1. Introduction & Scope

Lendmire, LLC ("Lendmire," "we," "us," or "our") is a multi-state licensed mortgage broker headquartered in Boone, North Carolina. Lendmire acts as a mortgage broker in all of our states of licensure. While we hold certain lender licenses, we are not currently acting as a lender and are not funding loans; we operate solely as a broker at this time. We help consumers locate suitable mortgage products from third-party lenders.

This Privacy Policy explains how we collect, use, disclose, protect, and retain Personal Information ("PI") across all channels — website, mobile, phone, email, SMS/MMS, social media, advertising, electronic signatures/records, and in-person communications — nationwide. Continued use of our services indicates acceptance of this Policy.

2. Key Definitions

Personal Information ("PI")

Information that identifies, relates to, describes, or could reasonably be linked to an individual.

Non-Public Personal Information ("NPI")

Consumer financial information protected under the Gramm-Leach-Bliley Act (GLBA).

Sensitive Personal Information ("SPI")

SSN, driver-license/ID number, precise geolocation, financial-account credentials, biometric identifiers, and similar data governed by state privacy laws.

Sale

Disclosure of PI for monetary or other valuable consideration as defined by applicable state law.

Sharing / Targeted Advertising

Cross-context behavioral advertising or disclosure for targeted ads as defined by applicable state law (even if no monetary exchange).

Profiling

Automated processing of PI to evaluate personal aspects (e.g., economic situation, interests) for marketing or similar purposes.

3. Information We Collect

• Identifiers — name, postal address, email, phone, date of birth, SSN, driver-license or government-ID
• Financial & Loan-Application Data — income, employment, credit reports, bank statements, assets, liabilities, property addresses, loan terms sought
• Biometric & Identity-Verification Data — selfie/liveness checks or facial templates captured by trusted vendors for KYC; collected only with written consent and destroyed per law
• Technical & Usage Data — IP address, device IDs, browser/OS, cookies, pixels, clickstream
• Approximate Geolocation & Analytics — derived from IP/device
• Third-Party Data — credit-bureau data, verification services, public records, referral partners
• Communication Records — call recordings (with notice), voicemail, email, SMS/MMS, chat logs, e-signature audit trails, consent histories

We collect SPI only when required for mortgage processing or fraud prevention and never for unrelated purposes. We do not knowingly sell or share PI of minors under 16.

4. Sources of Information

• Directly from you — forms, uploads, calls, texts, and electronic signatures (E-SIGN Act)
• Automatically — cookies, pixels, device analytics
• Identity-Verification Vendors — selfie/ID match tools, fraud databases
• Third Parties — credit bureaus, referral partners, government agencies

5. How We Use Information

• Mortgage Brokerage Services: evaluate eligibility, submit applications to lenders, obtain credit approvals, provide loan-status updates
• Identity, Fraud & Security: KYC checks, sanctions screening, cybersecurity monitoring, regulatory reporting
• Marketing (with Consent): email newsletters, SMS alerts, retargeted ads, referral campaigns
• Compliance & Legal: GLBA, FCRA (Adverse-Action Notices), ECOA, TCPA, CAN-SPAM, state privacy laws
• Operations & Improvement: analytics, site performance, quality assurance, staff training

6. Communications, Marketing & Consent

6.1 SMS/Text Messaging Program

Opt-in by checkbox or keyword; messages may be sent via autodialer. Frequency varies. Standard message & data rates may apply. Text STOP to opt-out; HELP for help. No purchase required. Carriers are not liable for delayed/undelivered messages.

6.2 Email Marketing & CAN-SPAM

All commercial emails include clear sender ID, truthful subject lines, our postal address, and a functional unsubscribe link (active ≥ 30 days) or email brandonmiller@lendmire.com.

6.3 Telephone Calls & Telemarketing

Calls are made only with prior express written consent (TCPA/TSR). When recording in two-party consent states, we provide notice at the start of the call. Pre-screened credit offers: opt-out nationwide at 1-888-5-OPT-OUT (1-888-567-8688). Join our internal Do-Not-Call list via any method in §19; consents are retained for ≥ 4 years.

6.4 Electronic Signatures & Records (E-SIGN)

You may receive disclosures and sign electronically. Withdraw E-SIGN consent or request paper copies anytime (see §19). Withdrawal won't affect prior actions.

7. Compliance Framework

We follow GLBA (Privacy/Safeguards/Pretexting), FTC Safeguards Rule, FCRA/Reg V, ECOA/Reg B, E-SIGN, TCPA/TSR, CAN-SPAM, COPPA, MAP Rule (Reg N), biometric laws (IL BIPA, TX CUBI), and state privacy statutes including CA CPRA, CO CPA, CT DPA, DE PDPA, TX DPSA, UT UCPA, VA VCDPA, NV, VT, and others as enacted, and the New York SHIELD Act.

8. Your Privacy Rights

Depending on your state, you may:

• Access and obtain a copy of your PI
• Correct inaccurate PI
• Delete PI (subject to legal exceptions)
• Opt-out of: (a) sale of PI, (b) sharing for cross-context behavioral advertising, and (c) profiling in furtherance of decisions for marketing/ads
• Limit use and disclosure of SPI
• Port your data to another provider
• Withdraw consent for marketing or profiling where processing is based on consent

We will not discriminate against you for exercising your rights.

