Privacy Policy
- Introduction
- Scope of This Policy
- Information We Collect
- How We Use Your Information
- Legal Bases for Processing
- Data Storage and Security
- Data Sharing and Third-Party Service Providers
- GLBA Privacy Notice
- Your Privacy Rights
- California Privacy Rights (CCPA/CPRA)
- Virginia Consumer Data Protection Act (VCDPA)
- Michigan Privacy and Data Protection
- Other State Privacy Laws
- Data Retention and Deletion
- Cookies and Tracking Technologies
- Data Breach Notification
- Children’s Privacy
- International Data Transfers
- Changes to This Privacy Policy
- Contact Information
1. Introduction
1.1. NEXUS Systems LLC (“NEXUS,” “Company,” “we,” “us,” or “our”) operates the NEXUS Platform, a Software-as-a-Service (“SaaS”) mortgage loan origination management system accessible at platform.nexus (the “Platform” or “Service”).
1.2. This Privacy Policy describes how we collect, use, store, protect, share, and dispose of information in connection with the Platform. This Policy applies to all users of the Platform, including Licensed Loan Officers, Organization administrators, and other authorized personnel (“Users” or “you”).
1.3. Because the Platform processes Consumer Data — including nonpublic personal information (“NPI”) of mortgage loan applicants and borrowers — this Privacy Policy is designed to satisfy the notice requirements of the Gramm-Leach-Bliley Act (“GLBA”), the California Consumer Privacy Act/California Privacy Rights Act (“CCPA/CPRA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Michigan Identity Theft Protection Act (MCL 445.61 et seq.), and other applicable state and federal privacy laws.
1.4. By using the Platform, you consent to the collection, use, and sharing of information as described in this Privacy Policy and in accordance with our Terms of Service.
2. Scope of This Policy
2.1. What This Policy Covers:
- The NEXUS Platform at platform.nexus;
- NEXUS APIs and integrations;
- Communications between you and NEXUS (including email); and
- Consumer Data entered into the Platform by authorized Users.
2.2. Dual Role Disclosure. NEXUS acts in two capacities:
- Data Controller — for User account information (registration data, usage patterns, billing information); and
- Data Processor — for Consumer Data that Users enter into the Platform on behalf of mortgage loan applicants and borrowers.
2.3. What This Policy Does Not Cover: Third-party websites, information collected by Users outside the Platform, or the privacy practices of Users themselves.
3. Information We Collect
3.1. Information You Provide Directly
3.1.1. Account Registration Information
| Data Element | Purpose | Required |
|---|---|---|
| Full name | Account identification, communications | Yes |
| Email address | Authentication, notifications, account recovery | Yes |
| Password | Authentication (stored as bcrypt hash, 12 rounds — never in plaintext) | Yes |
| Organization name | Multi-tenant data isolation | Yes |
| NMLS number | Professional verification | Recommended |
| Phone number | Account recovery, notifications | Optional |
| Subscription tier | Service entitlement, billing | Yes |
3.1.2. Consumer Data — High-Sensitivity PII
The following data is classified as Restricted and receives the highest level of protection:
| Data Element | Protection | Storage |
|---|---|---|
| Social Security Number (SSN) | AES-256-GCM encrypted at rest; masked by default (***-**-6789); full value revealed only via audit-logged endpoint; per-value random IV; tamper detection via authentication tag | PostgreSQL (encrypted column) |
| Date of Birth (DOB) | AES-256-GCM encrypted at rest; same protections as SSN | PostgreSQL (encrypted column) |
3.1.3. Consumer Data — Standard PII
| Data Element | Purpose |
|---|---|
| Borrower full name | Loan identification, communications |
| Mailing address | Property identification, loan processing |
| Email address | Borrower communications, follow-up campaigns |
| Phone number | Borrower communications |
