LandDrive Borrower Portal Privacy Policy

This Privacy Policy applies to borrowers who use the LandDrive NoteServ borrower portal to view and service an owner-financed note. If you are an operator using LandDrive CRM at app.landdrive.io, see /privacy/crm. If you are visiting the LandDrive marketing site, see /privacy/marketplace.

This policy explains what personal information LandDrive processes when you use the borrower portal, how we use it, who we share it with, how long we keep it, and the rights you have over your data. It is written to satisfy the transparency requirements of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy regulations.

1. Information We Collect

When your lender or servicer (the “Tenant” — typically the company that originated or holds your note) sets up your account in the borrower portal, the following information is created from the Contact record on your note: your name, email address, phone number, and mailing address. You may update some of these fields from the portal; others are managed by your Tenant.

When you use the portal, we may also process: payment history and scheduled payments, autopay enrollment status, bank account linkage details from Stripe Financial Connections (account fingerprint, bank name, last four digits — LandDrive does not see your raw account or routing number), ACH return codes when a payment fails, documents you upload (for example, insurance certificates), portal messages you exchange with your servicer, vacation-hold history, payment-plan history, and the payment receipts and tax forms generated for your note.

We also collect usage telemetry — login times, pages viewed, and error events — so we can operate the portal, detect abuse, and improve the product. A limited set of essential cookies are used to maintain your login session and security tokens. LandDrive does not directly collect or store payment card numbers; card data is handled by Stripe under their own PCI-compliant infrastructure.

2. How We Use Your Information

We use your information to operate the borrower portal on behalf of your Tenant, including: processing ACH and card payments on your note, servicing scheduled and autopay payments, communicating with you and your servicer through portal messages and transactional notifications, managing vacation holds and payment plans you request, generating tax forms (such as IRS Form 1098 and year-end statements) and payment receipts, complying with our and your Tenant’s legal obligations (tax reporting, consumer-protection rules, anti-fraud rules), and detecting and preventing fraud or abuse on the platform.

We do not use your borrower content — your payment history, messages, documents, or note details — to train machine-learning models or advertising systems, and we do not sell or rent your personal information to third parties.

3. Roles — Controller and Processor

Your relationship with LandDrive in the borrower portal is structured as follows:

• Your Tenant is the data controller. The lender or servicer of record for your note — the company you make payments to — determines what personal data is processed about you and why. They are your primary point of contact for questions about your account, payments, statements, and tax documents.
• LandDrive is the data processor. LandDrive operates the portal software, the payment rails, and the storage systems on behalf of your Tenant under a Data Processing Addendum. We only process your data on documented instructions from your Tenant, the requirements of applicable law, or to keep the service running securely.

If you want to exercise data-subject rights (see Section 7), the primary path is to contact your Tenant first — they have direct control over your account. LandDrive provides a backup direct path at privacy@landdrive.io; we will verify your identity and forward your request to your Tenant for decision when we are acting only as their processor.

4. Lawful Basis for Processing (GDPR)

For borrowers in the European Economic Area, the lawful bases under Article 6 of the GDPR for processing your data through the borrower portal are:

• Contract performance (Art. 6(1)(b)): servicing the owner-financed note you have with your Tenant — collecting payments, producing statements, managing vacation holds and payment plans.
• Legal obligation (Art. 6(1)(c)): complying with tax reporting requirements (such as Form 1098 issuance), anti-money laundering rules, consumer-protection rules, and other applicable law.
• Legitimate interest (Art. 6(1)(f)): security monitoring, fraud and ACH-return detection, product improvement, and business analytics — balanced against your rights and freedoms.
• Consent (Art. 6(1)(a)): optional communications beyond the required servicing notices, which you can withdraw at any time.

5. How We Share Your Information

We do not sell your personal information. We share data only in the following cases:

• Service providers (sub-processors) necessary to operate the portal. This includes Stripe Connect for payment processing, Stripe Financial Connections for linking your bank account for ACH (Stripe receives the linkage details under its own privacy policy), Supabase for PostgreSQL database hosting, Render.com for our API server, Cloudflare Pages for frontend hosting and CDN, Cloudflare R2 for document storage (receipts, tax forms, uploaded coverage certificates), Cloudflare Browser Rendering for PDF generation, Redis Cloud for session caching, SendGrid for transactional email, and Twilio for SMS notifications. Each sub-processor processes only the minimum data necessary for its function.
• Your Tenant. Everything you do in the portal — payments, messages, document uploads, vacation-hold requests, and payment-plan authorizations — is visible to your Tenant. That is the point of the portal: it is the communications and servicing channel between you and your lender.
• Legal disclosure when required by valid legal process, court order, or applicable law, or to protect the rights, property, or safety of LandDrive, your Tenant, our customers, or the public.
• Business transfers in the event of a merger, acquisition, reorganization, or sale of LandDrive assets. You will be notified before your data is transferred and becomes subject to a different privacy policy.

