Privacy Policy

Last Updated: March 10, 2026

1. Introduction

ServeYourNote, LLC (“ServeYourNote,” “we,” “us,” or “our”) operates the ServeYourNote platform (the “Service”), a software-as-a-service technology platform that provides tools for managing seller-financed real estate notes.

This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use the Service. By using the Service, you agree to the collection and use of information in accordance with this policy.

ServeYourNote is a technology platform, not a financial institution, loan servicer, or financial advisor. This distinction affects how we handle your data: we process data to provide software tools, not to make financial decisions or provide financial services.

For questions about this Privacy Policy, contact us at:

ServeYourNote, LLC
Email: support@serveyournote.com
Address: 13320 Morse St, Cedar Lake, IN 46303

2. Information We Collect

2.1 Information You Provide Directly

Account Information (all users):

Data	Purpose	Required?
Full name (first, last)	Account identification, display	Yes
Email address	Login, notifications, transactional emails	Yes
Password	Authentication (stored as salted hash, never in plaintext)	Yes
Phone number	Account contact, optional 2FA	No

Organization Information (note holders):

Data	Purpose	Required?
Organization name	Multi-tenant scoping, document generation	Yes
Entity type (individual, LLC, etc.)	Document formatting, compliance context	Yes
EIN / Tax ID	1098 tax form generation	For 1098s
NMLS ID	Regulatory compliance tracking	No
Business address (line1, line2, city, state, zip)	Document generation, correspondence	Yes
Business phone and email	Borrower-facing documents	Yes

Borrower Information (entered by note holders about their borrowers):

Data	Purpose	Required?	Sensitivity
Full name (first, last)	Loan records, document generation	Yes	PII
Email address	Borrower portal access, communications	No	PII
Phone number	Contact records	No	PII
Mailing address (line1, line2, city, state, zip)	Correspondence, document generation	Yes	PII
Social Security Number (SSN)	1098 tax form generation only	For 1098s	HIGH — encrypted
Verification code	Borrower portal authentication	Auto-generated	Credential

Loan and Financial Data (entered by note holders):

Data	Purpose
Loan terms (principal, interest rate, term, payment amount)	Amortization calculations, payment tracking
Property address	Loan identification, document generation
Payment records (amounts, dates, methods)	Payment tracking, waterfall allocation, ledger
Escrow details (balances, obligations, disbursements)	Escrow management, RESPA analysis tools
Insurance policy details (provider, agent, coverage, policy numbers)	Escrow tracking, mortgagee clause verification
Late fee assessments	Delinquency tracking
Default/foreclosure events	Default management workflow

Documents:

Data	Purpose
Uploaded documents (deeds of trust, insurance policies, etc.)	Document repository
Generated documents (statements, 1098s, notices, escrow analyses)	Servicing records

2.2 Information Collected Automatically

Server and Access Logs:

Data	Purpose	Retention
IP address	Security, abuse prevention, audit trail	Per audit log retention
User agent (browser/device info)	Compatibility, security	Per audit log retention
Timestamps (login, page access, actions)	Audit trail, security monitoring	Per audit log retention
Pages visited and actions taken	Audit trail (who changed what, when)	Per audit log retention

Cookies and Similar Technologies:

Cookie/Technology	Type	Purpose	Duration
Session cookie	Essential	Maintains your authenticated session	Browser session
CSRF token	Essential	Prevents cross-site request forgery attacks	Browser session
JWT access token	Essential	API authentication (stored in localStorage)	Short-lived (minutes)
JWT refresh token	Essential	Token renewal (stored in localStorage)	Days

We do not use third-party advertising cookies or cross-site tracking cookies.

Analytics:

We use privacy-focused analytics tools that collect minimal data. Our analytics approach varies by context:

Marketing/public pages: Privacy-first, cookieless analytics
Authenticated app: Product analytics with anonymous identifiers (no PII in events)
Internal dashboards: Operational monitoring (not user-facing)

2.3 Third-Party Services and Data Sharing

We use the following third-party services. Each is limited to the data necessary for its function:

Payment Processing:

Service	Data Shared	Purpose	Privacy Docs
Stripe, Inc.	Borrower payment details (bank account, payment amounts), note holder payout details	Payment processing via Stripe Connect	stripe.com/privacy

Stripe is PCI DSS Level 1 compliant. We do not store full bank account numbers — Stripe tokenizes payment methods. We store only: Stripe customer IDs, payment method IDs, bank name, and last four digits of the account number.