| Credit score / credit data | Loan qualification assessment |
| Employment information | Income verification, loan qualification |
| Income and asset data | Loan qualification, DTI calculations |
| Marital status | Loan application requirements |
| Co-borrower information | Joint application processing |
3.1.4. Financial and Business Data
| Data Element | Purpose |
|---|---|
| Loan amounts and terms | Pipeline management, production tracking |
| Loan status and pipeline stage | Workflow management |
| Commission and compensation data | Production analytics, financial reporting |
| Property information | Loan processing, market analysis |
| IRRRL (VA refinance) flags | Specialized loan tracking |
| Campaign and marketing data | Client outreach management |
| Email templates and content | Campaign execution |
| Client follow-up schedules | Beacon relationship management |
| Proposal documents | Blueprint document generation |
3.2. Information Collected Automatically
3.2.1. Technical and Usage Data
| Data Element | Purpose | Retention |
|---|---|---|
| IP address | Security, audit logging, rate limiting | Duration of audit log retention |
| Browser type and version | Compatibility, error diagnosis | Aggregated only |
| Operating system | Compatibility, error diagnosis | Aggregated only |
| Pages visited and features used | Service improvement, analytics | Aggregated and anonymized |
| Timestamps of access | Security, audit logging | Duration of audit log retention |
| Error and crash data | Platform stability (via Sentry) | Per Sentry retention policy |
| API request metadata | Security, rate limiting, troubleshooting | 90 days |
3.2.2. Sentry Error Monitoring. We use Sentry for application error monitoring and stability tracking. Sentry does NOT receive: SSNs, DOBs, financial data, borrower names, or any other Consumer Data.
3.3. Information We Do NOT Collect
- Credit card numbers, bank account numbers, or payment instrument data (handled exclusively by Stripe);
- Biometric data;
- Geolocation data (beyond IP-derived approximate location);
- Browsing activity outside the Platform;
- Data from social media accounts; or
- Any information from minors under the age of 18.
4. How We Use Your Information
| Purpose | Data Categories Used | Legal Basis |
|---|---|---|
| Providing the Service | Account data, Consumer Data, financial data | Contract performance; legitimate interest |
| Authentication and Security | Account credentials, IP address, session data | Contract performance; legitimate interest; legal obligation |
| Audit and Compliance | Audit log data (user ID, timestamp, IP, action, entity) | Legal obligation; legitimate interest |
| Service Improvement | Aggregated and anonymized usage data, error reports | Legitimate interest |
| Communications | Email address, name | Contract performance; legitimate interest |
| Billing and Payments | Account data, subscription tier | Contract performance |
| AI Features | Anonymized/aggregated pipeline data, campaign data | Consent; legitimate interest |
| Data Export | All User Data as requested | Contract performance; legal obligation |
| Legal Compliance | As required by the specific legal process | Legal obligation |
4.2. We do NOT use your information for: selling or renting personal information; advertising or behavioral targeting; building consumer profiles for third-party marketing; any incompatible purpose; or training AI models on Consumer Data without explicit consent.
5. Legal Bases for Processing
- Contract Performance — Processing necessary to perform our obligations under the Terms of Service;
- Legal Obligation — Processing required by law (GLBA compliance, responding to legal process, breach notification);
- Legitimate Interest — Processing necessary for our legitimate business interests (security, fraud prevention, service improvement); and
- Consent — Where required by applicable law, we obtain your affirmative consent for specific processing activities.
