Privacy Policy
Effective: 2026-01-01 · Last updated: 2026-05-29
This Privacy Policy explains how Mortgage360 Inc. (“Mortgage360,” “we,” “us”) collects, uses, discloses, and protects personal information in connection with the Mortgage360 platform, websites, APIs, calculators, AI assistants, and related services (collectively, the “Services”).
We operate primarily under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial legislation. Where we process personal information of residents of Quebec, the EU/EEA, the United Kingdom, California, or other jurisdictions with applicable privacy law, we apply those frameworks (Quebec Law 25, GDPR, UK GDPR, CCPA/CPRA) as appropriate. This Policy is informed by the ten privacy principles set out in Schedule 1 of PIPEDA.
1. Roles — controller vs processor
We act in two distinct roles depending on the context:
- Controller for personal information we collect directly about you in connection with operating our business — such as the contact information of broker, lender, or MIC manager users, billing contacts, marketing prospects, calculator users on our public site, and visitors to mortgage360.ai.
- Processor / service provider for personal information you and your users upload to the platform in the course of operating your mortgage, lending, or investor-relations business — including borrower applications, financial documents, KYC records, AML risk ratings, deal correspondence, and investor records. For this category, your organization is the controller. Our processing of this data is governed by our Data Processing Addendum, which supplements this Policy.
2. Personal information we collect
2.1 Information you provide directly
- Account and profile data: name, email, phone, role (broker, agent, principal broker, underwriter, MIC manager, investor relations, etc.), employer, license number where applicable, photo (optional).
- Billing and tax data: billing contact, billing address, GST/HST registration, payment-method tokens (we never store full card numbers — see Section 6).
- Support and communications: messages you send to support, sales, security, and privacy channels, including attachments and any personal information embedded in those messages.
- Calculator inputs (public calculators): the numerical and categorical inputs you enter into our public calculators are processed in your browser by default and are not persisted to our servers unless you explicitly save a scenario to a Mortgage360 account.
2.2 Information collected automatically
- Usage data: IP address, device type, browser, operating system, language, time zone, pages viewed, features used, referring URL, navigation pattern, error events.
- Audit data: for platform tenants, we record authentication events, privileged operations, data exports, configuration changes, and access requests. Audit logs are retained for 7 years to support regulatory standards (FSRA, FINTRAC, and equivalent).
- Cookies and similar technologies: see our Cookie Policy.
2.3 Information we receive from third parties
- Identity verification services and credit bureaus, where you authorize integration for KYC, KYB, AML, or borrower-credit retrieval (Equifax, TransUnion, identity-verification providers)
- Lender connectivity partners (Filogix, lender APIs) for synchronization of deals you authorize to share
- Payment processor (Stripe) for transaction confirmations
- Marketing platforms where you have consented to receive Mortgage360 communications
- Public sources, such as FSRA / BCFSA / RECA / OACIQ license registries, for verification of regulated-user eligibility
3. Why we use personal information (lawful purposes and bases)
We process personal information for these purposes:
3.1 To deliver and operate the Services
Authentication, multi-factor authentication, account provisioning, tenant separation, customer-data hosting, transaction processing, AI assistant inference, document storage, lender connectivity, calculator operation, and billing.
PIPEDA basis: performance of contract with you, and our legitimate business interest in operating the Services.
GDPR Articles 6(1)(b) and 6(1)(f).
3.2 To meet legal and regulatory obligations
Compliance with FSRA, BCFSA, RECA, OACIQ, FCAA and equivalent provincial mortgage regulators; FINTRAC reporting where Mortgage360 is a reporting entity; CRA and Revenu Québec tax obligations; PIPEDA and substantially similar provincial law; CASL; court orders, subpoenas, and lawful production demands.
PIPEDA basis: compliance with legal obligations.
GDPR Article 6(1)(c).
3.3 To improve and benchmark the platform
Aggregated and de-identified analytics on calculator usage, AI assistant performance, error frequency, feature adoption, and platform reliability. We do not use identifiable Customer Data to train third-party AI models, and we do not use identifiable Customer Data to train our own AI models without your express written consent.
PIPEDA basis: legitimate business interest, balanced against privacy impact, with strong de-identification controls.
GDPR Article 6(1)(f).
3.4 To detect, prevent, and respond to security incidents
Fraud detection, abuse detection, audit logging, intrusion detection, breach investigation, and response.
PIPEDA basis: protection of our and customers’ legitimate interests.
GDPR Article 6(1)(f).
3.5 To communicate with you
Transactional notifications about your account and the Services; product update announcements; service incidents; security advisories; and (with your consent under CASL or other applicable law) marketing communications.
PIPEDA basis: performance of contract for transactional communications; consent (express or implied as permitted under CASL) for marketing communications.
GDPR Articles 6(1)(a) and 6(1)(b).
4. How we share personal information
4.1 With sub-processors
We share personal information with sub-processors that help us operate the Services. The current list, including each sub-processor’s purpose and processing location, is maintained in our Data Processing Addendum. We bind each sub-processor by contract to confidentiality, security, and processing-limit obligations no less protective than this Policy and the DPA.
4.2 With your authorization
When you direct us to share information with a third party — for example, by submitting a deal to a lender, integrating with Filogix, exporting data, or initiating a credit bureau pull — we share only what is necessary for the integration you have authorized.