8.1 Authorized Agents

Agents may submit requests with notarized authorization or a valid power-of-attorney. We verify the agent and your identity before acting.

8.2 Appeals

If we deny your request, email brandonmiller@lendmire.com with "Appeal" in the subject. We respond within 45 days; unresolved appeals may be escalated to your state Attorney General.

How to Exercise Rights: Email brandonmiller@lendmire.com, call (828) 256-2183, or mail us (see §19).

9. Information Sharing & Disclosures

Disclosures occur only as permitted/required:

• Service Providers & Vendors: credit bureaus, CRM, cloud/analytics (SOC-2 Type II; breach notice duty)
• Lenders & Investors: underwriting/closing partners
• Regulators/Law Enforcement: audits, subpoenas, fraud prevention
• Corporate Transactions: merger/acquisition with notice

GLBA Notices: We provide an initial privacy notice at relationship start and an annual privacy notice thereafter when required by Regulation P.

10. Third-Party Websites & Links

External sites follow their own policies; Lendmire is not responsible for their practices. When you click third-party links, those providers may independently collect information via cookies, pixels, or other tracking technologies. We do not control those third-party practices.

11. Vendor Oversight & International Transfers

Vendors must sign DPAs with GLBA-level safeguards, provide annual audits, notify breaches, and use Standard Contractual Clauses (SCCs) or similar for offshore processing. Where required by state law, residents may request a list of foreign jurisdictions and safeguards used.

12. Security Measures

• AES-256 encryption at rest; TLS 1.2+ in transit
• MFA, least-privilege, role-based access controls
• 24/7 SOC, log monitoring
• Annual pen-tests; quarterly vulnerability scans
• Employee background checks & training
• Board-level review of risk assessments
• Incident Response Plan & 50-state breach-notification matrix

Our safeguards program is designed to meet or exceed GLBA, the FTC Safeguards Rule, and applicable state standards, including Massachusetts 201 CMR 17.00 where relevant.

13. Data Retention & Secure Disposal

• Mortgage records: ≥ 5 years post-closing (RESPA/state law)
• Biometric templates: destroyed when purpose fulfilled or ≤ 3 years after last interaction (e.g., IL BIPA)
• Consents & audit logs: ≥ 4 years post-opt-out (TCPA safe harbor)
• Business records: as needed or per legal hold

We retain PI only for as long as reasonably necessary and proportionate to the purposes described, and we delete or anonymize PI when no longer needed unless a legal hold applies. Secure destruction follows NIST SP 800-88 methods.

14. Automated Decision-Making & Profiling

Automated tools may expedite eligibility review; a human underwriter reviews final credit decisions. You may request manual reconsideration. You may also opt-out of profiling used for targeted advertising (see §8).

15. Cookies, Pixels & Global Privacy Control

We use essential, analytics, and advertising cookies. Our banner enables granular opt-in/opt-out for targeted ads and profiling. If your browser sends a Global Privacy Control (GPC) signal, we treat it as a valid opt-out in states that recognize such signals. We retain cookie-consent choices for at least 12 months and propagate your opt-out selection to downstream advertising partners through industry-standard mechanisms.

16. Children & Minors

Services are for adults 18+. We do not knowingly collect, sell, or share PI of anyone under 16.

17. Arbitration & Governing Law

Except where prohibited or restricted by state law, disputes are resolved by binding arbitration in Boone, NC (AAA rules). If applicable state law limits or invalidates mandatory arbitration for consumer contracts, this clause will not apply and your state-specific rights and forum will govern. North Carolina law governs to the extent not preempted by federal or applicable state law.

18. Non-Discrimination & Financial Incentives

We do not offer financial-incentive or loyalty programs tied to PI. We will not discriminate against you for exercising privacy rights.

19. Contact Us

Unresolved concerns? Contact the Consumer Financial Protection Bureau (855-411-2372), Federal Trade Commission, Federal Communications Commission, or your state Attorney General.

20. State-Specific Disclosures & Future Updates

Rights vary by state. We maintain a continuously updated State Disclosures & Licensing page showing where we operate as a broker and the states where we are licensed. We review this Policy at least annually and update it as laws change. Material changes will be posted with a new "Last Updated" date and, where required, additional notice.

21. CPRA / Multi-State Categories, Purposes, Recipients & Retention

The following summaries list typical categories of Personal Information, why we use them, who we disclose them to, whether they are sold/shared, and typical retention periods. We do not sell or share Personal Information.

• Identifiers (name, address, email, phone, SSN, DL/ID) — Mortgage processing; identity verification; compliance — Disclosed to: lenders, credit bureaus, CRM, cloud-hosting — Retention: 5 years post-closing (RESPA)
• Financial & Loan-Application Data — Underwriting/eligibility; regulatory reporting — Disclosed to: lenders, AUS/DU/LP engines, auditors — Retention: 5 years post-closing
• Biometric & ID-Verification Data — Fraud prevention; KYC — Disclosed to: ID-verification vendors only — Retention: per law (e.g., IL BIPA ≤ 3 years)
• Technical & Usage Data — Site analytics; security — Disclosed to: analytics/cloud vendors — Retention: 12–24 months
• Communication Records — Quality assurance; compliance; TCPA safe harbor — Disclosed to: CRM, cloud storage — Retention: ≥ 4 years post-opt-out