts
  • Generate budget sheets and hardship letters
  • Create document preparation packages

3.2 Account Management

  • Create and maintain your account
  • Authenticate and verify your identity
  • Communicate with you about your account and our services
  • Provide customer support

3.3 Compliance & Security

  • Comply with legal obligations (FCRA, GLBA, CFPB requirements)
  • Detect and prevent fraud or unauthorized access
  • Maintain audit logs for regulatory compliance
  • Verify credit pull authorization and consent

3.4 Improvement & Analytics

  • Improve our AI models and algorithms
  • Analyze usage patterns to enhance user experience
  • Conduct research and development (using anonymized data)
  • Generate aggregate statistics for business insights

4. How We Share Your Information

We DO NOT sell your personal information to third parties.

We may share your information in the following limited circumstances:

4.1 Service Providers

We share information with trusted third-party service providers who assist us:

  • Credit Bureaus: To obtain your credit report (with consent)
  • Plaid: To access your bank transaction data (with authorization)
  • Cloud Hosting: AWS, Vercel for infrastructure and data storage
  • Email Services: SendGrid for transactional emails
  • AI Services: OpenAI or Anthropic for conversational AI (data is not used for training)
  • Analytics: For usage analytics (anonymized where possible)

All service providers are contractually required to protect your data and use it only for specified purposes.

4.2 Credit Counseling Agencies (With Your Consent)

If you choose to share your preparation package with a certified credit counseling agency, we will transmit your documents only with your explicit permission.

4.3 Legal Requirements

We may disclose information when required by law:

  • In response to subpoenas, court orders, or legal processes
  • To comply with FCRA adverse action requirements
  • To enforce our Terms of Service or protect our rights
  • To protect the safety of users or the public

4.4 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity (you will be notified).

5. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption: AES-256 encryption for sensitive data (SSN, bank tokens) at rest
  • TLS/SSL: All data transmitted over HTTPS with TLS 1.3
  • Access Controls: Role-based access with multi-factor authentication for staff
  • Audit Logging: All credit pulls and data access logged for compliance
  • Security Monitoring: 24/7 monitoring with Sentry for anomalies and threats
  • Regular Audits: Periodic security assessments and penetration testing

Important: While we use industry-standard security measures, no method of transmission over the Internet is 100% secure. You are responsible for maintaining the confidentiality of your account credentials.

6. Data Retention

We retain your information for specific periods based on legal requirements and business needs:

  • Credit Reports: Automatically deleted after 90 days (FCRA requirement), unless you opt in to extended storage
  • Bank Data: Deleted after 90 days or when you disconnect your bank account
  • Account Information: Retained until you request deletion or your account has been inactive for 2 years
  • Audit Logs: Retained for 5 years for regulatory compliance (CFPB requirements)
  • Anonymized Analytics: Retained indefinitely for research and improvement

7. Your Privacy Rights

You have the following rights regarding your personal information:

7.1 Access & Portability

  • Request a copy of all personal information we hold about you
  • Download your data in a machine-readable format (JSON/CSV)

7.2 Correction

  • Correct inaccurate or incomplete information
  • Update your profile and financial details at any time

7.3 Deletion

  • Request deletion of your account and all associated data
  • Visit /privacy/delete-data to submit a deletion request
  • We will delete data within 30 days except where retention is required by law

7.4 Opt-Out

  • Opt out of marketing communications (click unsubscribe in emails)
  • Opt out of analytics cookies (see Cookie Policy)
  • Withdraw consent for bank data access (disconnect via Plaid)

7.5 CCPA Rights (California Residents)

California residents have additional rights:

  • Know what personal information is collected and how it's used
  • Know if personal information is sold or shared (we do not sell data)
  • Opt out of sale (not applicable as we don't sell data)
  • Non-discrimination for exercising privacy rights

7.6 GDPR Rights (EU Residents)

EU residents have additional rights under GDPR:

  • Right to restrict processing
  • Right to object to processing
  • Right to lodge a complaint with a supervisory authority

To exercise your rights: Email us at support@debtprepai.com or visit our Data Deletion Request page.

8. Cookies & Tracking Technologies

We use cookies and similar technologies for authentication, preferences, and analytics. For detailed information, see our Cookie Policy.

9. Third-Party Links

Our service may contain links to third-party websites (e.g., credit counseling agencies). We are not responsible for the privacy practices of these external sites. Please review their privacy policies before providing information.

10. Children's Privacy

DebtPrepAI is not intended for individuals under 18 years of age. We do not knowingly collect information from children. If we discover we have collected information from a child, we will delete it immediately.

11. International Data Transfers

Your information may be stored and processed in the United States or other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers (Standard Contractual Clauses for EU data).

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

  • Email notification to your registered address
  • Prominent notice on our website
  • In-app notification upon next login

Continued use of our services after changes indicates acceptance of the updated policy.

13. Contact Us

For questions about this Privacy Policy or our privacy practices:

Support Team

Email: support@debtprepai.com

Data Deletion: debtprepai.com/privacy/delete-data

Mailing Address:
DebtPrepAI Support Team
[Your Business Address]
[City, State ZIP]

GLBA Privacy Notice for Financial Information

Federal law requires us to tell you how we collect, share, and protect your personal financial information.

What we collect: Financial information including income, debts, credit reports, bank accounts

Why we collect it: To analyze your financial situation and prepare DMP documents

How we protect it: Encryption, access controls, security monitoring

Who we share with: Service providers (credit bureaus, banks) as described in Section 4

Your rights: Access, correction, deletion as described in Section 7

Effective Date: 11/17/2025
Version: 1.0