Privacy Policy

1.1 Information Brokers provide directly

• Account information. Name, email address, business name, phone number, business address, and password (we never store passwords in plaintext).
• Billing information. Payment card details (handled by our payment processor; we do not store card numbers ourselves).
• Configuration. AI agent scripts, calling campaigns, cloned voice samples (only when you explicitly upload them with attestation of consent), pipeline stages, and team member access settings.
• Communications. Support requests, emails to us, and feedback you provide.

1.2 Information about Applicants

Brokers upload, or cause to be collected, information about their Applicants. This may include:

• Contact and business identity. Name, phone, email, business legal name, DBA, industry, state, time in business.
• Application data. Monthly revenue, requested amount, use of funds, owner information (full legal name, date of birth, last 4 of Social Security Number, home address, ownership percentage), and similar information collected on the application form.
• Bank and transaction data via Plaid. When an Applicant connects their bank account through Plaid Inc. ("Plaid"), we receive bank account verification data (account holder name, account and routing number, account type) and historical transaction data (typically 3–6 months). We use Plaid as a service provider; Plaid's own use of the data is governed by Plaid's End User Privacy Policy.
• Identity verification. Images of government-issued identity documents (driver's license, passport, state ID) and selfie images used to verify identity, processed through Plaid Identity Verification.
• Call recordings and transcripts. When an Applicant speaks with one of our AI calling agents on a Broker's behalf, the call is recorded and transcribed. The recording, transcript, and an AI-generated summary are stored in the Service and accessible to the Broker.
• Uploaded documents. Bank statements, voided checks, and any other documents the Applicant uploads through the application flow.
• Signed agreements. Application disclosures, authorizations, and e-signatures.

1.3 Information collected automatically

• Usage and device information. IP address, browser type, operating system, device identifiers, pages viewed, actions taken, timestamps, and referrer URL.
• Cookies and similar technologies. Session cookies for authentication, security cookies for fraud prevention, and analytics cookies to understand how the Service is used. You can control cookies through your browser settings.

We use information for these purposes:

• Provide and operate the Service — including account creation, authentication, calling and messaging, application processing, document storage, and dashboard analytics.
• Verify identity and prevent fraud — including identity verification through Plaid, watchlist screening, anomaly detection, and risk scoring.
• Communicate — including service announcements, security alerts, billing notices, and support responses. With consent, we may also send marketing or product updates; you can opt out at any time.
• Improve the Service — including analytics, A/B testing, debugging, and AI-model evaluation, using aggregated or de-identified data where possible.
• Comply with law and protect rights — including responding to legal process, enforcing our Terms of Service, and protecting against fraud, security incidents, or harm to ourselves or others.

We do not sell personal information. We do not use Applicant personal information to train general-purpose AI models, to offer products to Applicants directly, or for any purpose other than providing the Service to the Broker who collected it.

We share information only as necessary to operate the Service and as described below. We do not sell personal information.

• With the Broker who collected it. Applicant information is shared with the Broker on whose behalf it was collected. The Broker's use of that information is governed by the Broker's own privacy policy and the laws applicable to them.
• With subprocessors who help us run the Service. See Section 4 for the current list. Each subprocessor is bound by a contract that restricts their use of data to providing services to us.
• With lenders, banks, and funders — but only when the Broker explicitly initiates a submission of an Applicant's file. Brokers control which lender receives which file.
• For legal reasons. We may disclose information in response to subpoenas, court orders, or other legal process; to protect our rights, property, or safety; or in connection with an investigation of suspected fraud or unauthorized access.
• In a corporate transaction. If we are acquired, merged, or sell all or substantially all of our assets, your information may be transferred as part of that transaction, subject to this Privacy Policy.
• With your consent. For any other purpose disclosed at the time of collection, with your explicit consent.

We use the following third parties to provide the Service. We update this list when we add or change subprocessors.

• Supabase Inc. — managed Postgres database, file storage, and authentication infrastructure (United States).
• Vercel Inc. — application hosting, edge network, and serverless compute (United States).
• Plaid Inc. — bank account verification, transaction history, identity verification, and KYC compliance (United States).
• Twilio Inc. — outbound and inbound telephony, SMS delivery, and call recording (United States).
• ElevenLabs Inc. — voice synthesis, voice cloning, and conversational AI for outbound calls (United States).
• Anthropic PBC — large language model used for post-call analysis and call summary generation (United States).
• Resend Inc. — transactional email delivery (United States).
• Stripe Inc. — payment processing for Broker subscriptions (United States).

We retain personal information only as long as needed for the purposes it was collected and to comply with our legal obligations.

• Funded deal records: seven (7) years from the date of funding, consistent with standard MCA recordkeeping and federal recordkeeping rules.
• Non-funded applications and inquiries: two (2) years from the date of the last activity, then permanently deleted or de-identified.
• Call recordings and transcripts: the same period as the underlying application record (above). Brokers may request earlier deletion of specific records subject to legal hold rules.
• Broker account data: for as long as the Broker maintains an active account, plus thirty (30) days after account closure to permit data export.
• Backups and disaster-recovery copies are retained on a rolling basis and overwritten or aged out within ninety (90) days.

Where law requires longer retention (for example, anti–money laundering recordkeeping), we will retain the data only as long as required and then delete it.

We use industry-standard security practices to protect information:

• Data encrypted at rest using AES-256.
• Data encrypted in transit using TLS 1.2 or higher.
• Row-level security on our Postgres database so application code cannot read data outside the scope of the authenticated user.
• Secrets and API keys stored exclusively in encrypted environment variable systems; never in source code.
• HMAC signature verification on inbound webhooks.
• Multi-factor authentication required on every administrative account.
• Least-privilege API scopes for all third-party integrations.
• Private source code repositories with branch protection.

No method of electronic storage or transmission is 100% secure. If we become aware of a security incident that materially affects your data, we will notify you and the appropriate authorities in accordance with applicable law.

7.1 All users

You may access, correct, export, or delete your personal information at any time. Brokers can do most of this directly in the Service. Applicants can request access, correction, or deletion by emailing privacy@mainline-op.com; we may route your request to the Broker who controls the data.

7.2 California residents (CCPA / CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect about you.
• Receive a copy of your personal information.
• Request deletion of your personal information (subject to certain exceptions, such as completing a transaction you initiated or complying with a legal obligation).
• Correct inaccurate personal information.
• Opt out of the "sale" or "sharing" of personal information. Mainline does not sell or share personal information for cross-context behavioral advertising.
• Limit the use of sensitive personal information.
• Not be discriminated against for exercising any of these rights.

To exercise these rights, email privacy@mainline-op.com. We may need to verify your identity before responding to a request.

7.3 Other state privacy laws

Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others) may have similar rights of access, correction, and deletion. Send requests to privacy@mainline-op.com.

7.4 Marketing communications

You can opt out of marketing emails at any time using the unsubscribe link in any marketing email, or by emailing us. Transactional emails (security alerts, billing notices, account messages) will continue because they are part of the Service.

The Service is intended for businesses and is not directed at children under sixteen (16). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us and we will delete it.

Mainline is operated in the United States, and all data is processed and stored in the United States. If you access the Service from outside the United States, you are transferring your information to the United States, where data-protection laws may differ from those in your jurisdiction.

We may update this Privacy Policy from time to time. If we make a material change, we will notify you by email or by posting a notice within the Service before the change becomes effective. The "Last updated" date at the top of this page reflects the latest version.

For any privacy question, request, or complaint, contact our privacy team at:

AGN Services LLC
21346 Saint Andrews Blvd
Boca Raton, FL 33433
Email: privacy@mainline-op.com