Privacy Policy

Last updated: February 25, 2026

Zenith Repo, LLC ("we," "us," or "our") operates QuoteBooster.app and is committed to protecting the privacy of our customers. This Privacy Policy ("Policy") describes how we collect, use, disclose, and protect Personal Information collected through our website (QuoteBooster.app), web platform(s), mortgage marketing, rate comparison, and loan quote software, and any additional Quote Booster products or services (collectively, the "Services"). This Policy applies to all users of the Services, including paid subscribers such as loan officers ("Users") and homeowners or other individuals whose information is uploaded to the platform by Users ("Clients").

PLEASE READ THIS POLICY CAREFULLY. By creating an account or using the Services, you acknowledge that you have read and understood this Policy. If you do not agree, do not use the Services. Please also read our Terms of Service. The privacy commitments set forth in this Policy are independently enforceable and are not superseded by the Terms of Service.

1. What Is Personal Information?

2. Information We Collect

3. How We Use Personal Information

4. No Compete Guarantee

5. Disclosure of Personal Information

6. Financial Privacy Notice (GLBA)

7. Protection of Personal Information

8. Your Privacy Rights

9. Data Retention

10. International Data Transfers

11. Opting Out of Electronic Communications

12. Children's Privacy

13. Third-Party Websites and Links

14. Changes to This Policy

15. How to Contact Us

1. What Is Personal Information?

"Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) to a particular individual or household. Personal Information does not include de-identified, aggregated, or lawfully publicly available information.

The categories of Personal Information we collect include:

• Identifiers: Name, email address, mailing address, phone number, IP address, account username, and similar identifiers.

• Financial and mortgage information: Loan amounts, interest rates, loan-to-value ratios, loan terms, property addresses, property valuations, income figures, asset balances, debt obligations, and other mortgage or real estate data entered or uploaded into the platform.

• Commercial information: Subscription and billing records, transaction history, and Services usage.

• Internet and network activity: Browsing and interaction history within the Services, log file information, and email engagement data.

• Geolocation data: Approximate location inferred from IP address.

• Employment information: Job title, company affiliation, and professional license information provided at registration.

• Inferences: Profiles derived from the above categories reflecting usage patterns and business activity.

We do not collect racial or ethnic origin, political opinions, or religious or philosophical beliefs. We do not knowingly collect government identification numbers (such as Social Security Numbers) unless voluntarily provided as part of loan documentation uploaded to the platform, in which case they are treated as Sensitive Personal Information subject to heightened protection.

2. Information We Collect

A) Information You Provide to Us

We collect information you provide directly when you register, request a demo, manage your account, or upload data. This includes:

• Name, email address, and phone number

• Mailing or business address

• Employment information (company name, title, NMLS ID)

• Billing and payment information (processed by our third-party payment processor; we do not store full payment card numbers)

• Mortgage, real estate, and financial data you enter or upload

• Client Data you upload on behalf of your clients (contact details, loan data, preferences, and interaction history) — see Section 4 for our Client Data commitments

We will indicate whether a field is mandatory or optional. If you choose not to provide required information, we may not be able to provide the requested Services.

B) Information We Automatically Collect

Cookies and Tracking Technologies

We use cookies, device identifiers, pixels, web beacons, and local storage to operate and improve the Services. These technologies serve the following purposes:

• Strictly necessary: Authentication, session management, and security. These cannot be disabled without impairing core functionality.

• Functional: Remembering your preferences and settings.

• Analytics: Understanding how users interact with the Services. You may opt out of analytics cookies (see Google Analytics below and Section 8).

Most browsers allow you to block or delete cookies. Disabling strictly necessary cookies will impair core platform functionality. Disabling analytics cookies will not affect your ability to use the Services.

Google Analytics

We use Google Analytics to analyze traffic and usage patterns. Google Analytics collects data such as pages visited, time on site, and referring URLs. This data is associated with your IP address and may be used by Google consistent with Google's Privacy Policy. You may opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.

We do not respond to browser Do Not Track ("DNT") signals. Where the Global Privacy Control ("GPC") opt-out signal is legally required to be honored in your jurisdiction (including California and Colorado), we will treat it as a valid opt-out of sale or sharing of Personal Information for targeted advertising purposes.