6. Data Storage and Security
6.1. Data Storage Infrastructure
| Component | Provider | Location | Security |
|---|---|---|---|
| Application Database | PostgreSQL 16 on Railway | United States | SSL/TLS connections, encrypted at rest |
| Application Hosting | Railway | United States | SOC 2 compliant, automatic HTTPS |
| DNS and CDN | Cloudflare | Global (edge), US (origin) | DDoS protection, SSL/TLS, WAF |
| Backups | Watchdog automated backups | Railway (US) | Encrypted, rotated (20-backup retention) |
6.2. Security Measures
6.2.1. Encryption
| Layer | Standard | Implementation |
|---|---|---|
| Data at Rest (High-Sensitivity PII) | AES-256-GCM | Per-value random IV, 128-bit authentication tag for tamper detection |
| Data in Transit | TLS 1.2+ / HTTPS | Enforced on all connections |
| Password Storage | bcrypt (12 rounds) | Salted, adaptive-cost hashing; plaintext never stored |
| Session Tokens | SHA-256 | JWT tokens hashed before storage; originals never persisted |
6.2.2. Access Controls
- JWT Authentication — All API requests require valid JSON Web Token (HS256, 24-hour expiration);
- Live Session Validation — Every request performs a live database check; revoked sessions are rejected immediately;
- Role-Based Access Control (RBAC) — Admin, Manager, and Loan Officer roles with granular permissions;
- Organization-Level Data Isolation — Multi-tenancy enforced at the database query level; every query scoped to org_id;
- TOTP Two-Factor Authentication (2FA) — Available and recommended for all users;
- Rate Limiting — Login: 5 attempts/15min per IP; API: 100 req/min per user; SSN Reveal: 10/hour per user.
6.2.3. Monitoring and Incident Response
- Watchdog — Automated health monitoring every 30 seconds with auto-restart on failure;
- Sentry — Error monitoring for application stability (no PII transmitted);
- Audit Logging — Complete audit trail for all sensitive data access;
- Security Headers — Helmet.js enforcing CSP, HSTS (preload), X-Frame-Options, X-Content-Type-Options, Referrer-Policy;
- Input Sanitization — DOMPurify strips all HTML/JS from user inputs to prevent XSS attacks;
- CI/CD Security — GitHub Actions pipeline with syntax validation, dependency auditing, and health checks.
6.2.4. Key Management
- Encryption keys stored exclusively in environment variables — never committed to source code, logs, or disk;
- Separate keys for distinct purposes (encryption, JWT signing, Stripe, API integrations);
- Key rotation procedures documented and tested;
- Compromise of one key does not grant access to other systems.
7. Data Sharing and Third-Party Service Providers
7.2. Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Railway | Cloud hosting, database hosting | All Platform data (stored on their infrastructure) |
| Cloudflare | DNS, CDN, SSL/TLS, DDoS protection | IP addresses, HTTP request metadata (routing only) |
| Anthropic (Claude API) | AI-powered email drafting, campaign content, analytics | Non-sensitive borrower data only. No SSNs, DOBs, or financial account numbers. |
| Sentry | Application error monitoring | Error stack traces, browser metadata. No PII. |
| Google Workspace | Company email | Email communications with Users |
| FRED API | Public economic data for Workbench | No user data transmitted |
| Stripe, Inc. | Payment processing | Billing name, email, subscription tier — no financial Consumer Data |
| Microsoft 365 (planned) | Email send/read via OAuth2 | Outbound email content, inbox reply detection. Scoped to individual user mailbox only. |
7.3. Legal Disclosures. We may disclose personal information if required by law, subpoena, court order, or to protect the rights, property, or safety of NEXUS, its Users, or the public.
7.4. Business Transfers. In the event of a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction with prior notice.
7.5. No Other Sharing. We do not share personal information with any parties other than those described in this Section 7.
8. GLBA Privacy Notice
8.1. NEXUS is a service provider that processes nonpublic personal information (“NPI”) on behalf of financial institutions.
8.2. Categories of NPI Collected:
- Information provided on loan applications — Names, addresses, SSN, DOB, income, employment, assets, liabilities, credit information;
- Information from transactions — Loan amounts, payment history, pipeline status, closing data; and
- Information from third-party sources — Credit reports and scores, property valuations (as entered by Users).
8.3. Information Sharing Practices. We do not disclose NPI to non-affiliated third parties except as permitted by GLBA. We do not sell NPI. We share NPI only with the service providers listed in Section 7.2.
8.4. Opt-Out. Because we do not share NPI with non-affiliated third parties for marketing purposes, no opt-out is required. However, Users and consumers may exercise their rights as described in Section 9.
8.5. Safeguards. We maintain comprehensive safeguards consistent with the GLBA Safeguards Rule and the FTC’s Revised Safeguards Rule, as detailed in Section 6.2.
