Privacy Policy of Purelend Technologies Inc.

1. Overview; Scope of This Policy

This Privacy Policy describes the manner in which Purelend Technologies Inc., an Alberta corporation ("Purelend," "we," "us," or "our"), collects, uses, discloses, safeguards, stores, transfers, and otherwise processes Personal Information in connection with the Purelend Mortgage Assistant software‑as‑a‑service underwriting operations platform, including the web properties located at purelend.ai and any related mobile, desktop, API, or integrated services (collectively, the "Service"). The Policy is intended to satisfy core transparency and notice obligations imposed under Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), Alberta's Personal Information Protection Act ("Alberta PIPA"), and applicable United States privacy and financial‑sector laws, including the Gramm‑Leach‑Bliley Act ("GLBA") and consumer privacy statutes such as the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA"), to the extent those laws apply to our activities. Where laws in a particular jurisdiction impose requirements that are more stringent than those described here, we will comply with those heightened standards for individuals in that jurisdiction.

Because U.S. privacy regulation is evolving through a patchwork of state laws with differing consent, opt‑out, and sensitive‑information rules, and because our platform supports participants across North American mortgage markets, we design our privacy program to accommodate baseline requirements common across these laws while implementing additional, jurisdiction‑specific controls where mandated. We will update jurisdiction‑specific notices as new state laws take effect.

2. Key Definitions

"Personal Information" (also referred to as "personal data" or, in some U.S. financial laws, "nonpublic personal information") means information about an identifiable individual under PIPEDA and Alberta PIPA; information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household under the CCPA/CPRA; and nonpublic personal information relating to a consumer financial product or service under GLBA. Where this Policy uses the term Personal Information, it should be read broadly to encompass these definitions to the extent necessary to satisfy applicable law.

"Processing" means any operation or set of operations performed on Personal Information, including collection, use, disclosure, storage, transfer, analysis, modification, and disposal, whether by automated or manual means. The term is used for convenience and encompasses the concepts of "collect, use, and disclose" found in Canadian law and "collect, use, share, sell, or otherwise process" found in U.S. consumer privacy statutes.

"Financial Institution" and "Nonpublic Personal Information (NPI)" have the meanings assigned in GLBA and its implementing regulations. Purelend acts solely as a service provider.

3. Categories of Personal Information We Process and Sources

We process Personal Information that you or your organization submit to the Service; information generated by your use of the Service; information obtained from participating lenders, brokers, service providers, credit reporting agencies, and other counterparties engaged to support underwriting and related workflows; and information collected automatically through log files, cookies, or similar technologies. Subject to data minimization principles described below, the categories of Personal Information we may process include identifiers such as name and professional contact information; commercial and financial information such as loan application data, down‑payment source documentation, account and transaction information, and related metadata; professional or employment‑related information such as company affiliation, licensing or credential information relevant to mortgage operations; internet or network activity such as log data, device/browser characteristics, and IP‑derived location data; and communications records such as support requests, feedback, and audit trails generated through the Service. Sensitive data elements—such as government identification numbers, full financial account numbers, or information about minors—are handled with heightened safeguards and, where required by law, additional consent or limitation requirements.

Data Minimization and Upload Responsibility

Purelend seeks to collect and process only the Personal Information reasonably necessary to provide and improve the Service and to meet legal and regulatory obligations associated with mortgage and financial‑sector activities. Users, administrators, and subscribing organizations are responsible for ensuring that any information they upload or otherwise submit to the Service is relevant to the underwriting or related workflow for which the Service is being used, and that they have the lawful authority—including all required notices, consents, client authorizations, broker mandates, and contractual rights—to provide such information to Purelend for processing by or on behalf of their organization. If you upload information about third parties (for example, borrower financial records, joint applicant data, or guarantor information), you represent and warrant that doing so is compliant with all applicable privacy, confidentiality, contract, licensing, professional conduct, and data protection obligations that apply to you. Please do not upload unnecessary, unrelated, or excessive Personal Information.

4. Purposes for Which We Process Personal Information

We collect and process Personal Information only for purposes that a reasonable person would consider appropriate in the circumstances, for uses identified at or before the time of collection, and for additional uses that are compatible with those original purposes or otherwise permitted or required by law. Principal purposes include establishing, authenticating, and administering user accounts; enabling team‑based collaboration among authorized users on mortgage applications and related financial documentation; facilitating intake, validation, underwriting, decisioning, and lifecycle management of mortgage and other credit applications; generating audit trails, compliance artifacts, and broker notes required by lenders and regulators; communicating with you about accounts, system updates, compliance alerts, and support; improving, securing, and developing the Service; meeting legal, regulatory, reporting, and record‑keeping obligations in the mortgage and financial services sectors; detecting, preventing, and investigating fraud, money laundering, and security incidents; and enforcing agreements, including terms of service and acceptable use policies. We do not use borrower‑level content or user‑submitted documents for advertising or for training generalized artificial intelligence models unrelated to providing the Service unless you have expressly authorized such use in a written agreement.