Email:

Service	Data Shared	Purpose	Privacy Docs
Loops	Email address, first name, user events (signup, note created, etc.)	Transactional and lifecycle emails	loops.so/privacy

Product Analytics (authenticated app only):

Service	Data Shared	Purpose	Privacy Docs
PostHog (Cloud)	Anonymous user ID (UUID, not email), feature usage events	Product improvement, usage analytics	posthog.com/privacy

PostHog events never contain PII. User identification uses anonymous UUIDs linked to accounts internally. We do not send names, emails, financial data, or loan details to PostHog. PostHog is SOC 2 Type II certified.

Marketing Analytics (public/marketing pages only — never loaded on authenticated dashboard pages where financial data is displayed):

Service	Data Shared	Purpose	Privacy Docs
Plausible Analytics	None (cookieless, no PII)	Anonymous website traffic metrics	plausible.io/privacy
Microsoft Clarity	Anonymous session recordings (content masked)	UX improvement on marketing pages	clarity.microsoft.com/terms
HubSpot (Free CRM)	Tracking script on marketing pages	Lead tracking, CRM	hubspot.com/privacy

Internal Only (no user data shared externally):

Service	Purpose
Metabase (self-hosted)	Business intelligence dashboards — reads from our database directly, not exposed to public internet
Grafana (self-hosted)	Infrastructure monitoring — not exposed to public internet

2.4 Information We Do NOT Collect

We do not collect or store full bank account or routing numbers (Stripe handles this)
We do not collect credit card numbers
We do not collect biometric data
We do not purchase data from data brokers
We do not collect data from social media profiles
We do not use advertising cookies or participate in ad networks

3. How We Use Your Information

We use the information we collect for the following purposes:

Purpose	Legal Basis	Data Categories Used
Provide the Service — loan tracking, calculations, document generation, payment processing, borrower portal	Performance of contract (ToS)	Account info, loan data, financial data, documents
Authenticate and secure accounts — login, session management, access control	Performance of contract; legitimate interest (security)	Credentials, session data, IP addresses
Process payments — facilitate borrower payments to note holders via Stripe	Performance of contract	Payment details (via Stripe)
Generate documents — statements, 1098s, notices, escrow analyses	Performance of contract	Loan data, borrower info, financial data
Send transactional communications — account confirmations, payment receipts, system notifications	Performance of contract	Email address, name, relevant event data
Send lifecycle communications — onboarding emails, feature education, feedback requests	Legitimate interest (product improvement); consent where required	Email address, name, usage milestones
Improve the Service — usage analytics, bug detection, feature development	Legitimate interest (product improvement)	Anonymous usage events (PostHog), aggregate metrics
Maintain security — fraud detection, abuse prevention, audit logging	Legitimate interest (security); legal obligation	IP addresses, user agents, access patterns, audit logs
Comply with legal obligations — tax reporting, regulatory requirements, law enforcement requests	Legal obligation	As required by applicable law
Resolve disputes and enforce Terms — investigate violations, respond to legal process	Legitimate interest; legal obligation	Account info, usage data, communications

We do not use your information to:

Make lending, credit, or financial decisions
Sell your personal information to third parties
Build advertising profiles
Target you with third-party advertisements
Share your data with data brokers

4. How We Protect Your Information

4.1 Encryption

Layer	Method
Data in transit	TLS 1.2+ (HTTPS) for all connections
Data at rest (database)	PostgreSQL on encrypted storage volumes
Data at rest (documents)	AES-256 server-side encryption (S3)
Social Security Numbers	Application-level Fernet encryption (AES-128-CBC with HMAC) in addition to storage encryption
Passwords	Salted hash (Django's PBKDF2 with SHA-256)
Payment credentials	Tokenized by Stripe — we never store full account numbers

4.2 Access Controls

Role-based access: organization owners, admins, and viewers have different permissions
Multi-tenant isolation: all data is scoped to organizations; users can only access data belonging to organizations they are members of
Borrower isolation: borrowers can only see their own loan data, not other borrowers within the same organization
Administrative access to production systems is limited to essential personnel
All data access is logged in our audit trail (user, action, timestamp, IP address)

