Privacy Policy
This Privacy Policy describes how Tupeer ("Tupeer", "we", "us") collects, uses, and shares personal information in connection with our peer-to-peer lending platform (the "Service"). It applies to borrowers, lenders, and visitors who interact with our Service in the United States.
1. Information we collect
From borrowers
- Account information: email address, password (hashed), state of residence
- Application information: requested loan amount, requested term, borrower-supplied financial profile (income, employment indicators)
- Cash-flow underwriting data: bank-account-derived signals (when bank-link integration is enabled — currently disabled)
- Loan-servicing information: payment dates, payment amounts, allocation breakdown, delinquency status
- Disclosure-acceptance evidence: the exact text of disclosures shown, IP address, user-agent, timestamp
- Communications: emails or messages you send to us
From lenders
- Account information: email, password (hashed)
- KYC information: legal name, contact email, mailing address, last 4 digits of tax ID, accreditation-investor status
- Investment-activity information: commitments, statements, tax documents, loan portfolio
Automatically collected
- Authentication tokens stored in your browser session and rotated on tab close
- Audit metadata for every administrative action (actor, action, IP, timestamp, request ID)
- Cookies: only essential cookies for authentication and CSRF protection. We do not use advertising or analytics cookies.
2. How we use information
- To evaluate loan applications and decide eligibility
- To facilitate funding between borrowers and lenders
- To service active loans (payments, schedules, statements)
- To detect fraud and comply with applicable law
- To communicate with you about your account, applications, loans, statements, and tax documents
- To generate adverse-action notices required by ECOA / Reg B if your application is declined
3. How we share information
We share personal information only with these parties:
- Lenders: when a borrower's loan is funded, the lender sees the loan ID, status, and servicing-state information necessary to evaluate their position. Borrower identity (name, contact info) is not disclosed to lenders.
- Bank-partner originator (when the bank-partner rail is enabled): the partner bank receives the application and any data necessary for the bank to make an underwriting decision and originate the loan.
- Service providers under contract: cloud hosting, email delivery, AI-summary generation. Each provider is bound by a Data Processing Agreement.
- Government and law-enforcement requests: when required by valid legal process.
We do not sell or share personal information for cross-context behavioral advertising (CCPA Sec. 1798.140).
4. Your rights
You have the following rights regarding your personal information:
- Right to know: ask what categories of personal information we have collected, used, or disclosed
- Right to access: receive a copy of your personal information in a portable format
- Right to deletion: request deletion (subject to legal retention requirements — see Section 6)
- Right to correct: ask us to correct inaccurate personal information
- Right to opt out of "sale" or "sharing" (CCPA): we do not sell or share for cross-context behavioral advertising, but you may still opt out
To exercise any of these rights, sign in and visit Data rights in the app sidebar, or email privacy@tupeer.com. We respond within 45 days under CCPA.
5. Adverse action and credit reporting
If we decline your application, we will provide a notice of adverse action within 30 days describing the principal reasons for the denial, as required by the Equal Credit Opportunity Act (ECOA / Regulation B). If our decision was based on information from a consumer reporting agency, the notice will identify the agency and inform you of your right to a free copy of your report.
6. Data retention
We retain personal information only as long as necessary to:
- Provide the Service
- Comply with applicable law (lending recordkeeping requirements typically extend several years past loan payoff)
- Enforce our Terms of Service
- Defend against legal claims
When you close your account, we delete information that is not subject to a legal retention requirement and securely archive the rest.
7. Security
We implement administrative, technical, and physical safeguards consistent with the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule:
- Encryption in transit (TLS) for all API traffic
- HMAC-signed partner webhooks with replay protection
- Append-only audit logs for every administrative action
- Idempotency-Key middleware on money-flow endpoints to defeat duplicate transactions
- Maker-checker controls on high-risk administrative actions
- Optional two-factor authentication (TOTP) on every account
No system is perfectly secure. If you believe an account has been compromised, contact security@tupeer.com immediately. See our security disclosure policy for researchers.
8. Children's privacy
The Service is not directed to anyone under 18. Borrowers must be at least 18 years old to enter into a credit contract under most state laws. We do not knowingly collect information from children.
9. Changes to this policy
We will post any changes to this policy on this page and update the "Last Updated" date. For material changes, we will notify users by email at least 30 days before the changes take effect.
10. Contact us
| Topic | |
|---|---|
| General privacy questions | privacy@tupeer.com |
| Data subject rights requests | privacy@tupeer.com |
| Security incidents | security@tupeer.com |
| Legal notices | legal@tupeer.com |