5. Legal Bases; Consent and Other Permitted Grounds

Under PIPEDA and Alberta PIPA, we rely on knowledge and consent—express or implied, depending on sensitivity and context—to collect, use, and disclose Personal Information, except where exemption or other legal authority permits processing without consent (for example, to comply with subpoenas or regulatory investigations, to collect debts, to prevent or investigate fraud or security incidents, or in other circumstances authorized by law). Individuals may withdraw consent, subject to legal or contractual restrictions and reasonable notice, and we will inform individuals of the implications of such withdrawal where material.

Under the CCPA/CPRA and similar U.S. state consumer privacy laws, we provide notice of categories collected and purposes, honor verifiable consumer requests to know, access, correct, delete, and opt out of sales or sharing of Personal Information for cross‑context behavioral advertising, and limit the use and disclosure of sensitive Personal Information when required. Purelend does not sell or share Personal Information as those terms are defined by California law. Should that practice change, we will provide legally required notice and opt‑out mechanisms before any such activity.

Where Purelend acts as, or on behalf of, a financial institution subject to GLBA, we provide initial and, where required, annual privacy notices describing our information‑sharing practices and any applicable consumer opt‑out rights with respect to sharing certain categories of nonaffiliated third‑party disclosures; exceptions apply for service providers, processing, and other permitted disclosures.

6. Disclosure of Personal Information

Purelend will not disclose, license, sell, rent, or otherwise make available Personal Information, user content, or borrower documentation to any third party except as necessary to operate the Service, as you (or your organization's authorized administrator) expressly instruct or authorize, or as required or permitted by applicable law. We do not disclose Personal Information for third‑party marketing purposes.

Disclosures necessary to operate the Service include: (i) making submitted information visible to authorized members of your organization's Purelend workspace—such as brokers, underwriters, compliance officers, processors, and administrators—so they can collaborate on applications and documents; (ii) transmitting, at your direction or pursuant to the documented workflows you configure, relevant application and supporting documentation to lenders, investors, insurers, settlement agents, credit reporting agencies, or other counterparties involved in evaluating, funding, insuring, purchasing, securitizing, or servicing mortgage and related credit transactions; (iii) engaging contracted service providers (sometimes referred to as subprocessors) that supply hosted infrastructure, secure document storage, authentication, communication delivery, logging, auditing, analytics necessary to measure system performance (configured to minimize Personal Information), and other operational support functions essential to delivering the Service; and (iv) other disclosures you authorize in writing.

We may also disclose Personal Information when we believe, in good faith, that the disclosure is authorized or required by applicable law, regulation, court order, subpoena, lawful request of law enforcement or regulatory authorities, or to protect the rights, property, safety, or security of Purelend, our users, or the public. If Purelend enters into a merger, acquisition, financing, reorganization, receivership, bankruptcy, or sale of some or all assets, Personal Information may be transferred as part of the transaction, subject to applicable legal requirements governing notice and consent (where required) for business transfers that result in materially different processing.

7. Cross‑Border Storage and Transfers

Purelend hosts and processes Personal Information using secure cloud and related technical infrastructure located in North America (currently within Canada and the United States). Your Personal Information may therefore be transferred to, stored in, or accessed from servers in either country and may be subject to the laws and lawful access requests of courts, law enforcement, and national security authorities in those jurisdictions. We require service providers to maintain appropriate safeguards and to process Personal Information only for authorized purposes.

8. Safeguards; Security of Personal Information

We maintain a written information security program that includes administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of Personal Information, taking into account the sensitivity of the data, the risks of unauthorized access or use, the technologies available, and the cost of implementation. Program elements include the designation of qualified personnel to coordinate security; documented risk assessments and periodic reassessments; access controls and the principle of least privilege; strong user authentication (including multi‑factor authentication for privileged or remote access); encryption of data in transit and at rest (or, where encryption is not feasible, compensating controls that provide a comparable level of protection); secure software development and change management practices; vendor and service provider due diligence and ongoing oversight; vulnerability management, penetration testing, and continuous monitoring proportional to risk; employee security awareness and role‑based training; and policies and technical measures to prevent, detect, and respond to unauthorized access.

9. Incident Response; Breach Notification

We maintain procedures to detect, investigate, contain, remediate, and document actual or suspected unauthorized access, acquisition, use, or disclosure of Personal Information. Where a breach of security safeguards creates a real risk of significant harm to an individual, we will report the breach to the appropriate privacy regulator(s) and notify impacted individuals as required by the PIPEDA Breaches of Security Safeguards provisions, Alberta PIPA breach reporting requirements, and applicable U.S. federal and state data breach and consumer notification laws.