4.3 Infrastructure

Application hosted in containerized environments with network isolation
Database access restricted to application servers (not publicly accessible)
Document storage (S3) configured as private — no public access, presigned URLs with 15-minute expiry for downloads
Regular dependency auditing for known vulnerabilities
Incident response plan maintained (see internal security documentation)

4.4 Third-Party Security

All third-party services that process personal data are selected based on their security posture:

Stripe: PCI DSS Level 1 compliant
PostHog: SOC 2 Type II certified
Plausible: GDPR-compliant by design (cookieless, no PII)
Loops: SOC 2

5. Data Retention

We retain your information for as long as necessary to provide the Service and comply with legal obligations:

Data Category	Retention Period	Reason
Account information	Duration of active account + 30 days after termination	Service provision; 30-day export window per ToS
Loan records and financial data	Duration of active account + 30 days after termination	Service provision
Tax-related records (1098 data, EIN, SSN)	7 years from the tax year	IRS record-keeping requirements (IRC § 6001)
Payment transaction records	7 years from transaction date	Financial record-keeping; dispute resolution
Audit logs (who did what, when)	7 years	Compliance, dispute resolution, security
Generated documents (statements, 1098s)	Duration of active account + 30 days	Service provision; user can export
Uploaded documents	Duration of active account + 30 days	Service provision; user can export
Server/access logs	90 days (rolling)	Security monitoring, incident investigation
Anonymous analytics data	Indefinite	Aggregate product improvement (no PII)

After account termination:

You have 30 days to export all your data (see ToS Section 10.3)
After 30 days, we delete your data from active systems
Tax-related records and audit logs are retained for 7 years per legal requirements
Backups containing your data are purged on a rolling basis (within 90 days)
Anonymous/aggregate analytics data is retained indefinitely

Documents under legal hold: If a document has been placed under legal hold (e.g., in connection with litigation or a regulatory inquiry), it will be retained until the hold is released, regardless of account termination or standard retention schedules.

6. Your Rights

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal information:

Right	Description	How to Exercise
Access	Request a copy of your personal data	Account settings (data export) or email us
Correction	Update inaccurate or incomplete data	Edit directly in the Service, or email us
Deletion	Request deletion of your personal data	Email us (subject to legal retention requirements)
Portability	Receive your data in a structured, machine-readable format	Account settings (data export to CSV/PDF/ZIP)
Opt-out of marketing	Stop receiving non-essential marketing emails	Unsubscribe link in emails, or email us
Withdraw consent	Withdraw consent for optional data processing	Email us

Important limitations on deletion:

We cannot delete data that we are required by law to retain (e.g., tax records for 7 years)
We cannot delete immutable audit log entries (these are required for financial record integrity)
Deleting your account does not delete data that your borrowers may independently have access to through the borrower portal (borrower accounts are separate)
If you are a borrower, your note holder controls the loan data — contact them for questions about data entered on their behalf

To exercise your rights: Email us at support@serveyournote.com with the subject line “Privacy Rights Request.” We will respond within 30 days.

6.1 Colorado Privacy Act (CPA)

If you are a Colorado resident, the CPA (C.R.S. § 6-1-1301 et seq., effective July 1, 2023) provides you with additional rights, including the right to opt out of targeted advertising and the right to appeal our decisions regarding your privacy requests.

Current applicability: The CPA applies to entities that control or process personal data of 100,000 or more Colorado residents per year, or 25,000 or more Colorado residents if the entity derives revenue from the sale of personal data. We do not currently meet these thresholds, but we voluntarily extend CPA-equivalent rights to all users regardless of jurisdiction.

To appeal a privacy decision: If we deny a privacy rights request, you may appeal by emailing support@serveyournote.com with the subject line “Privacy Appeal.” We will respond within 45 days.

6.2 California Consumer Privacy Act (CCPA/CPRA)

The CCPA applies to businesses with annual gross revenue exceeding $25 million, that buy or sell personal information of 100,000+ consumers, or that derive 50%+ of revenue from selling personal information. We do not currently meet these thresholds.

