Anilize logoAnilize
Sign upSign up

Legal

Privacy Policy

This repo-authored draft is pending legal review before production publication. It describes how Anilize collects, uses, stores, and protects personal information.

Version 1.0.0 · Last updated 2026-04-30

For questions or rights requests, email privacy@anilize.com, or use the contact page.

Information we collect

  • Account and workspace information, including name, email, company, role, NMLS license records, and authentication metadata.
  • Mortgage workflow information entered by Customer or end users into Anilize, including borrower contact, loan application, document, rate, and communication details.
  • Integration data from connected services, including CRM, Loan Origination System, email, calendar, analytics, and Plaid Link when an end user chooses to connect a financial account.
  • Security and usage data, including device, browser, IP address, session, audit, and event records.
  • Inferences and insights generated by Anilize through Customer-directed AI features, where outputs are persisted to the Customer workspace.

GLBA and borrower nonpublic personal information

  • Anilize is subject to and supports Customer's compliance with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. Anilize maintains administrative, technical, and physical safeguards reasonably designed to protect borrower nonpublic personal information.
  • Borrower nonpublic personal information collected through the Services is processed solely for the loan-origination workflow Customer directs. Anilize does not sell borrower personal information.
  • Anilize encrypts third-party credentials at rest using AES-256-GCM and uses TLS for data in transit. Production database access is gated by row-level security and a least-privilege role model.

Plaid Link data

  • When Plaid Link is used, Anilize may receive financial account, balance, transaction, income, employment, asset, identity, and account-owner information depending on the verification product Customer has enabled (Plaid Check, Plaid Income, Plaid Layer, or Plaid Monitor).
  • Plaid credentials are never shared with or stored by Anilize. Plaid collects credentials directly from the borrower through Plaid Link and returns authorized data to Anilize through Plaid services.
  • Plaid data is used to verify income, assets, identity, and application readiness for the mortgage origination workflow Customer directs. Anilize does not use Plaid data to construct or substitute for a Fair Credit Reporting Act 'consumer report'.
  • Borrowers may review their connected accounts and request deletion of Plaid-managed data through Plaid Portal at https://my.plaid.com/. Borrowers may also disconnect accounts or request deletion through Anilize support, subject to legal, fraud-prevention, audit, and mortgage compliance retention requirements.
  • Plaid's End User Privacy Policy is available at https://plaid.com/legal/#end-user-privacy-policy and Plaid's End User Services Agreement governs the borrower's relationship with Plaid.

How we use information

  • Provide, secure, support, and improve the Anilize platform.
  • Operate mortgage origination, CRM, borrower verification, rate, document, communication, and analytics workflows Customer has configured.
  • Prevent fraud, enforce access control, monitor security events, and comply with legal obligations.
  • Communicate product, support, billing, security, and administrative notices.
  • Develop aggregated, deidentified analytics. Anilize does not use Customer Data to train AI models without an executed Training Consent Form covering the specific tenant scope.

How long we keep information

  • Account and workspace identity records: retained for the active term of the customer relationship plus a reasonable period to satisfy audit, legal, and tax obligations.
  • Mortgage workflow records: retained per applicable mortgage origination retention requirements (typically the greater of three years from loan funding or the period required by the originating jurisdiction).
  • Plaid-derived borrower data: retained per Anilize's processing instructions from Customer, subject to legal, fraud-prevention, and audit retention.
  • AI agent run logs and tool-permission audit records: 90 days, then aggregated.
  • Application usage events: 365 days, then aggregated.
  • Encrypted third-party credentials: retained for the active integration; deleted on disconnection.

How we protect information

  • Access is limited by role, tenant, resource ownership, and business need. Production data access is logged and reviewed.
  • Production systems use TLS in transit, provider-managed encryption at rest, application-level AES-256-GCM encryption for third-party credentials, vulnerability scanning, and access reviews.
  • Security lifecycle changes are audited, including suspension, reactivation, transfer, and credential revocation.
  • Vendors that process personal information must support appropriate confidentiality, security, and compliance obligations. The current Anilize subprocessor list is published at /legal/subprocessors.

Your rights

  • Depending on location and relationship to Anilize, individuals may request access, correction, deletion, restriction, portability, or withdrawal of consent for their personal information.
  • Borrower requests are routed through Customer where Customer is the controller of borrower data. Anilize will support Customer in fulfilling verified borrower requests, subject to legal, fraud-prevention, audit, and mortgage compliance obligations.
  • Requests can be sent to privacy@anilize.com. Anilize may verify identity and may retain records where required by law, contract, security, or mortgage compliance obligations.

Subprocessors

  • Anilize uses trusted service providers for hosting, data storage, authentication, observability, communications, payments, AI inference, and financial verification. The current list of subprocessors is published at /legal/subprocessors and is updated as the vendor footprint changes.

International data transfers

  • Anilize is based in the United States. Customer Data is stored in U.S.-region cloud infrastructure operated by Anilize's hosting and database providers.
  • International data transfers, where applicable, rely on appropriate transfer mechanisms documented in the Anilize Data Processing Addendum, available at /legal/dpa.

Changes

  • Anilize may update this Privacy Policy as products, legal requirements, or security controls change. Material updates will be published on this page and, where required, communicated through the contact on file.

Contact

  • Anilize, Inc.
  • 1608 Metropolitan Circle, Ste. A, Tallahassee, FL 32308
  • Email: privacy@anilize.com
Privacy Policy | Anilize | Anilize