Privacy Policy

Last updated: March 2026

Plain-English Summary

Your PDF and mortgage figures are sent to our secure server for processing — they are not stored afterwards.
We use a third-party document processing service to read your mortgage statement. Their data-processing terms apply.
If you choose to email your report, your figures pass through our email provider to reach you.
If you create an account and click "Save Analysis", your mortgage figures are stored in our database so you can revisit them.
We do not sell, share, or use your data for advertising.
We use no tracking cookies, analytics scripts, or session recording tools.

1. What data we collect and why

When you upload a mortgage statement PDF, the file is transmitted over HTTPS to our server. Our server forwards the document to a third-party document processing service to extract your mortgage details. That service processes the document under strict data-handling terms — training on customer data via API is prohibited by default.

After extraction, the raw PDF is not stored on any server. The extracted data (balance, rate, term, lender, etc.) lives in your browser session only — unless you explicitly choose to save or email it.

2. Third-party services we use

Service	Purpose	Data sent
Vercel	Website hosting & serverless functions	All traffic passes through Vercel's infrastructure
Document Processing Service	Extraction of mortgage details from your PDF	Your PDF content and extracted mortgage figures
Email Provider	Sending your email report (only if you request it)	Your email address and mortgage summary figures
Supabase	Storing saved analyses (only if you are logged in and click Save)	Balance, rate, term, lender, mortgage type

3. Data storage

No account / no save: Nothing is persisted. All data lives only in your browser tab and is gone when you close it.

Saved analyses (logged-in users): If you click "Save Analysis", the following fields are stored in our database linked to your user account: outstanding balance, monthly payment, interest rate, remaining term, lender name, and mortgage type. No property address, no account numbers, no personal identifiers beyond your user ID.

You can delete any saved analysis at any time from the Analyses page.

4. Cookies & tracking

We use no advertising cookies, no analytics trackers (no Google Analytics, Hotjar, Meta Pixel, or similar), and no session recording.

The only cookies set are authentication session cookies (if you create an account), which are HTTP-only, Secure, and SameSite=Strict.

5. Security measures

All connections use HTTPS / TLS — data is encrypted in transit.
Strict-Transport-Security (HSTS) header prevents downgrade attacks.
Content-Security-Policy header limits what scripts can run on the page.
X-Frame-Options: DENY prevents clickjacking.
Uploaded files are validated for size (max 10 MB) and magic bytes (must be a real PDF) before processing.
Filenames are sanitised before use.
API keys are stored as server-side environment variables — never exposed to the browser.

6. Contact

Questions about this policy? Email us at support@mortgageaicalc.com.

This policy may be updated from time to time. The "Last updated" date at the top will always reflect the most recent version.