Log File Information

Our servers automatically record information when you use the Services, including: IP address, browser type and version, operating system, referring URLs, pages viewed, time and date of access, and error logs. We also collect similar data from emails we send, including which emails are opened and which links are clicked. We use this information to operate, secure, and improve the Services.

3. How We Use Personal Information

We use your Personal Information only for the specific purposes listed below. Where indicated, we identify the lawful basis for processing under the EU/UK General Data Protection Regulation ("GDPR"):

• Providing and managing the Services — to create and manage your account and deliver the platform features you subscribe to. Legal basis: Contract performance (Art. 6(1)(b) GDPR).

• Billing and payment processing — to process subscription fees and manage your billing relationship. Legal basis: Contract performance (Art. 6(1)(b) GDPR).

• Transactional communications — to send account confirmations, security alerts, billing notices, and operational updates required for your account. Legal basis: Contract performance and legitimate interests (Art. 6(1)(b) and (f) GDPR).

• Analytics and service improvement — to understand usage patterns, diagnose technical issues, and improve platform features. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). EU/UK residents may object to this processing (see Section 8).

• Security and fraud prevention — to detect, investigate, and prevent unauthorized access, abuse, or illegal activity. Legal basis: Legitimate interests and legal obligation (Art. 6(1)(f) and (c) GDPR).

• Legal and regulatory compliance — to comply with applicable laws, respond to lawful requests, and enforce our agreements. Legal basis: Legal obligation (Art. 6(1)(c) GDPR).

• Marketing communications — to send promotional emails about new features or offers, only where you have affirmatively opted in at registration or in your account settings. Legal basis: Consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time (see Section 11).

• Aggregate analytics (de-identified B2B customer data)— for paid subscriber accounts (e.g., loan officers), we may use de-identified, aggregated data derived from your use of the Services for internal product development, improvement, and operational benchmarking. This use continues for up to twenty-four (24) months following termination or expiration of your subscription. Before any such use, we apply de-identification techniques consistent with NIST SP 800-188, including aggregating data across no fewer than five unrelated customer accounts so that no individual customer's patterns can be singled out or attributed. We do not sell, externally publish, or share this de-identified data with third parties for commercial purposes, and we do not use it to train third-party machine learning or artificial intelligence models. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Because the data is de-identified prior to use, it is no longer Personal Information under GDPR and most U.S. state privacy laws. EU/UK residents who wish to object to this processing prior to de-identification may do so (see Section 8).

We do not use Personal Information for purposes materially different from those listed above without providing prior notice and, where required by law, obtaining your consent.

4. No Compete Guarantee

When using our platform, you may upload information about your clients, including contact details, preferences, loan data, and interaction history (collectively, "Client Data"). We understand the sensitive nature of Client Data and are committed to protecting it.

Our No-Compete Guarantee means we will not use Client Data for any marketing, solicitation, or competitive purposes directed at your clients — whether on our own behalf or on behalf of any third party. We will process Client Data only as necessary to provide the Services to you and your clients and to comply with legal obligations. We will not sell or share Client Data with third parties for marketing purposes.

Account Termination Notifications. If you terminate your account, we will send up to three notifications to your clients informing them that: (a) your account is no longer active, and (b) their data will be deleted within thirty (30) days unless they independently elect to create their own account and retain their data. These notifications are operational in nature but do include the option for clients to continue using the platform independently. You acknowledge and agree to this practice by using the Services.

If a client elects to create an independent account, you will no longer have access to that client's data. If you later return to the platform, access to that client's data requires the client's affirmative consent.

We acknowledge that clients have independent privacy rights. Any client may request to access, correct, or delete their Personal Information regardless of which User originally uploaded it. These rights take precedence over any User's claims to Client Data.

You represent and warrant that: (a) you have obtained all necessary rights and consents to share Client Data with us, (b) your use of Client Data complies with applicable law and any agreements with your clients, and (c) you will maintain accurate records of client consents and preferences.

5. Disclosure of Personal Information

We do not sell your Personal Information for monetary consideration. We disclose Personal Information only as described below:

Service Providers. We share Personal Information with third-party vendors who perform services on our behalf, including: cloud hosting and infrastructure providers, payment processors, email delivery services, analytics providers (including Google Analytics), customer support tools, and security and monitoring services. These providers are contractually required to process Personal Information only to perform services for us and to implement data protection measures consistent with this Policy and applicable law.

