Privacy Policy

TerraKode LLC ("TerraKode," "we," "us," or "our") operates the DocChaser platform, a secure document collection and management SaaS application for mortgage brokers and professional service firms. This Privacy Policy describes how we collect, use, disclose, and safeguard personal information in connection with the DocChaser Service. Data Controller: TerraKode LLC, a Florida limited liability company, doing business as DocChaser. Contact for privacy requests: privacy@docchaser.io. Qualified Individual / Security Officer: Scott Smith, Trustee of the Smith Family Revocable Trust.

We collect: Identifiers (name, email, phone, IP address, device fingerprint); Financial / NPI (loan amounts, property addresses, NMLS numbers, document metadata); Commercial Information (transaction history, service usage); Internet Activity (log data, access times, feature usage); Professional Information (job title, firm name, state licenses); Sensitive Personal Information (SSN or account numbers if voluntarily uploaded in documents); and Inferences (risk profiles, usage patterns). Under GLBA, all borrower financial information is treated as NPI.

We use collected information to: provide and improve our document collection services; send automated reminders to borrowers; maintain compliance with mortgage lending regulations (GLBA, TRID/RESPA, ECOA); generate audit trails and reports; improve platform security and performance; process payments; respond to customer support inquiries; and comply with legal obligations.

We do not sell your personal information. We share data only with: (a) subprocessors necessary to provide the service — Resend (email delivery), Stripe (payment processing, PCI DSS Level 1 certified), Vultr (cloud hosting); (b) when required by law or valid legal process; (c) with your explicit consent. All subprocessors are bound by data processing agreements with GLBA-compliant safeguards. TerraKode LLC does NOT sell personal information to third parties for monetary or other valuable consideration.

We implement industry-standard security measures including: AES-256-GCM encryption at rest; TLS 1.3 in transit; role-based access controls (5-tier RBAC); multi-factor authentication (TOTP and email-based); device fingerprint session binding; audit logging of all access; file upload validation (magic numbers, deep content inspection); regular security assessments and penetration testing; and employee security awareness training.

To ensure compliance with our Terms of Service and protect against unauthorized account sharing, DocChaser collects and analyzes device fingerprints and session activity. Device fingerprints are SHA-256 hashes of non-PII browser characteristics (screen resolution, timezone, language, installed fonts) and do not include cookies, IP addresses, or personal identifiers. Session data includes login timestamps, browser type, and approximate location (if available). This data is used solely for: enforcing per-user seat limits; detecting anomalous login patterns; and calculating an internal compliance score for account health. Compliance scores and raw session analytics are NOT visible to customers and are used exclusively by TerraKode LLC for account integrity purposes.

Each licensed user is permitted up to 3 concurrent active sessions across all devices. When this limit is reached, you will be prompted to end your oldest active session before signing in from a new device. Session data is stored in encrypted Redis caches for the duration of the active session (maximum 24 hours) and in PostgreSQL audit logs for 7 years. You may view and revoke your active sessions at any time from Settings > Security.

Completed loans: 7 years (GLBA / IRS requirement). Incomplete/abandoned loans: 90 days then auto-archive. Audit logs: 7 years. Uploaded documents: Life of loan + 7 years. Deleted accounts: 30-day grace period then cryptographic erasure. Payment records: 7 years. Support tickets: 3 years. Device fingerprints: 90 days from last activity or until account deletion. Session snapshots: 30 days. You may request early deletion subject to legal retention requirements.

Depending on your jurisdiction, you have rights to: access your data; correct inaccurate data; delete your data (subject to retention requirements); receive a portable copy; opt out of sale/sharing (we do not sell); opt out of targeted advertising; opt out of profiling; and limit use of sensitive personal information. To exercise these rights, contact privacy@docchaser.io. We respond within 45 days. We verify identity before processing requests. You may designate an authorized agent with signed written authorization.

We use Essential cookies (required for authentication and security), Functional cookies (preferences), and Analytics cookies (anonymized usage statistics). We honor the Global Privacy Control (GPC) signal — if detected, we automatically suppress non-essential data collection and display an "Opt-Out Request Honored" badge. You can manage preferences through our cookie consent banner.

DocChaser is not intended for use by individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact privacy@docchaser.io immediately and we will delete it promptly.

DocChaser operates exclusively within the United States. All data is stored in US-based data centers. We do not transfer personal data outside the United States. By using our service, you consent to data processing in the United States.

We may update this Privacy Policy periodically. Material changes will be communicated via email to registered users and through in-app notification banners at least 30 days before taking effect. Your continued use after changes constitutes acceptance.

For privacy-related inquiries, contact our Data Protection Officer at privacy@docchaser.io. For security incidents: security@docchaser.io. For legal matters: legal@terrakode.io. We respond to all inquiries within 30 days.