Privacy Policy

Effective Date: May 12, 2026

1. Scope and Relationship to the Terms

This Privacy Policy ("Policy") describes how oCoRM ("oCoRM," "we," "us," or "our") collects, uses, stores, discloses, protects, retains, and deletes information in connection with our websites, broker portal, client portal, document automation tools, workflow tools, communications tools, storage integrations, calendar integrations, e-signature workflows, artificial intelligence features, support services, and related services (collectively, the "Service").

This Policy applies to Broker Users, Client Users, website visitors, account administrators, support contacts, and other individuals whose information is submitted to or processed through the Service. Capitalized terms not defined in this Policy have the meanings given in our Terms of Service.

2. Our Role in Financial-Document Workflows

oCoRM provides software that helps brokers and authorized users manage mortgage, accounting, and financial-document workflows. In many cases, a Broker User decides why information is collected, what documents are requested, who may access them, which providers are connected, and how long records are retained. In those cases, oCoRM processes information on behalf of, and under instructions from, the Broker User.

If you are a Client User, the Broker User who invited you is often the best first contact for questions about document requests, application processing, corrections, deletion, retention, lender disclosures, consent withdrawal, or regulatory notices. We may route privacy requests to the responsible Broker User where appropriate.

This Policy does not replace any privacy notice, financial privacy notice, consumer disclosure, authorization, retention notice, lender disclosure, or regulatory disclosure that a Broker User, brokerage, lender, accountant, or other financial institution may be required to provide.

3. Accountability and Privacy Program

We maintain administrative, technical, and organizational measures intended to support privacy accountability, including purpose limitation, access controls, authorization checks, security logging, retention practices, vendor review, and internal controls for sensitive financial information. Broker Users remain responsible for their own privacy programs and client-facing notices.

4. Categories of Information We Collect

Depending on how the Service is used, we may collect and process the following categories of information:

• Account and profile information: names, email addresses, phone numbers, business names, roles, login identifiers, authentication records, connected account identifiers, user preferences, and account settings.
• Brokerage and team information: organization details, assistant relationships, administrator settings, permissions, team roles, branding, connected provider choices, and workflow configuration.
• Client and applicant information: names, contact details, addresses, employment information, income details, asset details, liability details, property information, marital or household information where submitted for a mortgage workflow, and related application data.
• Financial and identity documents: bank statements, tax documents, income documents, pay stubs, identification documents, accounting receipts, mortgage forms, lender forms, signed documents, uploaded images, PDFs, extracted text, mapped fields, generated packets, audit certificates, and document metadata.
• Workflow and communications data: document requests, reminders, task records, message content, email delivery logs, recipient addresses, calendar event details, signing packet details, audit records, timestamps, status changes, support requests, and customer service communications.
• Connected-account and integration data: connected Google or Microsoft account identifiers, account email addresses, OAuth tokens, cloud file IDs, folder metadata, email send status, calendar event or availability data, cloud storage status, AI provider configuration, provider responses, and similar data from third-party services you connect or authorize.
• Technical, security, and usage data: IP addresses, device and browser information, session identifiers, access logs, authentication events, permission changes, error logs, audit events, cookie data, diagnostics, feature usage, and similar security or operational records.
• Payment and commercial data: plan information, invoices, billing contacts, payment status, tax information, transaction records, and chargeback or collection information where paid services are used.

5. Sources of Information

We collect information directly from Users, from Broker Users who invite or administer other Users, from Client Users who upload or submit documents, from connected Third-Party Services, from service providers, from authentication providers, from cookies and similar technologies, from support communications, and from automated logs generated when the Service is used.

6. Purposes for Collection, Use, and Processing

We collect, use, and process information only for identified and limited purposes, including to:

• Create, authenticate, secure, and manage accounts, sessions, roles, permissions, broker-client relationships, and administrator controls.
• Request, upload, store, encrypt, retrieve, organize, parse, classify, map, rename, transmit, share, export, and delete financial documents and application materials.
• Generate draft forms, document packets, document checklists, reminders, summaries, extracted fields, mapped fields, audit certificates, and other automation outputs.
• Send emails, create calendar items, check availability, route files to selected storage locations, authenticate connected accounts, and operate connected integrations at the User's direction.
• Provide support, troubleshoot issues, investigate errors, verify system status, monitor performance, maintain backups, and improve reliability.
• Maintain audit records for authentication, permission changes, document access, sensitive downloads, token changes, user actions, and other security-sensitive activity.
• Detect, investigate, prevent, and respond to fraud, abuse, unauthorized access, security incidents, service misuse, and violations of our Terms.
• Administer subscriptions, billing, taxes, payments, collections, account notices, and customer communications.
• Comply with legal obligations, respond to lawful requests, preserve claims or defenses, enforce agreements, and protect the rights, safety, and security of Users, clients, oCoRM, and third parties.