Analytics Providers.We share usage and device data with Google Analytics for analytics purposes. Under California law, this sharing may constitute "sharing" of Personal Information for cross-context behavioral advertising purposes. California residents may opt out using the mechanism described in Section 8.

Mergers and Acquisitions. If we sell or transfer part or all of our business (including through merger, acquisition, bankruptcy, dissolution, or liquidation), Personal Information may be among the assets transferred. We will notify you via email or prominent in-product notice before your Personal Information becomes subject to a materially different privacy policy.

Law Enforcement and Legal Process. We may disclose Personal Information in response to lawful requests from law enforcement or government agencies; in response to subpoenas, court orders, or other legal processes; to establish, protect, or exercise our legal rights; to defend against legal claims; to protect the rights, property, or safety of any person; or as otherwise required by law.

With Your Consent. We may share Personal Information with third parties when you have affirmatively directed or consented to such sharing.

We do not share Client Data with any third party for marketing purposes. See Section 4 (No Compete Guarantee).

6. Financial Privacy Notice (Gramm-Leach-Bliley Act)

Because our Services facilitate mortgage origination, rate comparison, and loan management, we may be subject to the Gramm-Leach-Bliley Act ("GLBA") and the FTC's Safeguards Rule (16 C.F.R. Part 314). This section serves as our privacy notice to customers whose Nonpublic Personal Financial Information ("NPI") we handle.

What is NPI? NPI is personally identifiable financial information that is not publicly available, including: income, assets, loan amounts, credit information, loan application data, and mortgage transaction details that you or your clients provide in connection with obtaining or managing a financial product or service.

NPI We Collect: Loan details (amount, rate, term, loan type), property information, income and asset figures, debt obligations, and other financial data entered or uploaded into the platform.

NPI We Disclose: We share NPI with service providers as necessary to operate the platform (as described in Section 5). We do not share NPI with non-affiliated third parties for marketing purposes.

Your Opt-Out Right. You have the right to opt out of the sharing of your NPI with non-affiliated third parties for purposes beyond what is necessary to provide the Services. To exercise this right, contact us using the information in Section 15. Note that opting out of sharing with service providers required to operate the platform may limit our ability to deliver the Services.

Information Security Program. Consistent with the GLBA Safeguards Rule, we maintain a written Information Security Program that includes administrative, technical, and physical safeguards designed to protect NPI. Our service providers with access to NPI are contractually required to implement equivalent safeguards.

7. Protection of Personal Information

We maintain administrative, technical, and physical safeguards designed to protect Personal Information, including encryption of data in transit using TLS 1.2 or higher and encryption of sensitive data at rest. We conduct periodic security risk assessments and review our security practices on an ongoing basis.

No method of transmission over the internet or electronic storage is completely secure. While we implement commercially reasonable security measures, we cannot guarantee the absolute security of Personal Information and do not represent or warrant that Personal Information will be protected against all loss, misuse, or alteration by third parties.

Data Breach Notification. In the event of a security incident that compromises your Personal Information, we will notify affected users and applicable regulatory authorities as required by law, including applicable state data breach notification laws and GDPR Articles 33–34 where applicable. Notifications will be provided in the timeframes and manner required by law.

8. Your Privacy Rights

Depending on your location, you have the following rights regarding your Personal Information. To exercise any right, see "How to Submit a Request" below.

Rights Available to All Users

• Access: Request a copy of the Personal Information we hold about you.

• Correction: Request that we correct inaccurate or incomplete Personal Information.

• Deletion: Request deletion of your Personal Information, subject to our legal retention obligations (see Section 9).

• Opt-Out of Marketing: Opt out of marketing communications at any time (see Section 11).

California Residents (CCPA / CPRA)

If you are a California resident, you have the following additional rights:

• Right to Know: Request disclosure of the specific pieces and categories of Personal Information we have collected about you, the sources of that information, the business or commercial purpose for collection, and the categories of third parties with whom we share it.

• Right to Portability: Receive your Personal Information in a portable, readily usable format.

• Right to Opt-Out of Sale or Sharing:We do not sell Personal Information for monetary consideration. We may share certain usage data with analytics providers in a manner that constitutes "sharing" for cross-context behavioral advertising under CCPA/CPRA. You may opt out by clicking the "Do Not Sell or Share My Personal Information" link in the footer of our website or by contacting us as described below.