4.3 For legal and safety reasons
We may disclose personal information to law enforcement, regulators, courts, or other third parties when we are legally required to do so, or where we have a good-faith belief that disclosure is necessary to protect rights, safety, property, or the integrity of the Services. Where lawful, we will give the affected customer prior notice and a reasonable opportunity to seek protective remedies.
4.4 In business transactions
In the event of a merger, acquisition, financing, restructuring, or sale of all or substantially all of our assets, personal information may be transferred to the successor entity subject to obligations no less protective than this Policy. We will notify affected customers of any such transfer.
4.5 We do not sell personal information
We do not sell, rent, trade, or share personal information for cross-context behavioural advertising. This applies under CCPA / CPRA, Quebec Law 25, and equivalent frameworks.
5. International transfers
By default, Customer Data and audit logs are stored in Canada (AWS ca-central-1). Enterprise customers may select per-tenant data residency in Canada, the United States (AWS us-east-1 or us-west-2), or the EU (AWS eu-central-1), as documented in the order form.
Some processing necessarily occurs outside the selected residency region — most notably, AI assistant inference (Harvey), which is processed on infrastructure operated by our AI sub-processor located in the United States. We have contractual safeguards, including data processing agreements compliant with PIPEDA and GDPR Article 28, Standard Contractual Clauses (SCCs) where required for EU-to-non-adequate-country transfers, and supplementary technical measures such as in-transit and at-rest encryption.
For Quebec residents specifically, we conduct privacy impact assessments before transferring personal information outside Quebec, as required by Law 25.
6. Payment information
Payments are processed by Stripe Inc. We receive a tokenized reference and limited metadata (last 4 digits, brand) but never the full card number, CVV, or banking credentials. Stripe operates as an independent controller for payment processing per its own privacy notice and PCI-DSS compliance program.
7. Retention
- Account profile data: for the duration of your subscription plus 30 days for export, after which it is purged or de-identified.
- Customer Data (data your organization controls): retained for the duration of your subscription. On termination, you have 30 days to export. After the export window, Customer Data is deleted within 30 days, subject to retention required by law.
- Audit logs: retained for 7 years to support regulatory standards (FSRA, FINTRAC, OSFI). After 7 years, audit logs are deleted or aggregated.
- Billing records: retained for the period required by the Canada Revenue Agency, Revenu Québec, and other tax authorities (typically 7 years).
- Marketing data: retained until you withdraw consent or for 24 months without engagement, whichever comes first.
- Support records: retained for 3 years from last interaction.
8. Your privacy rights
Subject to applicable law and our ability to verify your identity, you have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete personal information
- Delete personal information, subject to legal retention obligations
- Withdraw consent for processing based on consent (subject to legal or contractual restrictions)
- Object to or restrict processing based on our legitimate interests
- Receive a copy of your personal information in a portable, machine-readable format
- Lodge a complaint with the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the appropriate supervisory authority in the EU/UK, the California Attorney General, or other applicable regulator
- Be informed of automated decision-making that produces legal or similarly significant effects — and to obtain meaningful information about the logic involved. Mortgage360 does not use automated decision-making for credit, mortgage approval, or hiring decisions. AI assistants generate recommendations and suggestions only; final regulated decisions are reserved for licensed human reviewers.
To exercise these rights, contact [email protected]. We will respond within 30 days, or sooner where required by law. If you are exercising a right that applies to data your organization controls (Customer Data), we will direct your request to that organization, since it is the controller of that data.
9. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include:
- AES-256-GCM encryption at rest; TLS 1.3 in transit
- Mandatory multi-factor authentication on all privileged operations
- Least-privileged access controls and audit logging of all data access
- Continuous vulnerability scanning, quarterly third-party penetration testing
- SOC 2 Type II annual audit (report available to qualifying customers under NDA)
- Background checks and confidentiality agreements for all personnel with data access
- Documented incident response plan with 24/7 on-call coverage
See our security overview for additional detail. No security control is perfect; we will notify you in the event of a confirmed breach affecting your personal information per Section 10.
10. Breach notification
If we confirm a breach of security safeguards that creates a real risk of significant harm to an individual (the PIPEDA threshold) or that triggers notification under other applicable law, we will:
- Notify affected customers (organizations) within 72 hours of confirmation, including current understanding of the breach, scope of affected data, root cause, and mitigation steps
- For data we control directly, notify affected individuals as required by PIPEDA, Quebec Law 25, GDPR Article 34, or equivalent law
- Report to the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, applicable EU supervisory authorities, and other regulators as required
- Maintain a breach record for the period required by law
11. Cookies and similar technologies
We use first-party cookies for authentication, CSRF protection, MFA device memory, theme preferences, and first-party product analytics. We do not use third-party advertising cookies or cross-site tracking. See the Cookie Policy for the full catalogue.
12. Children
The Services are not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact [email protected] and we will delete it.
13. Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated through in-product notice, email to your account contact, and a posting to this page at least 30 days before taking effect. The “Last updated” date at the top of this page reflects the most recent revision.
14. Contact
Privacy questions: [email protected]
Data Protection Officer (acts as our PIPEDA accountability contact and our GDPR-style DPO): [email protected]
Mail: Mortgage360 Inc., Privacy Office, Toronto, Ontario, Canada
If you are a resident of the EU/EEA or UK and prefer to contact a representative within those jurisdictions, contact our DPO who will direct your inquiry appropriately.