Regardless, we do not sell personal information and do not share personal information for cross-context behavioral advertising. We voluntarily extend the right to know and the right to delete to all users.

7. Cookies and Tracking Technologies

7.1 Cookies We Use

Cookie	Type	Purpose	Opt-out?
Session cookie (`sessionid`)	Strictly necessary	Maintains your login session	No (required for Service)
CSRF token (`csrftoken`)	Strictly necessary	Prevents cross-site request forgery	No (required for security)

We also store JWT tokens in browser localStorage for API authentication. These are not cookies but function similarly for session management.

7.2 Analytics Scripts

Script	Pages	Cookies?	Personal Data?	Opt-out?
Plausible Analytics	Marketing pages only	No (cookieless)	No	N/A (no tracking to opt out of)
Microsoft Clarity	Marketing pages only	Yes (first-party)	No (content masked)	Browser Do Not Track header respected
HubSpot tracking	Marketing pages only	Yes (first-party)	Email if you submit a form	Do Not Track header; cookie banner
PostHog	Authenticated app only	First-party	No PII (anonymous UUID only)	Respect `$opt_out` property

Privacy boundary: Plausible, Clarity, and HubSpot are loaded only on marketing and authentication pages. They are never loaded on authenticated dashboard pages where financial data is displayed. This architectural boundary protects your financial data from third-party analytics scripts.

7.3 Do Not Track

We respect the Do Not Track (DNT) browser signal for optional analytics (Clarity, HubSpot). Essential cookies and PostHog product analytics (which use no PII) are not affected by DNT.

8. Special Categories of Data

8.1 Social Security Numbers (SSNs)

We collect SSNs only for the purpose of generating IRS Form 1098 (Mortgage Interest Statement) and only when a note holder enters a borrower's SSN for that purpose. SSNs are:

Encrypted at the application level using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256) before storage in the database
Stored as ciphertext — the database never contains plaintext SSNs
Decrypted only when generating 1098 forms or when the note holder explicitly requests to view the full SSN
Displayed in masked form (last four digits only) in all other contexts
Included in data exports in decrypted form (the export is treated as a sensitive file)
Retained for 7 years from the applicable tax year per IRS requirements, even after account termination

Note holders are responsible for obtaining their borrowers' consent before entering SSNs into the Service. We process SSNs solely at the note holder's direction for tax form generation.

8.2 Financial Information

Loan terms, payment histories, escrow balances, and other financial data are entered by note holders and processed by the Service to provide calculation and tracking tools. This data is:

Stored in encrypted database volumes
Accessible only to authorized members of the note holder's organization and (where applicable) the borrower through the borrower portal
Never shared with third parties except Stripe (for payment processing) and as required by law
Never used for credit decisions, lending, or financial advisory purposes by ServeYourNote

9. Data Breach Notification

In the event of a data breach that compromises your personal information, we will:

Investigate promptly to determine the scope and nature of the breach
Contain the breach and take steps to prevent further unauthorized access
Notify affected users by email within the timeframes required by applicable law:
- Colorado: within 30 days of determining the breach occurred (C.R.S. § 6-1-716)
- Indiana: without unreasonable delay (IC 24-4.9-3-3)
- Other states: per applicable state breach notification law
Notify the Colorado Attorney General if the breach affects 500 or more Colorado residents (C.R.S. § 6-1-716(2)(b))
Provide details including: nature of the breach, types of information affected, steps we are taking, and steps you can take to protect yourself

Our incident response procedures are documented internally in our security policy.

10. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will promptly delete that information.

If you believe a child under 18 has provided us with personal information, please contact us at support@serveyournote.com.

11. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, you understand that your data will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

Posting the updated policy on our website with a revised “Last Updated” date
Sending an email notification to the address associated with your account

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after a change constitutes acceptance of the updated policy.

13. Contact Us

For questions, concerns, or requests related to this Privacy Policy or your personal data, contact us at:

ServeYourNote, LLC
Email: support@serveyournote.com
Address: 13320 Morse St, Cedar Lake, IN 46303

For privacy rights requests specifically, email support@serveyournote.com with the subject line “Privacy Rights Request.”

This Privacy Policy was last updated on March 10, 2026.