MCA Broker Stack

Privacy Policy

Last updated: May 17, 2026

This Privacy Policy applies to MCA Broker Stack (accessible at mcabrokerstack.com), a product owned and operated by AI Consulting Ventures LLC ("Company," "we," "us," or "our"). This policy explains how we collect, use, disclose, and protect information when you use our platform. The Platform operates as a multi-tenant environment serving merchant cash advance (MCA) brokers, independent sales organizations (ISOs), sub-ISOs, and their merchant clients.

1. Who We Are

This Privacy Notice is issued by AI Consulting Ventures LLC ("we", "us", "our"), trading as MCA Broker Stack, the operator of mcabrokerstack.com and the MCA Broker Stack platform (the "Service"). AI Consulting Ventures LLC is the data controller responsible for the personal information described below and acts as a data processor for data submitted by Tenants and their merchants.

AI Consulting Ventures LLC

d/b/a MCA Broker Stack

Website: mcabrokerstack.com

Email: team@mcabrokerstack.com

2. Information We Collect

A. Information You Provide Directly

  • Account data (name, email, password hash, organization, role) — to create and secure your account. Legal basis: contract.
  • Merchant application data — business legal name, DBA, EIN/Tax ID, SSN (last 4 or full where required), business address, phone, revenue, time in business, ownership information.
  • Financial documents — bank statements (PDF/image uploads), voided checks, tax returns, and other stipulation documents.
  • Communications — messages sent within the Platform's messaging module, email drafts, support tickets, SMS/call logs. Legal basis: contract / consent for marketing.
  • Deal and offer data — funding amounts, factor rates, commission structures, funder submission packages.
  • Billing data — collected and processed by our billing provider; we receive only limited transaction metadata. Legal basis: contract / legal obligation.

B. Information Collected Automatically

  • Log data: IP addresses, browser type, pages visited, timestamps, referrer URLs.
  • Authentication events: login attempts, OTP verifications, device trust records, session tokens.
  • Usage data: feature interactions, workflow completions, AI feature usage, OCR processing events.
  • Cookies and local storage (see Section 8).

C. Information from AI & OCR Processing

  • Bank statement data extracted via Anthropic vision OCR and AI models: account numbers (masked), transaction histories, average daily balances, deposit counts, NSF/overdraft patterns.
  • AI-generated intelligence summaries, risk scores, and pre-qualification assessments.
  • AI usage metadata per Tenant for billing purposes.

D. Information from Third-Party Integrations

When you authorize connections to Salesforce, Gmail, Microsoft Outlook, Plaid, or ACH Works, we receive data as described in the integration-specific sections below (Sections 4–8).

3. How We Use Your Information

  • Operate the Platform: process funding applications, analyze bank statements, generate deal packages, manage funder submissions.
  • Authenticate users: verify identity via OTP, manage trusted devices, issue and revoke session tokens.
  • AI-powered features: generate pre-qualification assessments, intelligence summaries, email drafts, and deal calculators using uploaded financial data.
  • Communications: send transactional emails (application confirmations, OTPs, abandonment reminders, renewal notifications) via Gmail or Outlook integrations and our email delivery system.
  • Billing & subscription management: track AI token usage, calculate billing charges, manage subscription plans.
  • CRM sync: push deal and merchant data to connected Salesforce orgs per Tenant-configured field mappings and sync rules.
  • Analytics: monitor OCR health, AI usage, integration health, and funder performance metrics — aggregated and internal only.
  • Compliance: maintain audit logs, detect fraud, fulfill legal obligations.
  • Support: respond to tickets, diagnose technical issues.

We do not sell your personal information or use it to train third-party AI models without your explicit consent. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes; SMS-related data sharing is limited to subcontractors supporting the messaging service and is prohibited for any other use.

4. Salesforce Integration

When a Tenant enables the Salesforce integration, MCA Broker Stack connects to the Tenant's Salesforce org via OAuth 2.0. We access and write data to Salesforce objects (Leads, Opportunities, Accounts, Contacts, and custom objects) according to field mappings and sync rules configured by the Tenant administrator.

  • Outbound (MCA Broker Stack → Salesforce): merchant/deal records, application status updates, offer details, commission data — based on Tenant-configured mapping rules.
  • Inbound (Salesforce → MCA Broker Stack): record pulls on scheduled cron cycles to keep deal and merchant records in sync.
  • Access controls: Salesforce OAuth tokens are stored encrypted. Tenants can revoke access at any time from Settings → Integrations, which immediately invalidates stored tokens.

