Last updated: June 7, 2026
This Privacy Policy describes how LenderAnalyzer ("LenderAnalyzer," "we," "our," or "us") collects, uses, stores, and discloses information about you when you use our platform, APIs, and related services (collectively, the "Service"). Because our core business is the AI-powered extraction of structured data from documents — invoices, contracts, identity documents, medical records, and more — we have written this policy to be specific to that context rather than relying on generic boilerplate. Please read it carefully.
LenderAnalyzer is an enterprise software-as-a-service platform that enables organisations to upload documents and receive structured, machine-readable data in return. We are the data controller for account and billing information. For the documents you upload and the data extracted from them, we act as a data processor on your behalf — you remain the controller of that data.
This policy applies to all visitors to our website, registered users, API consumers, and enterprise customers. It does not cover third-party services that you may connect to LenderAnalyzer; those services are governed by their own privacy policies.
When you register, we collect your name, work email address, password hash, company name, job title, and the IP address used to create the account. For SSO/SAML users, identity attributes are passed from your identity provider.
The files you upload — PDFs, scanned images, photographs — are the core input to our Service. These may include commercially sensitive or personally identifiable information such as names, addresses, tax identifiers, financial figures, and, on healthcare or identity documents, special-category data. We treat all uploaded content as confidential customer data. The structured fields our AI extracts from those documents are stored alongside the source file and are subject to your chosen retention policy (see Section 6).
We collect log data including pages visited, API endpoints called, response times, error codes, browser type, operating system, and referring URL. We also collect aggregate feature-usage metrics (e.g., how many documents processed per session) to improve the product. This data does not include the content of your documents.
All payment transactions are handled by Stripe, Inc. We do not store full card numbers or CVV codes. We receive and retain billing address, last four card digits, card brand, and subscription status from Stripe for invoicing and fraud prevention purposes.
When you contact our support team by email or live chat, we collect the content of that communication and any attachments you share to resolve your query.
When you submit a document, LenderAnalyzer's pipeline performs the following operations: (a) optical character recognition (OCR) to convert image pixels to text, (b) layout analysis to identify blocks, tables, and fields, and (c) AI-model inference to classify and extract the specific fields you have requested. All three steps occur within our secured infrastructure (see Section 7). Documents are not used to train or fine-tune shared AI models without your explicit written consent.
Extraction results — structured JSON containing field names and values — are stored in your account workspace so that you can review, export, or push them to your downstream systems. Our human-review queue, when activated, allows members of your own team to inspect and correct low-confidence fields; LenderAnalyzer staff do not access document content during normal operations and do so only with your explicit authorisation when investigating a support issue.
We process your data for the following purposes and, where GDPR applies, rely on the following legal bases:
By default, uploaded source files and their extracted results are retained in your workspace until you delete them or close your account. You can configure an automatic purge policy — for example, deleting source files immediately after extraction or purging all data after a set number of days — directly from your account settings.
Enterprise plans include a zero-retention mode: source files are discarded from our systems immediately after extraction completes and results are delivered, with only a hashed job identifier and metadata log retained for audit purposes. When you close your account, all workspace data is deleted within 30 days. Account records and billing history are retained for a further seven years to satisfy financial and tax reporting obligations.
All data transmitted between your browser or API client and our servers is encrypted using TLS 1.2 or higher. Documents and extracted data at rest are encrypted using AES-256. Encryption keys are managed using an industry-standard key management service and are rotated on a scheduled basis.
Access to production systems is restricted to authorised personnel via multi-factor authentication and time-limited credentials. We maintain a SOC 2 Type II programme covering security, availability, and confidentiality; audit reports are available to enterprise customers under NDA. Full activity and access logs are retained for forensic purposes and are available to you through the audit-log feature on qualifying plans.
We engage the following categories of sub-processors to deliver the Service. We require all sub-processors to maintain security standards consistent with our own and, where applicable, to sign data processing agreements:
Where personal data is transferred from the European Economic Area to a country without an adequacy decision, we rely on Standard Contractual Clauses approved by the European Commission, supplemented by appropriate technical safeguards.
Depending on where you are located, you may have the following rights with respect to your personal data. To exercise any of them, contact us at support@lenderanalyzer.com. We will respond within 30 days.
If you are located in the EEA, you also have the right to lodge a complaint with the supervisory authority in your member state.
Certain document types processed through LenderAnalyzer — such as claims forms, explanation-of-benefits documents, and patient intake records — may constitute Protected Health Information (PHI) under the U.S. Health Insurance Portability and Accountability Act (HIPAA). Enterprise plan customers who process PHI may request a Business Associate Agreement (BAA) from our sales team before submitting any such documents. Operating without an executed BAA when processing PHI is a violation of our Acceptable Use Policy.
We use the following categories of cookies and similar technologies on our website and in the application:
We do not use advertising or cross-site tracking cookies.
The Service is designed for business use and is not directed at children under the age of 16. We do not knowingly collect personal information from anyone under 16. If you believe a minor has registered an account, please contact us and we will promptly delete the account and associated data.
We may update this Privacy Policy periodically as our practices evolve or as required by law. When we make material changes, we will post the revised policy on this page with an updated effective date and, where appropriate, notify registered users by email. Continued use of the Service after the effective date constitutes acceptance of the updated policy. We encourage you to review this page regularly.
For privacy-related questions, data subject requests, or to request a copy of our sub-processor list or DPA, please contact us at:
LenderAnalyzer — Privacy Team
Email: support@lenderanalyzer.com
We aim to acknowledge all privacy requests within 5 business days and resolve them within 30 days.
This document is provided for informational purposes only and does not constitute legal advice. If you have specific legal questions about data protection, please consult a qualified legal professional.