• Right to Limit Use of Sensitive Personal Information: Where we process Sensitive Personal Information (such as financial account details or government identification numbers), you may direct us to limit its use to what is necessary to provide the Services.

• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights. We will not deny you services, charge different prices, or provide a different level of service because you exercised your privacy rights.

• Right to Appeal: If we deny your request, you may appeal our decision by contacting us and referencing your original request number. We will respond to appeals within 45 days.

We will respond to verifiable California consumer requests within 45 days of receipt. We may extend this period by an additional 45 days where reasonably necessary, with prior written notice.

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Other State Residents

If you reside in Virginia, Colorado, Connecticut, or another state with applicable consumer privacy law, you may have the following rights:

• Access and Portability: Confirm whether we process your Personal Information and receive a copy in a portable format.

• Correction: Request correction of inaccurate Personal Information.

• Deletion: Request deletion of Personal Information we collected from or about you.

• Opt-Out of Targeted Advertising: Opt out of the processing of your Personal Information for targeted advertising.

• Opt-Out of Sale: Opt out of the sale of your Personal Information (we do not currently sell Personal Information).

• Appeal: If we decline to act on your request, you may appeal within 30 days of receiving our decision. We will respond to appeals within 60 days.

EU and UK Residents (GDPR / UK GDPR)

If you are located in the European Union or United Kingdom, you have the following rights:

• Access (Art. 15): Obtain confirmation of whether we process your Personal Information and receive a copy.

• Rectification (Art. 16): Request correction of inaccurate or incomplete Personal Information.

• Erasure (Art. 17): Request deletion of your Personal Information where it is no longer necessary for the purposes collected, where you withdraw consent, or where processing is unlawful.

• Restriction of Processing (Art. 18): Request that we restrict processing of your Personal Information in certain circumstances, such as while accuracy is contested.

• Data Portability (Art. 20): Receive your Personal Information in a structured, commonly used, machine-readable format and transmit it to another controller, where technically feasible.

• Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing. We will cease such processing unless we demonstrate compelling legitimate grounds that override your interests or the processing is for the establishment, exercise, or defense of legal claims.

• Withdraw Consent (Art. 7(3)): Where processing is based on your consent, withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.

• Lodge a Complaint: Lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office at ico.org.uk.

We will respond to GDPR requests within 30 days of receipt. We may extend this period by up to two additional months for complex or multiple requests, with prior notice.

How to Submit a Request

You may submit a privacy rights request using either of the following methods:

• Email: info@quotebooster.app with the subject line "Privacy Rights Request"

• Phone: 801-000-0000 (Monday–Friday, 9 AM–5 PM MT)

To protect your information, we will verify your identity before processing your request. We may ask you to confirm the email address associated with your account or provide other identifying information. We will not discriminate against you for submitting a privacy rights request.

You may designate an authorized agent to submit requests on your behalf. Authorized agents must provide written authorization signed by you, and we may require direct verification from you even when an authorized agent submits a request.

9. Data Retention

We retain Personal Information for as long as necessary to fulfill the purposes described in this Policy, to comply with legal and regulatory obligations, and to resolve disputes or enforce agreements. The following retention periods apply by data category:

• Account and profile data: Duration of your active account, plus 2 years following account closure for dispute resolution and legal compliance.

• Mortgage and loan data: 5 years from the date of the last loan activity, consistent with RESPA and related federal recordkeeping requirements.

• Client Data (active loan officer account):Duration of the loan officer's account, or until the client requests deletion.

• Client Data (terminated loan officer account): Loan officer accounts have sixty (60) days following termination to export their data; after that window, live client data is deleted. De-identified aggregates derived from the account may be retained for internal analytics purposes for up to twenty-four (24) months following termination, subject to the de-identification standard described below.

• Billing and transaction records: 7 years from the transaction date, consistent with tax and accounting requirements.

• Analytics and log data: 13 months from collection.

• Marketing and email engagement data: 3 years from last interaction, or until you opt out of marketing communications.

• Backup copies: Removed from backup systems within 90 days following deletion from primary systems.