Data synced to Salesforce is governed by the Tenant's own Salesforce data governance policies. AI Consulting Ventures LLC is not responsible for how data is handled within a Tenant's Salesforce org once synced. Salesforce's privacy policy: salesforce.com/company/legal/privacy/

5. Plaid Integration

MCA Broker Stack integrates with Plaid Technologies, Inc. to enable bank account verification and financial data retrieval for merchant applicants.

  • Bank account and routing numbers (used solely for verification and ACH processing).
  • Account balances, transaction histories, and income data.
  • Institution names and account ownership details.

Consent: Merchants authorize Plaid access through the Plaid Link consent flow, which requires explicit agreement to Plaid's End User Privacy Policy. We do not access bank credentials — only tokenized data Plaid provides after consent.

Purpose limitations: Plaid data is used exclusively for (a) verifying bank account ownership, (b) generating financial analysis summaries to support underwriting, and (c) ACH payment processing. We do not use Plaid data for marketing or resale. Merchants may revoke Plaid access at any time at my.plaid.com. Plaid's privacy policy: plaid.com/legal/#end-user-privacy-policy

6. Google API Services — Gmail (Limited Use)

MCA Broker Stack lets brokers and reps connect their Google account (Gmail) so that applicant follow-up emails and deal packages are sent from the rep's own mailbox. We request only the gmail.send scope — we never read, list, modify, or delete messages in your mailbox without explicit additional authorization.

Limited Use disclosure. MCA Broker Stack's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Gmail data only to send 1-to-1 emails that the rep initiates or schedules from within the Service. We do not use Gmail data for advertising, training AI/ML models, or any purpose unrelated to the Service.
  • We do not sell or share Gmail data with third parties except as needed to provide the Service (cloud hosting), to comply with applicable law, or with the user's explicit consent.
  • We do not allow humans to read Gmail data unless (a) we have your explicit consent, (b) it is necessary for security purposes, (c) it is required by applicable law, or (d) data is aggregated for internal operations in line with Limited Use requirements.
  • OAuth tokens are stored encrypted at rest (AES-256-GCM) and used only to send mail on behalf of the connected rep. Revoke access at any time from your Google Account permissions page or by clicking Disconnect in Settings → Mailbox within MCA Broker Stack.

7. Microsoft Outlook Integration (Microsoft Graph API)

Tenants may connect Microsoft 365 / Outlook accounts via OAuth 2.0 to enable Platform-based email sending and funder inbox parsing. We request Mail.Send, Mail.ReadWrite (where inbox parsing is enabled), and offline_access permissions.

  • Outlook data is used only to send deal packages, receive and parse funder responses, and manage Tenant outreach workflow. We do not use Outlook message content for advertising, profiling, or resale.
  • Microsoft OAuth tokens are stored encrypted. Automated cron jobs refresh tokens before expiration and renew Microsoft Graph webhook subscriptions. Subscriptions are immediately cancelled upon disconnection.
  • Revoke access at any time from Settings → Integrations or at account.microsoft.com/permissions.

The same Limited Use principles described in Section 6 apply to data accessed through Microsoft Graph. Microsoft's privacy policy: privacy.microsoft.com/en-us/privacystatement

8. ACH Works Integration

The Platform integrates with ACH Works to facilitate ACH (Automated Clearing House) electronic payment processing for funding transactions and related financial flows.

  • Bank account numbers, routing numbers, and ACH authorization data (account holder name, authorization date, IP address) are collected for payment processing only.
  • NACHA compliance: ACH transactions comply with NACHA Operating Rules, including the Supplementing Data Security Requirements for WEB debits. Bank account data is encrypted at rest and in transit; we do not store full account numbers in plaintext at any layer of the application stack.
  • ACH debit entries are only initiated with proper signed authorization from the account holder.

ACH Works privacy notice: ww3.achworks.com/consumer-privacy-notice/

9. How We Share Information

We share personal data only with:

  • Tenants: Brokers/ISOs have access to merchant data submitted through their branded application forms.
  • Funders (at Tenant direction): Deal packages including merchant financial data are sent to funders explicitly chosen by the Tenant via the submission desk.
  • Integration partners: Salesforce, Plaid, Google (Gmail), Microsoft (Outlook), and ACH Works — solely as described in Sections 4–8.
  • Infrastructure providers / subprocessors: Supabase (database and auth), AWS (S3 document storage), Anthropic (OCR and AI), Vercel (hosting), Resend (transactional email), Cloudflare (DNS/security) — each bound by data processing agreements.
  • Professional advisers (legal, accounting, auditors) under duties of confidentiality.
  • Authorities where required by law, regulation, court order, or to protect our rights.
  • Business transfers: in connection with a merger, acquisition, or sale of assets, subject to confidentiality protections.