10. Retention and Secure Disposal

We retain Personal Information only as long as necessary to fulfill the purposes for which it was collected, to meet legal, regulatory, audit, or reporting requirements, to resolve disputes, to enforce agreements, and to protect against fraud or abuse. Retention periods vary by record type; for example, mortgage underwriting records and related financial documentation are often subject to multi‑year statutory or regulatory retention mandates. When Personal Information is no longer required, we will anonymize, aggregate, or securely destroy it in accordance with industry standards and applicable law.

11. Your Privacy Rights

11.1 Rights Under Canadian Law

Subject to limited exceptions, individuals have the right to request access to Personal Information held by Purelend; to obtain information about how that data has been used and disclosed; to challenge the accuracy and completeness of the data and request corrections; and to withdraw consent to further use or disclosure (subject to legal or contractual restrictions and reasonable notice). Individuals may complain to Purelend's Privacy Officer about our practices. If concerns are not resolved, individuals may escalate complaints to the Office of the Privacy Commissioner of Canada (under PIPEDA) or, in Alberta, to the Office of the Information and Privacy Commissioner (under Alberta PIPA).

11.2 Rights for Residents of U.S. States With Consumer Privacy Laws (Including California)

Depending on your U.S. state of residence, you may have one or more of the following rights with respect to Personal Information: the right to know or access specific pieces and categories of Personal Information we have collected; the right to request correction of inaccurate Personal Information; the right to request deletion of Personal Information, subject to statutory exceptions (for example, completing transactions, detecting security incidents, or complying with legal obligations); the right to data portability; the right to opt out of the sale of Personal Information; the right to opt out of the sharing of Personal Information for cross‑context behavioral advertising; the right to limit the use or disclosure of sensitive Personal Information; and the right to be free from discrimination for exercising your privacy choices. Scope, definitions, request methods, response timelines, and appeal mechanisms vary by state; California law is currently among the most comprehensive and serves as a reference point for many multi‑state compliance programs.

To exercise your U.S. state privacy rights, please submit a verifiable consumer request by emailing privacy@purelend.ai with the subject line "Privacy Rights Request." We will respond within the timeframe required by applicable law and will explain any denial and available appeal rights.

11.3 GLBA Financial Privacy Opt‑Out (Where Applicable)

When Purelend establishes a customer relationship that is subject to GLBA, we will provide a separate initial privacy notice (and annual notice where required) describing the categories of NPI we collect, the categories of recipients with whom we share, and the consumer's right to opt out of certain disclosures of NPI to nonaffiliated third parties outside of permitted exceptions. Instructions for exercising any applicable GLBA opt‑out will accompany that notice.

12. Cookies and Similar Technologies

The Service uses cookies and similar technologies strictly necessary to enable core functionality such as secure login, session management, load balancing, and fraud prevention. We may also use measurement or analytics technologies to help us understand aggregate Service performance so that we can maintain reliability, security, and compliance; these analytics functions are configured to minimize the use of Personal Information, and where required we will provide appropriate notice and obtain any required consent or offer opt‑out choices. Consumers in certain jurisdictions (including California) may have rights to opt out of specific types of tracking; our in‑Service privacy settings and cookie controls are structured to support those requirements.

13. Children's Privacy

The Service is directed to professional and enterprise users in the mortgage and financial services ecosystem and is not intended for use by children. We do not knowingly collect Personal Information online from children under 13 years of age, and we require all registered users to represent that they are at least the age of majority applicable in their jurisdiction (18 in most provinces and states) when establishing an account. Where law imposes heightened standards for minors' Personal Information, we will comply with those requirements.

14. Changes to This Privacy Policy

We may amend this Privacy Policy from time to time to reflect changes in legal requirements, industry standards, or our practices. When we make material changes, we will provide conspicuous notice (for example, via in‑Service banner, email notification, or other direct communication) and will update the "Last Updated" date at the top of the Policy. In cases where required by law—such as material retroactive changes to the categories of Personal Information collected or new purposes of use—we will obtain any required consent or provide additional notice at or before the time the change becomes effective.

15. Contacting Purelend's Privacy Officer

Questions, requests to exercise rights, complaints, and other communications regarding this Privacy Policy or our privacy practices may be directed to our designated Privacy Officer using the contact information below. Written inquiries are preferred for record‑keeping and to facilitate accurate response.

Individuals in Canada who are not satisfied with our response may contact the Office of the Privacy Commissioner of Canada (OPC) or, in Alberta, to the Office of the Information and Privacy Commissioner (OIPC) for further review. California residents and other U.S. state residents may also contact their state privacy regulator (for example, the California Privacy Protection Agency) if concerns remain unresolved.

16. Governing Law

Except to the extent a different law is mandatorily applicable, this Privacy Policy, and any disputes arising from or relating to it or to our handling of Personal Information, shall be governed by and construed in accordance with the laws of the Province of Alberta and the federal laws of Canada applicable therein, without regard to conflict of laws principles. Where U.S. federal or state laws (including GLBA and CCPA/CPRA) apply to specific processing or confer non‑waivable rights on individuals, those laws will control to the extent of any conflict. In construing this Policy, headings are for convenience only and do not affect interpretation.