When you link a bank account via Stripe Financial Connections, Stripe receives the linkage details under Stripe’s privacy policy. LandDrive only stores a tokenized reference plus non-sensitive metadata (bank name, account fingerprint, last four digits of the account number).

6. Data Retention

Payment records, tax forms, and IRS reporting artifacts are retained for at least seven years to satisfy tax-compliance requirements. Portal messages between you and your servicer are retained while your note is active and for at least 90 days after the note is paid off, cancelled, or transferred. Document uploads (insurance certificates, signed forms) are retained per your Tenant’s retention policy — at minimum for the duration of your note. Audit logs (sign-in events, payment events, document accesses) are retained for the duration required by our SOC 2 program, generally a minimum of one year.

Some records — invoices, tax documentation, and security audit logs — are retained longer where required by law. Encrypted database backups are retained for up to 30 days for point-in-time recovery purposes and are subject to the same deletion timeline once the window rolls off. You may request early deletion through your Tenant or by contacting privacy@landdrive.io, subject to these legal obligations.

7. Your Rights

You have the right to access the personal information held about you, correct inaccurate data, request deletion of your data, export your data in a machine-readable format, object to or restrict certain processing, and opt out of marketing communications. Under GDPR these rights are the right of access, rectification, erasure, restriction, data portability, and objection. Under CCPA they include the right to know, the right to delete, the right to opt out of sale (LandDrive does not sell personal data), and the right to non-discrimination for exercising your privacy rights.

Primary path: contact your Tenant — the lender or servicer of record on your note — to exercise these rights. They are the data controller and can act directly on your account.

Secondary path: contact privacy@landdrive.io. We will verify your identity and either action the request ourselves (where LandDrive is acting as a controller — for example, around our own product analytics) or forward it to your Tenant for decision (where LandDrive is acting as a processor — for example, around your loan record). We respond within 30 days.

8. International Transfers

LandDrive operates the borrower portal from the United States. When personal data is transferred from the European Economic Area, United Kingdom, or Switzerland to the United States or other jurisdictions outside the EEA, we rely on Standard Contractual Clauses (SCCs) with relevant sub-processors and conduct transfer impact assessments for higher-risk transfers. Data storage regions for our primary database are documented and disclosed on request.

9. Children's Privacy

The borrower portal is intended for borrowers servicing owner-financed real-estate notes — adults entering into binding loan agreements. It is not directed to, and we do not knowingly collect personal information from, children under the age of 16 (GDPR) or 13 (COPPA). If you believe a child has provided us with personal information, contact privacy@landdrive.io and we will delete it promptly.

10. Security

We protect your data with encryption in transit (TLS 1.2 or higher) and at rest (AES-256), strict tenant isolation enforced at the database layer, role-based access control, centralized logging and monitoring, daily encrypted backups, and annual penetration testing. Access controls follow the principle of least privilege. Payment card data is handled by Stripe under its PCI DSS Level 1 program; ACH bank-account linkages are handled by Stripe Financial Connections so LandDrive does not see your raw account or routing numbers. LandDrive is working toward SOC 2 Type I readiness; our current security posture is documented at landdrive.io/security.

No system is perfectly secure. If you believe you have discovered a security vulnerability, please contact security@landdrive.io.

11. Cookies and Tracking

The borrower portal uses essential cookies only — to maintain your authenticated session, protect against cross-site request forgery, and remember basic preferences like theme. These cookies cannot be disabled because they are required for the portal to function. The borrower portal does not embed third-party advertising or behavioral tracking cookies. Where required by law, a cookie consent banner is displayed on your first visit. LandDrive honors Do Not Track browser signals where technically feasible.

12. Breach Notification

In the event of a personal data breach affecting your information, LandDrive will notify the relevant regulatory authorities within the timelines required by applicable law (including the 72-hour deadline under GDPR Article 33), notify your Tenant without undue delay, and — together with your Tenant — notify you without undue delay where the breach is likely to result in a risk to your rights and freedoms. Breach notifications will describe the nature of the incident, the categories of data affected, the likely consequences, and the steps we are taking in response. Our full incident response procedures are documented internally and tested regularly.

13. Contact and Complaints

Your first point of contact is your Tenant — the lender or servicer of record on your note. For questions specifically about LandDrive’s processing of your personal data, you can also reach us at:

• Email: privacy@landdrive.io
• Support: support@landdrive.io
• Mail: LandDrive LLC, 508 Pat Booker Rd. #5111, Universal City, TX 78148

If you are in the European Economic Area, United Kingdom, or Switzerland and believe your rights have not been respected, you also have the right to lodge a complaint with your local data protection supervisory authority.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced through the portal or by email to active borrowers at least 30 days before they take effect. The “Last updated” date at the top of the published version will reflect the most recent revision.