We do not use the Service to make creditworthiness, lending, eligibility, affordability, underwriting, tax, legal, or financial-advice decisions.

7. Consent, Authority, and Broker Instructions

Where consent is required, the User or Broker User responsible for collecting the information must obtain, document, and maintain that consent before submitting information to the Service. Broker Users are responsible for ensuring they have authority to request documents, invite Client Users, submit information, connect providers, send communications, and disclose information to recipients configured in the Service.

If consent is withdrawn or authority is disputed, the affected User should contact the responsible Broker User and may also contact oCoRM. We may need to preserve certain information for security, legal, audit, accounting, dispute-resolution, backup, or recordkeeping purposes.

8. Connected Account APIs, Google, and Microsoft

When a User connects Google, Microsoft, email, calendar, storage, AI, or other third-party services, oCoRM requests only the permissions reasonably needed for the enabled feature. Exact permissions may vary by provider, account type, tenant policy, and enabled feature, and will be shown during the provider's authorization flow where required.

Depending on the feature, Google permissions may include:

• Google Sign-In: identity and email scopes are used to authenticate Broker Users. Raw Google subject identifiers are not needed for public display and may be stored only in protected hashed form.
• Google Drive: drive.file access is used to create, locate, upload, manage, and retrieve files and folders created or selected for oCoRM workflows in the connected Drive account.
• Gmail: gmail.send is used to send messages from a connected Gmail account at the User's direction; userinfo.email is used to confirm the true connected sending address.
• Google Calendar: calendar.app.created is used to create or manage oCoRM-created calendar events; calendar.freebusy is used to check availability for scheduling and reminder workflows.

Depending on the feature, Microsoft permissions may include identity, email, calendar, OneDrive, SharePoint, or Microsoft Graph permissions needed to authenticate the User, send messages from a connected Outlook or Exchange mailbox, create or manage oCoRM-related calendar items, check availability, or create, locate, upload, manage, and retrieve files in a connected OneDrive or SharePoint location. We aim to use the least-privileged Microsoft Graph permissions that support the enabled workflow.

oCoRM's use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. oCoRM's use of Microsoft APIs is governed by the Microsoft APIs Terms of Use and applicable Microsoft documentation. We do not sell connected-account data, use it for advertising, transfer it to data brokers, or use it to make creditworthiness, lending, eligibility, or underwriting decisions.

OAuth tokens are used to operate the connected feature and may be stored in encrypted form. Users may revoke connected-account access through the provider's account settings or through oCoRM where supported. Revocation may stop related features from working.

9. AI and Document Extraction

If AI-assisted extraction, mapping, classification, summarization, or document automation is enabled, documents, extracted text, prompts, schema information, metadata, and generated outputs may be transmitted to the selected or configured AI provider solely to perform the requested workflow. Broker Users are responsible for confirming that any selected AI provider is appropriate for their regulatory, contractual, provider, and client obligations.

AI outputs are not final professional advice and must be reviewed by an authorized person before use. We may keep limited operational logs for debugging, audit, reliability, and security where permitted by our internal controls and applicable law.

10. How We Disclose Information

We disclose information only as needed to operate the Service, follow User instructions, comply with law, enforce agreements, or protect rights and security. Disclosures may include:

• Broker Users and authorized team members: information submitted by Client Users may be made available to the Broker User, assistants, administrators, processors, or team members with appropriate permissions.
• Client Users and co-applicants: documents or workflow items may be visible to Client Users or co-applicants when permissions, sharing settings, packet settings, or broker instructions allow access.
• Service providers: hosting, storage, database, email delivery, security, logging, support, payment, analytics, AI, communications, and infrastructure providers that help us operate the Service under confidentiality, security, or data-processing obligations.
• User-connected services: Google Drive, Gmail, Google Calendar, Microsoft Sign-In, Outlook, OneDrive, SharePoint, Microsoft calendars, AI providers, or other systems connected, selected, or authorized by the User.
• Directed recipients: lenders, professionals, referral partners, accountants, lawyers, insurers, processors, administrators, or other third parties where a User directs, authorizes, or configures the Service to share information.
• Legal, safety, and enforcement recipients: regulators, courts, law enforcement, auditors, claim handlers, professional advisors, insurers, or other parties when we believe disclosure is required or appropriate to comply with law, enforce agreements, prevent fraud, protect security, or defend legal claims.
• Business transfer recipients: parties involved in a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, due diligence review, or similar transaction, subject to appropriate confidentiality protections.

We do not sell personal information or share it for cross-context behavioral advertising. We do not monetize Financial Data.

11. Service Providers and Sub-Processors

We may use service providers and sub-processors to host infrastructure, store data, deliver email, process payments, provide support, monitor reliability, analyze system performance, secure the Service, process documents, and operate integrations. We require service providers to protect information using confidentiality, security, and use restrictions appropriate to their role.