We do not sell your personal information or use it for cross-context behavioral advertising.

10. Data Retention

We retain personal data only as long as necessary for the purposes described above or as required by law (typically the life of your account plus up to 7 years for financial and tax records).

  • Active applications and deal records: retained for the Tenant subscription life plus a minimum 7-year financial recordkeeping period.
  • Deleted/trashed applications: 30-day recovery window; permanently purged after 30 days.
  • Authentication and device logs: 90 days for security auditing.
  • AI processing logs: 12 months for billing verification.
  • Generated PDFs and temporary exports: automatically cleaned up within 24–72 hours per our scheduled cleanup process.

To request deletion of your data, email team@mcabrokerstack.com. We will fulfill verifiable requests within 30 days except where retention is required by law.

11. Security

We use appropriate technical and organizational measures to protect personal data, including:

  • TLS/HTTPS for all data in transit (enforced via Strict-Transport-Security headers).
  • Encrypted storage of OAuth tokens, API keys, and banking credentials (AES-256-GCM).
  • Row-level security (RLS) policies in Supabase to enforce Tenant data isolation.
  • Multi-factor authentication (OTP) required for platform login.
  • Trusted device management with device revocation capabilities.
  • Security headers: X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy no-referrer.
  • Role-based access controls across broker, rep, funder, underwriter, and admin roles.

No system is perfectly secure; please notify us immediately of any suspected compromise at team@mcabrokerstack.com.

12. Financial Privacy — GLBA

Because MCA Broker Stack facilitates financial services, certain data we handle may be subject to the federal Gramm-Leach-Bliley Act (GLBA) and applicable state financial privacy laws. We treat merchant financial information — including SSNs, EINs, bank account data, income information, and credit-related data — as Nonpublic Personal Information (NPI) subject to heightened protection.

  • We do not share NPI with unaffiliated third parties for marketing purposes without authorization.
  • NPI is shared only as necessary to service and process the merchant's funding application.
  • We maintain a written Information Security Program consistent with the GLBA Safeguards Rule (including FTC 2023 amendments), covering encryption, access controls, incident response, and vendor oversight.

Tenants operating as financial institutions subject to GLBA are responsible for providing their own privacy notices to consumers as required by the Act.

13. Your Rights & Choices

Subject to applicable law, you have the right to access, rectify, delete, restrict, or port your personal data, to object to certain processing, and to withdraw consent at any time. UK/EEA residents also have the right to lodge a complaint with their supervisory authority.

California residents (CCPA/CPRA) have additional rights, including: the right to know what personal information we collect; the right to delete; the right to correct inaccurate information; the right to opt out of sale or sharing (we do not sell or share for advertising); the right to limit use of sensitive personal information; and the right to non-discrimination for exercising these rights. Categories of personal information collected in the past 12 months: identifiers (name, email, IP), commercial information (financial records, deal data), financial information (bank account data, income), internet activity (usage logs), and professional information (business name, role).

To exercise any right, email team@mcabrokerstack.com with the subject "Privacy Request." We will respond within 30 days.

14. International Transfers

We process and store data in the United States. Where data is transferred from the UK/EEA we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.

15. Cookies

We use strictly necessary cookies for authentication and security, and limited analytics cookies to improve the Service. We do not use third-party advertising cookies (no Google AdSense, Facebook Pixel, or similar ad-tracking technologies). You can manage cookies in your browser settings; disabling session cookies will prevent Platform login.

16. Children's Privacy

MCA Broker Stack is a business-to-business financial services platform intended solely for adults (18+). We do not knowingly collect personal information from anyone under 18. If we become aware that a minor has provided personal data, we will delete it promptly.

17. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where required by law, notify users via email or an in-app notification. Prior versions are available upon request.

18. Contact

AI Consulting Ventures LLC (MCA Broker Stack) — questions about this policy:

AI Consulting Ventures LLC

d/b/a MCA Broker Stack

Email: team@mcabrokerstack.com

Website: mcabrokerstack.com
