Privacy policy
This is the legal companion to our engineering posture page at /trust/privacy. The two are consistent; this Policy is the controlling document.
Last updated:
1. Scope
This Privacy Policy describes how RateStack handles personal data in connection with the marketing site at ratestack.com and the platform service. For data we process on behalf of customers (i.e., your borrowers' data submitted via the platform), the Data Processing Addendum at /legal/dpa controls.
2. Information we collect
From visitors
- Server-side logs (IP, user agent, request URL, status, latency).
- Cookie-based theme preference (no advertising cookies).
- Privacy-respecting analytics (page views, referrer) — no cross-site identifiers.
From operators (account holders)
- Account profile (email, display name, phone, title, company, primary state).
- Authentication credentials (bcrypt password hash or OAuth identity).
- RBAC role assignments and permission grants.
- Audit log entries describing actions taken in the platform.
From customers (your borrower-related data)
The platform consumes the minimum borrower attributes required to price. Where MISMO imports include broader fields (SSNs, identification numbers), they are stripped at ingest by the PII redactor and never persisted.
3. How we use information
- To provide, secure, and improve the service.
- To authenticate operators and authorize their actions.
- To compute pricing, eligibility, and lock state for your loans.
- To communicate service-related transactional messages (verification, password reset, approval, security notices).
- To maintain the audit chain that supports compliance and dispute resolution.
We do not use customer data for advertising. We do not use customer data to train cross-tenant AI models. Mapping templates learned from your sheets remain scoped to your tenant.
4. How we share
With subprocessors listed at /trust/subprocessors under written agreements that bind them to confidentiality and to using the data only for the purposes we direct. With law enforcement only as required by law, with notice to you where legally permitted. With acquirers in connection with a merger, acquisition, or asset sale, under standard transition-services protections.
5. Retention
See the retention windows at /trust/privacy#retention. In summary: API request logs are kept for 90 days; ratesheet rows and audit entries are kept indefinitely (subject to retention policy on Business and Enterprise); webhook deliveries and event streams are kept for 30-180 days depending on type.
6. Your rights
Operators have the right to access, correct, and delete the personal data associated with their account. Borrowers' rights are exercised through you (the data controller); we support deletion within 30 days of an authorized request.
California residents have additional rights under the CCPA / CPRA, including the right to know, the right to delete, and the right to opt out of the sale or sharing of personal information (which we do not do). Email security@ratestack.com with the subject line "CCPA Request" to exercise these rights.
EU/UK residents have rights under GDPR / UK GDPR. We act as a processor for borrower data; you act as the controller. For our processing of your account data (operator data), we act as a controller, and the standard GDPR rights apply directly.
7. Children
The service is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has submitted data, contact us and we will delete it.
8. Changes
We may update this Policy. Material changes will be announced in the changelog at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.
9. Contact
Privacy contact: security@ratestack.com. For California residents, our designated CCPA agent is the same address.