12. Cookies and Similar Technologies

We use cookies and similar technologies for authentication, session management, security, fraud prevention, preferences, load balancing, diagnostics, and Service operation. Disabling cookies may prevent the Service from functioning correctly. We do not use cookies to sell Financial Data.

13. Security Safeguards

We use administrative, technical, and organizational safeguards designed to protect information processed through the Service. These safeguards may include access controls, encryption, tenant-isolation controls, session controls, audit logging, authorization checks, secure development practices, monitoring for suspicious activity, and restrictions on who may access sensitive operational records.

No system is perfectly secure. Unauthorized access, misconfiguration, malware, phishing, credential compromise, third-party outages, provider vulnerabilities, user error, and other events can affect confidentiality, integrity, or availability. Users are responsible for protecting their own devices, accounts, connected services, email accounts, API keys, credentials, and recovery methods, and for granting access only to authorized people.

14. Security Incidents

If we determine that a security incident involving personal information requires notice under applicable law or a signed agreement, we will provide notice in accordance with that law or agreement. We may also take steps to investigate, contain, remediate, preserve evidence, notify affected account administrators, suspend risky access, or require credential resets. Any incident response activity is not an admission of fault, liability, damages, or violation of law.

Broker Users may have separate notice obligations to clients, lenders, regulators, insurers, professional bodies, or other parties. Broker Users are responsible for those obligations unless a signed agreement states otherwise.

15. Retention, Deletion, and Backups

We retain information for as long as needed to provide the Service, satisfy User instructions, maintain security and audit records, comply with legal or contractual obligations, resolve disputes, enforce agreements, preserve backups, administer billing, support legitimate business purposes, and prevent fraud or abuse. Retention periods may vary by account type, document category, broker configuration, legal requirement, provider behavior, and backup cycle.

Where supported and legally permitted, Users may request deletion, export, correction, or account closure. We may decline, delay, or limit deletion where retention is required or permitted for security, fraud prevention, legal compliance, audit, accounting, tax, dispute resolution, backup restoration, provider recovery, or broker-controlled recordkeeping obligations. Deleted information may remain in backups for a limited period until overwritten or purged according to backup practices.

16. International and Cross-Border Processing

Information may be processed in the country where you are located and in other countries where oCoRM, its service providers, or User-connected services operate. Privacy and security laws may differ between jurisdictions. Where required, we use appropriate contractual, technical, and organizational safeguards for cross-border processing.

17. Access, Correction, Portability, and Other Rights

Depending on where you live and how the Service is used, you may have rights to access, correct, delete, restrict, object to, or receive a copy of personal information. You may also have rights to withdraw consent where processing is based on consent, subject to legal and contractual limits.

To exercise rights, contact us or the Broker User who controls the relevant workflow. We may need to verify your identity, authority, account relationship, and request scope before responding. If the request relates to information controlled by a Broker User, we may forward the request to that Broker User or act on their instructions.

18. Financial Privacy and Consumer Information

Mortgage and financial-document workflows may involve nonpublic personal information and other protected consumer financial information. Broker Users, brokerages, lenders, and other financial institutions are responsible for determining whether laws such as the Gramm-Leach-Bliley Act, state privacy laws, Canadian privacy laws, credit reporting laws, mortgage brokerage rules, or similar requirements apply to their activities.

Where oCoRM acts as a service provider, we process consumer financial information only to provide the Service, follow authorized instructions, maintain security, comply with law, prevent fraud, support the financial-document workflow, and enforce our agreements. We do not use consumer financial information for unrelated advertising or sale.

19. Communications and Anti-Spam Compliance

We may send transactional, administrative, security, account, support, and service-related communications. Broker Users are responsible for ensuring they have any required consent before using the Service to send commercial electronic messages, document requests, reminders, or other communications to Client Users or third parties.

20. Automated Processing and Decision-Making

The Service may automate document extraction, classification, mapping, reminders, packet generation, and workflow routing. The Service is not designed to make final creditworthiness, lending, underwriting, eligibility, affordability, tax, legal, or financial-advice decisions. Users are responsible for reviewing outputs before relying on them.

21. Aggregated and De-Identified Information

To the extent permitted by law, we may create aggregated, statistical, or de-identified information from Service usage and operational records for analytics, security, benchmarking, reliability, product improvement, and business purposes. We do not use aggregated or de-identified information to identify a specific individual.

22. Children

The Service is intended for adults and business use. It is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided information to us, contact us so we can take appropriate action.

23. Changes to This Policy

We may update this Policy from time to time. Material changes will be posted on this page, through the Service, or by other reasonable notice. The updated Policy applies after the effective date shown above or the date otherwise communicated. Continued use of the Service after an updated Policy becomes effective means the Service will handle information under the updated Policy.

24. Contact

Questions, privacy requests, or security concerns may be submitted through our contact page or by email at support@ocorm.com.