Cookie Policy
Effective: 2026-01-01 · Last updated: 2026-05-29
This Cookie Policy describes how Mortgage360 Inc. uses cookies, web storage, and similar technologies (collectively, “Cookies”) on the Mortgage360 marketing site, calculators, broker dashboard, lender workspace, and API consoles (collectively, the “Services”). It supplements our Privacy Policy and our Data Processing Addendum.
1. What are cookies?
A cookie is a small text file placed on your device by a website you visit. Cookies allow the site to remember your actions and preferences (such as login session, language, or theme) over time, so you do not have to re-enter them each time you return or navigate between pages. Some cookies remain on your device only for the duration of a single browsing session (“session cookies”); others persist for a defined period (“persistent cookies”).
Similar technologies — local storage, session storage, IndexedDB, pixels, and SDKs in our mobile apps — serve comparable purposes and are subject to this Policy.
2. How we categorize cookies
We follow the four-category model recommended by the UK Information Commissioner’s Office and substantively similar guidance from the Office of the Privacy Commissioner of Canada and the European Data Protection Board:
- Strictly necessary — required for the Services to function. Cannot be disabled without breaking core functionality. No prior consent required under most frameworks because these are essential to deliver the service the user has explicitly requested.
- Preference — remember non-essential choices that improve usability (language, theme, view density).
- Analytics — measure how the Services are used, in aggregate, to improve features and detect errors. Mortgage360 uses first-party analytics only.
- Marketing — used to deliver and measure advertising. Mortgage360 does not use marketing cookies, third-party advertising cookies, or cross-site tracking.
3. Cookie catalogue
The complete list of Cookies set by Mortgage360:
| Cookie / storage key | Purpose | Category | Type | Retention | Set by |
|---|---|---|---|---|---|
__Host-lf.session | Authenticated session token; identifies the logged-in user across requests | Strictly necessary | HttpOnly, Secure, SameSite=Lax | Session (cleared on sign-out or browser close) | Mortgage360 (first-party) |
__Host-lf.csrf | Cross-site request forgery token; prevents unauthorized state changes | Strictly necessary | HttpOnly, Secure, SameSite=Strict | Session | Mortgage360 (first-party) |
lf.mfa.device | Remembers a trusted device for MFA so you are not prompted for second factor each session | Strictly necessary | HttpOnly, Secure, SameSite=Strict | 30 days | Mortgage360 (first-party) |
lf.tenant | Active tenant (brokerage / lender / MIC) for users with multi-tenant access | Strictly necessary | HttpOnly, Secure | Session | Mortgage360 (first-party) |
lf.locale | Preferred language for UI and Harvey AI assistant responses | Preference | Secure | 1 year | Mortgage360 (first-party) |
lf.theme | Preserves light / dark / system theme preference | Preference | Secure | 1 year | Mortgage360 (first-party) |
lf.consent | Records your consent choices for analytics cookies | Strictly necessary | Secure | 1 year | Mortgage360 (first-party) |
lf.analytics | First-party product analytics — pages viewed, features used, error events. Aggregated and pseudonymized. | Analytics | Secure | 1 year | Mortgage360 (first-party) |
lf.calc.scratch | Stores your in-progress calculator inputs (in local storage) so refreshing the page does not lose them. Stored on your device only; not transmitted to Mortgage360 servers. | Preference | Local storage | 30 days | Mortgage360 (first-party) |
lf.sentry.tx | Error monitoring transaction ID for correlation when you report an issue | Strictly necessary | Secure | Session | Mortgage360 + Sentry (sub-processor) |
4. Lawful basis for setting Cookies
Where we are required by applicable law to establish a lawful basis for each Cookie, we rely on the following:
- Strictly necessary Cookies are set on the basis of our legitimate interest in providing the Services that you have requested. Under PIPEDA, the EU ePrivacy Directive (and national implementations), and the UK Privacy and Electronic Communications Regulations, consent is not required for strictly necessary Cookies.
- Preference Cookies are set after you explicitly choose a preference (e.g., changing theme or language), which we treat as implied consent under PIPEDA and explicit consent under GDPR.
- Analytics Cookies are set only after you accept analytics via the cookie banner shown on first visit. You may change this choice at any time via Cookie Settings (link in the footer) or by clearing the
lf.consentcookie.
5. Third-party Cookies — and why we don’t use them for marketing
Mortgage360 does NOT use:
- Third-party advertising or behavioural-targeting cookies (Google Ads, Meta Pixel, LinkedIn Insight, etc.)
- Cross-site tracking cookies
- Fingerprinting or other “cookieless” tracking techniques
- Data brokers or audience-enrichment services
Product analytics is first-party and pseudonymized. AI model usage is logged for service operation and abuse prevention, not for advertising.
A limited number of sub-processors we use to operate the Services (Sentry for error monitoring; Stripe for billing flows; SendGrid for transactional email) may set technical cookies on subdomains they control during their interaction with you. These are functional, not marketing. See our DPA for the full sub-processor list.
6. Do Not Track and Global Privacy Control
We honour the Global Privacy Control (GPC) signal: if your browser sends a GPC opt-out signal, we treat it as a withdrawal of consent for analytics cookies on mortgage360.ai. We do not currently rely on the legacy Do Not Track (DNT) signal because the W3C standardization effort was abandoned, but we will respect DNT if a standardized successor emerges.
7. How to manage Cookies
7.1 In Mortgage360
Click Cookie Settings in the footer of any Mortgage360 page to view your current preferences, change your analytics consent, or withdraw all non-essential cookies.
7.2 In your browser
All modern browsers let you view, restrict, or delete cookies on a per-site basis through Settings. Browser-specific guides:
- Chrome:
chrome://settings/cookies - Firefox:
about:preferences#privacy - Safari: Preferences → Privacy
- Edge:
edge://settings/content/cookies
Disabling strictly-necessary cookies will prevent you from signing in, switching tenants, or using authenticated features of the platform. Disabling preference or analytics cookies does not affect platform functionality but reduces our ability to remember your settings and improve the product.
7.3 Mobile apps
Where we offer mobile apps, the equivalent storage is system keychain (for credentials and tokens) and local app storage (for preferences and offline cache). You can clear these via your device’s app management.
8. Changes to this Policy
We may update this Policy if we add, remove, or change a Cookie or storage technology. The current list is always the authoritative source. Material changes are communicated via in-product banner; the “Last updated” date at the top of this page reflects the most recent revision.
9. Contact
Cookie questions: [email protected]