Mend.

Effective May 29, 2026

Privacy Policy

Mend handles your financial information. We take that responsibility seriously. This policy explains exactly what we collect, what we do with it, who we share it with, and what control you have.

1. What this policy covers

This Privacy Policy describes how [LEGAL ENTITY NAME] ("Mend," "we," "us") collects, uses, discloses, and protects information when you use letmend.com, our subscription service, and any related software (the "Service").

2. GLBA notice for financial information

Because Mend handles non-public personal financial information (your credit reports and related data), we are subject to the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. §6801 et seq. As required by GLBA, you have the right to opt out of having your non-public personal information shared with non-affiliated third parties, except where required for the Service or by law. Mend does not share your non-public personal information with non-affiliated third parties for their marketing purposes. You don't need to opt out because we don't do this in the first place.

3. Information we collect

We collect only what we need to provide the Service:

Information you give us

  • Profile: name, address, email, phone (optional), date of birth, last 4 of SSN
  • Credit reports you upload (PDF) or screenshots you provide
  • Answers to the free-audit quiz (if you use it)
  • Payment information (handled by Stripe — we never see your full card number)
  • Letters you approve and any notes you add

Information collected automatically

  • Device info: browser type, operating system, IP address
  • Usage info: pages visited, features used, time of access
  • Cookies and similar (essential cookies for login; analytics cookies you can opt out of)

Information from third parties

  • If you connect your credit bureaus via Array (post-paywall): your three-bureau credit data
  • If you authorize ongoing monitoring: alerts when new items appear on your reports

4. How we use your information

We use your information for these specific purposes:

  • Provide the Service: run audits, draft letters in your name, send you alerts, track dispute rounds
  • Improve the Service: aggregate, anonymized analytics to identify what features work
  • Communicate with you: account notices, billing receipts, dispute updates, optional product news (you can opt out)
  • Comply with law: respond to subpoenas, court orders, and regulatory requests as required

We never: sell your data, share it with advertisers for retargeting, train external AI models on your credit data, or use your data for any purpose not described in this policy.

5. Who we share data with

We share your information only with these categories of service providers, and only as needed to provide the Service:

  • Anthropic: we send your credit report data to Anthropic's Claude API to perform the AI audit. Anthropic processes data per their API terms; they do not train models on your data when used through the API. (anthropic.com/legal/aup)
  • Stripe: billing and payment processing. Stripe stores your card data per PCI-DSS; we never store it ourselves.
  • Clerk: authentication. Stores your login credentials, not your credit data.
  • Neon (Postgres): our database provider. Encrypts your data at rest.
  • Resend: sends our transactional emails (welcome, receipts, alerts). Sees your email address only.
  • Vercel: hosts our website. Sees standard server logs (IP, request paths).
  • Array (post-paywall, optional): if you authorize bureau connections, Array handles bureau authentication and credit data retrieval.
  • Sentry & PostHog (analytics): aggregated, anonymized usage data. You can opt out via the privacy banner.

We will also disclose your information when legally required (subpoena, court order, government request) or to protect rights, property, or safety. We will notify you of any such request unless legally prohibited.

6. How long we keep your data

Active account: we retain your data as long as your account is active, plus 12 months for legal compliance and dispute continuity.

Closed account: we delete your personal data within 30 days of account closure, except where retention is required by law (e.g., financial records under IRS recordkeeping rules) or legitimate business purpose (e.g., fraud prevention). You can request immediate deletion at any time by emailing hello@letmend.com.

Credit report PDFs you upload: deleted from our servers within 24 hours after the audit completes. We retain only the structured findings, not the original PDF.

7. Your rights

You have the following rights regarding your information:

  • Access: request a copy of your data we hold
  • Correct: fix any inaccuracies
  • Delete: ask us to delete your data
  • Port: export your data in a machine-readable format
  • Restrict / object: limit how we process your data
  • Withdraw consent: for any processing based on consent

Exercise any of these by emailing privacy@letmend.com. We respond within 30 days.

8. California residents (CCPA / CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know: what personal info we collect, sources, purposes, and recipients (all detailed above)
  • Right to delete: request deletion (subject to legal exceptions)
  • Right to correct: inaccurate personal info
  • Right to limit: use of sensitive personal info (your credit data) to what's necessary to provide the Service — we already do this
  • Right to opt out of sale or sharing: we do not sell or share your personal info for cross-context behavioral advertising
  • Right to non-discrimination: we won't charge you more or provide a different Service for exercising these rights

Submit any request to privacy@letmend.com with subject line "CCPA Request." We verify your identity before fulfilling requests.

9. Cookies and tracking

We use these types of cookies:

  • Essential: required for the Service to work (login session, security). Cannot be disabled.
  • Analytics: PostHog collects aggregated usage data. You can opt out via the cookie banner.
  • Advertising: Meta Pixel and Meta Conversions API help us measure ad effectiveness. You can opt out via the cookie banner.

We honor Global Privacy Control (GPC) signals from your browser.

10. Security

We encrypt your data in transit (TLS 1.3) and at rest (AES-256). We use industry-standard authentication and access controls. We minimize what we collect and store, especially for highly sensitive data like SSNs (we store only the last 4 digits, and only because some bureaus require it for identity verification).

No system is 100% secure. If a data breach affects you, we will notify you and the relevant authorities as required by applicable state law (typically within 72 hours under most state breach-notification statutes).

11. Children

Mend is not for children under 18. We do not knowingly collect information from anyone under 18. If you become aware that a child has provided us with information, email hello@letmend.com and we will delete it.

12. International users

Mend is for US residents only. If you access the Service from outside the US, your information will be transferred to and processed in the US.

13. Changes to this policy

We may update this Privacy Policy. Material changes will be announced by email and on this page at least 30 days before taking effect. The "Effective Date" at the top will always reflect the most recent version.

14. Contact us

Privacy questions, data requests, complaints: privacy@letmend.com.

Notice address: [LEGAL ENTITY NAME], [BUSINESS ADDRESS].

Last updated May 29, 2026.

Mend is software, not a credit repair organization. You are the legal sender of every letter.