Following the applicable retention period, we securely delete or de-identify Personal Information. In limited circumstances, we may retain Personal Information beyond these periods where required by law, to prevent fraud, for legitimate account recovery purposes, or as required by active legal proceedings. Where we retain data under such an exception, we limit its use to the purpose of the exception.

We may de-identify or aggregate Personal Information for the purposes described in Section 3. De-identification requires: (a) removal of all direct and indirect identifiers; (b) aggregation with data from no fewer than five unrelated customer accounts so that no single account's patterns can be singled out; and (c) application of technical safeguards against re-identification consistent with NIST SP 800-188 or a substantially equivalent standard. Data that meets this standard is no longer Personal Information and is not subject to this Policy. We do not sell, externally publish, license to third parties for commercial purposes, or use to train third-party AI or machine learning models any data derived from de-identified customer information.

10. International Data Transfers

We are headquartered in the United States. Personal Information collected from users outside the United States may be transferred to and processed in the United States, where data protection laws may differ from those in your home country.

For transfers of Personal Information from the European Economic Area or the United Kingdom to the United States, we rely on appropriate safeguards as required by GDPR Chapter V and UK data protection law, including Standard Contractual Clauses ("SCCs") approved by the European Commission and, for UK transfers, the International Data Transfer Agreement ("IDTA") or UK Addendum to SCCs, as applicable. To request a copy of the applicable transfer mechanisms, contact us using the information in Section 15.

If you are located outside the United States and use the Services, your information will be transferred to the United States for processing consistent with this Policy and the transfer safeguards described above.

11. Opting Out of Electronic Communications

Marketing Communications: We send marketing and promotional emails only to users who have affirmatively opted in at account registration or through their account settings. You may withdraw this consent and stop receiving marketing emails at any time by:

• Clicking the "Unsubscribe" link at the bottom of any marketing email

• Updating your notification preferences in your account settings

• Contacting us using the information in Section 15

Transactional Communications: Certain communications are necessary for the operation of the Services — including account confirmations, security alerts, billing notices, and account termination notifications described in Section 4. You may not opt out of these communications while maintaining an active account.

12. Children's Privacy

Our Services are directed to professionals in the mortgage industry and homeowners who are 18 years of age or older. We do not knowingly collect Personal Information from individuals under 18, whether directly or through third-party uploads.

If you believe Personal Information relating to a minor has been submitted to our Services — for example, if a client's loan file includes data about a minor co-borrower — please contact us immediately using the information in Section 15. We will promptly investigate and delete any such information to the extent required by applicable law, including the Children's Online Privacy Protection Act ("COPPA"), and will notify applicable parties as required.

If you are under 18, please do not provide Personal Information to us through the Services.

13. Third-Party Websites and Links

The Services may contain links to third-party websites or services, including social media platforms, that are not operated by us. This Policy does not apply to the data collection or processing practices of those third parties. A link to a third party's website does not constitute an endorsement of that party or its privacy practices. We encourage you to review the privacy policies of any third-party service you access through the Services before providing Personal Information.

14. Changes to This Policy

We may update this Policy from time to time. If we make material changes to how we collect, use, or share Personal Information, we will provide at least 30 days' advance notice by:

• Sending notice to the email address associated with your account, and/or

• Posting a prominent notice within the Services, with the effective date of the change.

For non-material changes, we will update the "Last updated" date at the top of this Policy. Continued use of the Services after the effective date of any change constitutes your acceptance of the updated Policy. If you do not agree to the updated Policy, you must stop using the Services and may request deletion of your account.

15. How to Contact Us

For questions about this Policy, to exercise your privacy rights, or to submit a complaint, please contact us using any of the following methods:

Email: info@quotebooster.app

Phone: 801-000-0000

Mailing Address: Zenith Repo, LLC, PO Box 12345, SLC Utah

EU and UK residents may also contact their local data protection supervisory authority if they believe their data protection rights have been violated. See Section 8 for supervisory authority contact information.

Quote Booster, Zenith Repo, LLC is a marketing platform for mortgage professionals — not a lender, mortgage broker, or financial advisor. Rate data and comparisons may be sourced from third parties, are for informational purposes only, may be delayed, inaccurate, or incomplete, and do not constitute an offer or commitment to lend. Nothing here is binding or constitutes financial advice. Consult a licensed & qualified professional before making financial decisions. See our Terms of Service for more information.