9. Your Privacy Rights
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of the personal information we hold about you | Email admin@platform.nexus |
| Correction | Request correction of inaccurate personal information | Platform UI or email admin@platform.nexus |
| Deletion | Request deletion of your personal information, subject to legal retention requirements | Email admin@platform.nexus |
| Data Export / Portability | Export your data in MISMO 3.4 XML, CSV, JSON | Platform export features or email admin@platform.nexus |
| Opt-Out of Communications | Unsubscribe from non-essential communications | Unsubscribe link in emails or email admin@platform.nexus |
| Account Termination | Close your account and request data deletion | Email admin@platform.nexus |
9.2. We will acknowledge requests within ten (10) business days and fulfill them within thirty (30) days (or forty-five days for complex requests with notice).
9.3. We may verify your identity before fulfilling a request.
9.4. We will not discriminate against you for exercising your privacy rights.
10. California Privacy Rights (CCPA/CPRA)
10.1. If you are a California resident, the CCPA/CPRA provides you with specific privacy rights.
10.2. Categories of Personal Information Collected:
| CCPA Category | Examples | Collected | Source |
|---|---|---|---|
| A. Identifiers | Name, email, SSN, NMLS number, IP address | Yes | User registration, loan applications |
| B. Financial Information | Loan amounts, income, employment, credit data | Yes | User input (Consumer Data) |
| C. Protected Classifications | Age (DOB), marital status | Yes | Loan applications |
| D. Commercial Information | Subscription tier, payment history | Yes | Account activity |
| F. Internet/Network Activity | IP address, browser info, pages visited | Yes | Automatic collection |
| G. Geolocation | Approximate location from IP address | Yes | Automatic collection |
| I. Professional Information | NMLS number, organization affiliation | Yes | User registration |
10.3. We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
10.4–10.7. You have the right to know/access, delete, correct, and limit use of sensitive personal information.
10.8. Submit requests to admin@platform.nexus with the subject line [CCPA Request].
10.9. We will not discriminate against you for exercising your CCPA rights.
11. Virginia Consumer Data Protection Act (VCDPA)
11.1. If you are a Virginia resident, the VCDPA provides you with the right to access, correct, delete, data portability, and opt out. (NEXUS does not engage in targeted advertising, data sales, or profiling.)
11.3. Submit requests to admin@platform.nexus with the subject line [VCDPA Request].
11.4. If we decline your request, you may appeal by emailing admin@platform.nexus with the subject line [VCDPA Appeal]. We will respond within sixty (60) days.
12. Michigan Privacy and Data Protection
12.1. NEXUS Systems LLC is organized under the laws of the State of Michigan.
12.2. Michigan Identity Theft Protection Act (MCL 445.61 et seq.). We implement reasonable security measures, provide timely breach notification, notify the Michigan Attorney General if more than 1,000 residents are affected, and properly dispose of records containing personal information.
12.3. Michigan SSN Privacy Act (MCL 445.81 et seq.). We do not publicly display or embed SSNs; do not transmit SSNs over unsecured connections; do not print SSNs on mailed materials; and store SSNs in encrypted form with access restricted and audit-logged.
12.4. Submit requests to admin@platform.nexus with the subject line [Michigan Privacy Request].
13. Other State Privacy Laws
13.1. NEXUS serves mortgage loan originators across approximately 40 states. We comply with applicable state privacy laws including:
- Colorado Privacy Act (CPA);
- Connecticut Data Privacy Act (CTDPA);
- Texas Data Privacy and Security Act (TDPSA);
- Oregon Consumer Privacy Act (OCPA);
- Montana Consumer Data Privacy Act (MCDPA);
- New York Department of Financial Services (NYDFS) 23 NYCRR 500;
- New Jersey Data Privacy Act;
- Delaware Personal Data Privacy Act; and
- Other state laws as enacted and applicable.
