Privacy notice & policy
Your data, your loan, your rules.
Last updated 2026-05-25. Policy version glba_v1_2026-05-25. We follow the Gramm-Leach-Bliley Act (GLBA), the FTC Safeguards Rule, the California Consumer Privacy Act (CCPA / CPRA), and applicable state financial-privacy laws.
In plain English
- We collect what we need to take a mortgage application. Nothing extra.
- Your info is encrypted on our servers using bank-grade encryption. The keys live on a separate, locked-down system.
- We only share your application with the lender(s) you choose, and with the service providers we list below.
- We never sell your data. Period.
- We never use your voice or your information to train AI.
- You can request to see your data, correct it, or delete it any time. Some financial records have mandatory retention windows.
1. Who we are
“Voice to Mortgage” (also “we,” “us,” “our”) is an application-intake service operated by Freakyfast, Inc. (Delaware). We are not a mortgage lender. We help you complete a residential mortgage loan application and deliver it to a licensed mortgage lender of your choosing for underwriting, approval, and funding.
This policy explains the “non-public personal information” (NPI) we collect, how we protect it, who we share it with, and what rights you have. It satisfies the initial privacy notice obligation under 12 CFR § 1016.4.
2. The information we collect
In the course of preparing your application we collect the categories of non-public personal information listed below. Categories are described per CCPA § 1798.140 and the GLBA model privacy notice.
- Identifiers — full legal name, date of birth, Social Security Number or ITIN, email, phone, mailing address, citizenship/residency status, government ID.
- Financial information — annual and monthly income, employer, employment history, assets, liabilities, bank balances and transaction history (via Plaid), declared obligations, credit score range (self-stated only until a lender pulls credit with your authorization).
- Property information — address (if identified), purchase price, loan amount, occupancy, property type, intended down payment.
- Demographic information — ethnicity, race, sex (collected under HMDA, optional; refusing has no effect on your application).
- Voice recording & transcript — audio of your conversation with our AI scribe, and the text transcript we generate from it. Used only to prepare your application.
- Device & usage information — IP address, browser, operating system, time zone, pages viewed, actions taken.
- Communications — emails, calls, or messages you send us.
3. How we use it
We use your information only to:
- Take, complete, and submit your loan application.
- Match you with one or more licensed mortgage lenders and deliver your file to them.
- Verify the information you provide (e.g., via Plaid bank connection, identity check).
- Communicate with you about your application, including transactional emails, text messages, and calls.
- Operate, secure, and improve our service (excluding any use to train AI models — see § 6).
- Comply with our legal obligations under the Equal Credit Opportunity Act (ECOA), the Home Mortgage Disclosure Act (HMDA), Bank Secrecy Act / AML, and other laws applicable to mortgage application processing.
4. Who we share it with
We share your information with:
- The lender(s) you choose. Your completed application is delivered to the licensed mortgage lender(s) you select. They are independently regulated and have their own privacy practices.
- Service providers (sub-processors) listed below. Each is contractually required to safeguard your information and use it only for the purpose we engaged them for.
- Regulators & law enforcement when we are legally required to disclose information.
- Successors in connection with a merger, acquisition, or sale of assets — subject to the same privacy obligations.
We do not sell your personal information. We do not share it for cross-context behavioral advertising. We do not participate in any data broker arrangement.
5. Sub-processors
The following service providers process your information on our behalf. The list is current as of 2026-05-25.
- Cloudflare, Inc. — hosting, CDN, encrypted database (Cloudflare D1), object storage (R2). Data residency: United States.
- Clerk, Inc. — user authentication and session management.
- Plaid Inc. — secure bank-account linking and income/asset verification. You also agree to Plaid's privacy policy when you link your bank.
- OpenAI, L.L.C. — real-time speech-to-text and conversation orchestration. Per our agreement, your audio and transcripts are not used to train OpenAI's models and are retained only for the minimum necessary period.
- Resend, Inc. — transactional email delivery.
- Stripe, Inc. — payments (only if applicable in the future; we currently do not charge borrowers).
6. AI training and your voice
We do not use your voice recordings, transcripts, application data, or any non-public personal information to train any machine learning model — ours or anyone else's. Our contracts with our AI sub-processors prohibit them from training their models on your data. This is non-negotiable.
7. How we protect your information (GLBA Safeguards Rule)
- All sensitive fields are encrypted at rest using AES-256-GCM envelope encryption, with per-row data-encryption keys.
- All traffic uses TLS 1.3 in transit. We support HSTS.
- Access to production data is limited to authorized personnel, logged, and audited.
- We maintain an information-security program, including vulnerability scanning, dependency monitoring, incident response procedures, and an annual risk assessment, as required by 16 CFR § 314.4.
- In the event of unauthorized access to your personal information, we will notify you in accordance with applicable state breach-notification laws.
8. Retention and deletion
We retain your information for as long as your account is active. After a deletion request, we soft-delete your data immediately and hard-delete encrypted blobs within 30 days, except where mandatory retention applies (e.g., five-year records-retention obligations on funded loans under 12 CFR § 1024.38(c) and related state laws). When that applies, we will tell you which records are retained and for how long.
Audit-log records of security-relevant events are retained for a minimum of 24 months and do not contain personal information values.
9. Your rights
Subject to applicable law, you have the right to:
- Know what personal information we hold about you.
- Receive a copy of your personal information in a portable format.
- Correct inaccurate personal information.
- Delete your personal information (subject to retention exceptions above).
- Opt out of any “sale” or “sharing for cross-context behavioral advertising” — though we do neither.
- Limit our use of sensitive personal information to that necessary to provide the service you requested.
- Be free from discrimination for exercising any of these rights.
To exercise any of these rights, sign in to your account and visit Settings → Privacy, or email [email protected]. We will respond within 45 days as required by CCPA, with one 45-day extension if necessary.
California residents: The categories of personal information we collected, used, and disclosed in the preceding 12 months are set out in § 2 and § 4 above. We did not “sell” or “share” personal information as those terms are defined under CCPA.
10. Children
Our service is intended for adults applying for a residential mortgage. We do not knowingly collect personal information from anyone under 18, and our service is not available to minors.
11. Cookies and tracking
We use only first-party, strictly-necessary cookies for authentication, security, and remembering your in-progress application. We do not use third-party advertising or analytics cookies. We do not respond to “Do Not Track” signals, because we do not engage in cross-site tracking that they would limit.
12. International users
Our service is intended for borrowers seeking to finance real estate located in the United States. All of our infrastructure and data processing is in the United States. If you access the service from outside the U.S., you consent to processing in the U.S.
13. Changes to this policy
We will post any material changes to this policy on this page and update the “Last updated” date. When required by law we will notify registered users by email at least 30 days before the change takes effect.
14. Contact us
Privacy questions: [email protected].
General questions: [email protected].
Postal: Freakyfast, Inc., attn: Privacy, 1209 Orange Street, Wilmington, DE 19801.
You may also file a complaint with the Consumer Financial Protection Bureau (CFPB) at consumerfinance.gov/complaint, or your state Attorney General.
Policy version: glba_v1_2026-05-25 · doc sha256 fingerprint logged on each consent