13.2. Contact us at admin@platform.nexus with the subject line [Privacy Request — Your State].
14. Data Retention and Deletion
| Data Category | Retention Period | Basis |
|---|---|---|
| Active account data | Duration of account + 30 days post-termination | Contract performance |
| Consumer Data (active accounts) | Duration of account or until User deletes | User direction (NEXUS as processor) |
| Consumer Data (terminated accounts) | 30 days post-termination for export, then deleted | Contract terms |
| SSN (full, encrypted) | Duration of active loan record; deleted upon closure/termination | AES-256-GCM encrypted at rest |
| Audit logs | Seven (7) years from date of logged event | GLBA compliance, regulatory examination |
| Billing records | Seven (7) years | Tax and legal requirements |
| Backup copies | Rotated (20-backup retention); purged within 90 days of production deletion | Disaster recovery |
| Error monitoring data (Sentry) | Per Sentry retention policy (typically 90 days) | Service improvement |
| Aggregated/anonymized data | Indefinite | No individual identification possible |
14.2. Deletion Process. Data is removed from production, backup copies purged on next rotation (within 90 days), encrypted data rendered irrecoverable, and confirmation provided.
14.3. Legal Holds. We may retain data beyond stated periods when required by law or pending litigation.
15. Cookies and Tracking Technologies
15.1. Minimal Cookie Usage. NEXUS uses a minimal cookie footprint. We do not use third-party tracking cookies, advertising pixels, or behavioral analytics tools.
| Cookie / Technology | Purpose | Type | Duration |
|---|---|---|---|
| JWT Authentication Token | Session management, user authentication | Functional (essential) | 24 hours |
| Session Preferences | User interface preferences (theme, layout) | Functional (essential) | Persistent (until cleared) |
15.3. No Third-Party Tracking. We do not use Google Analytics, Facebook Pixel, advertising cookies, cross-site tracking, or participate in ad exchanges.
15.4. Do Not Track. Because we do not track users across third-party websites, our Platform’s behavior does not change in response to DNT signals.
16. Data Breach Notification
16.1. In the event of a confirmed data breach, NEXUS will:
- Contain — Immediately revoke compromised sessions, rotate keys, and disable compromised endpoints;
- Assess — Determine scope using audit logs and system monitoring;
- Notify Affected Parties — Within seventy-two (72) hours of confirmation, or as required by applicable state laws;
- Notify Authorities — Including the Michigan Attorney General if more than 1,000 Michigan residents are affected; and
- Remediate — Address vulnerabilities, rotate keys, re-encrypt data, and document the incident.
16.2. Notifications will include: nature of the breach, categories of data affected, approximate number of records, steps taken, recommendations, and contact information.
17. Children’s Privacy
17.1. The Platform is a B2B service not directed at or intended for individuals under 18.
17.2. We do not knowingly collect personal information from children under 13 (COPPA) or minors under 16 (CCPA).
17.3. If we become aware of inadvertent collection from a child, we will immediately delete such information. Contact admin@platform.nexus to report concerns.
18. International Data Transfers
18.1. The Platform is hosted on US-based infrastructure and intended for US-based mortgage professionals.
18.2. All Consumer Data is stored and processed within the United States.
18.3. Certain service providers (e.g., Cloudflare) may process HTTP request metadata at global edge locations for CDN and DDoS protection. This involves only network routing data, not Consumer Data.
19. Changes to This Privacy Policy
19.1. We may update this Policy from time to time.
19.2. Material changes will be notified via email, Platform notice, or in-app notification.
19.3. Material changes take effect thirty (30) days after notice (or immediately if required by law).
19.4. A dated version will be maintained at platform.nexus/privacy.
19.5. Continued use after the effective date constitutes acceptance of changes.
20. Contact Information
NEXUS Systems LLC
Email: admin@platform.nexus
Website: https://platform.nexus
Privacy-Specific Requests: admin@platform.nexus — Subject Line: [Privacy Request]
Security Concerns: admin@platform.nexus — Subject Line: [SECURITY]
Regulatory Inquiries: admin@platform.nexus — Subject Line: [Regulatory Inquiry]