Curter
Legal

Privacy Policy

This Privacy Policy explains what information Curter collects, how we use and protect it, what we do not do with it, and your rights as a user.

Effective date: May 18, 2026 · Version 1.0 · curter.ai/privacy

1. Who We Are & How to Contact Us

Curter, Inc. ("Curter," "we," "us," or "our") operates the Curter platform — an AI-powered software service that helps SBA lenders and banking professionals generate loan briefs and identify refinancing opportunities within their existing loan portfolios. The Service is available at curter.ai.

This Privacy Policy governs how Curter collects, uses, stores, discloses, and protects information in connection with the Service. It applies to all users of the Service, including individual loan officers, banking professionals, Team Leaders, and Subordinate Users operating under a Team Account.

For privacy-related questions or requests, contact us at:

This Privacy Policy is incorporated by reference into and forms part of Curter's User Agreement. Defined terms used in this Privacy Policy that are not separately defined herein have the meanings given to them in the User Agreement, available at curter.ai/terms.

2. The Two Categories of Information — A Critical Distinction

Everything that exists in the Curter platform falls into one of two categories. Understanding this distinction is fundamental to understanding how privacy works on our platform:

Category 1 — Service Information Category 2 — User Data & Submitted Content
Source Retrieved by Curter from publicly available government, regulatory, and financial sources. Input, uploaded, or transmitted by you or your Authorized Users.
Examples SBA SOPs; federal interest rate benchmarks; eligibility criteria; regulatory guidance; industry underwriting standards; government-published financial data. Borrower names & financials; loan portfolio data; client contact information; sales leads; deal terms; account credentials; payment information.
Privacy responsibility Curter. We control what public sources we retrieve and how we present them. Yours primarily. You choose what to input. You are responsible for having the right to submit it. Curter protects it as described in this Policy.

3. Information We Collect

3.1 Information You Provide to Us Directly

When you create an account, use the Service, or communicate with us, we collect:

3.2 Information We Collect Automatically

When you access and use the Service, we automatically collect certain technical and usage information:

3.3 Service Information — What We Retrieve from Public Sources

To generate Outputs, Curter's platform retrieves and synthesizes information from publicly available sources including SBA publications and SOPs, federal agency guidance and rulemaking, publicly available interest rate benchmarks and financial data, and industry-standard underwriting references. This is Service Information as defined in the User Agreement. Curter controls what public sources we access and how we present that information. Service Information does not constitute personal data about any individual and is not subject to this Privacy Policy's protections for User Data.

3.4 Information We Do Not Collect

Curter does not:

4. How We Use Information

4.1 To Provide and Operate the Service

We use the information we collect primarily to provide the Service you have subscribed to. Specifically:

4.2 To Improve, Secure, and Maintain the Service

4.3 To Comply with Legal Obligations

4.4 What We Do NOT Do with Your Information

Curter will NEVER: (1) sell User Data to any third party for any purpose; (2) use User Data for advertising or marketing to your clients, borrowers, or prospects; (3) share User Data with competitors of yours or with other Curter customers; (4) use your borrower data or loan portfolio data for any purpose beyond providing the Service to you; or (5) use Submitted Content to train AI models without your explicit written consent.

5. User Data — How We Handle What You Submit

5.1 Your Ownership; Our Limited License

You retain full ownership of all User Data you submit to the Service. By submitting User Data, you grant Curter a limited, non-exclusive, non-transferable license to process your User Data solely for the purpose of providing the Service to you. This license terminates when your account is closed or User Data is deleted in accordance with Section 5.4.

5.2 Your Responsibility for What You Submit

You are solely responsible for the content, accuracy, legality, and appropriateness of User Data you submit. Specifically, you represent and warrant that:

If you choose to submit sales leads, prospect data, client contact lists, pipeline information, or other competitively sensitive business development information, you do so entirely at your own risk. See Section 6.3 of the User Agreement for the full scope of Curter's disclaimers regarding such Submitted Content.

5.3 How We Protect User Data — Security Safeguards

Curter implements commercially reasonable administrative, technical, and physical safeguards designed to protect User Data against unauthorized access, disclosure, alteration, and loss. Our current security practices include:

IMPORTANT LIMITATION: No security system is perfect. Curter cannot guarantee that security measures will prevent all unauthorized access, breaches, or data loss. Internet-based data transmission involves inherent risks that are beyond Curter's ability to fully eliminate. See Section 8 of the User Agreement for the full scope of Curter's limitation of liability for security incidents.

5.4 Data Retention and Deletion

Curter retains User Data for the following periods:

To request deletion of your User Data, contact [email protected] with subject line 'Data Deletion Request.' Curter will acknowledge your request within 10 business days and complete deletion within a commercially reasonable timeframe, not to exceed 45 days, except where retention is required by law.

5.5 Proprietary and Sensitive Information — Your Assumption of Risk

If you submit to the Service any Proprietary Information — including trade secrets, non-public financial data, client lists, sales leads, M&A plans, deal terms, or other information you or a third party considers confidential — you do so entirely at your own risk. Curter is not responsible for the consequences of you inputting Proprietary Information into the Service beyond the security safeguards described in Section 5.3. See Section 6 of the User Agreement for the complete scope of your assumption of risk with respect to Submitted Content.

6. Third-Party AI Providers — Data Processing Disclosure

6.1 How AI Technology Works in the Service

The Service uses artificial intelligence technology, including large language models (LLMs) and generative AI systems, to process User Data and generate Outputs. To function, the AI Technology underlying the Service transmits certain User Data to third-party AI model providers whose systems perform the AI processing and return results to Curter's platform.

BY USING ANY AI-POWERED FEATURE OF THE SERVICE, YOU CONSENT TO THE TRANSMISSION OF YOUR USER DATA TO THIRD-PARTY AI MODEL PROVIDERS AS NECESSARY TO GENERATE OUTPUTS. This transmission is what makes the Service work. If you are not willing to have your User Data transmitted to third-party AI infrastructure, do not use AI-powered features of the Service.

6.2 What We Disclose to Third-Party AI Providers

Curter transmits to third-party AI providers only the User Data necessary to process your specific request and generate the requested Output. Curter does not transmit to AI providers:

6.3 Third-Party AI Providers' Own Terms

Third-party AI model providers operate under their own terms of service, privacy policies, and data handling agreements. Curter enters into data processing agreements with AI providers that require them to use transmitted data solely for the purpose of providing the requested AI service and not to use Customer data to train general AI models without consent. However:

To the extent you are prohibited by your institution's policies, applicable law, or client agreements from transmitting specific categories of data to third-party cloud AI services, it is your sole responsibility to ensure you do not submit such data to the Service. Curter has no obligation to independently enforce your institution's internal data governance policies.

6.4 Your Responsibility to Evaluate AI Provider Transmission

Before submitting any User Data to the Service, you are solely responsible for evaluating whether transmitting that data to third-party AI providers is permissible under: (i) your institution's information security and vendor management policies; (ii) applicable federal and state law, including GLBA and FCRA; (iii) any contractual obligations you have to your clients or borrowers; and (iv) any regulatory guidance from your institution's federal or state regulator regarding use of cloud-based AI services.

7. How We Share Information

7.1 We Do Not Sell Your Data

Curter does not sell User Data, Submitted Content, or any personal information about you to any third party for any purpose, including marketing, advertising, data brokerage, or any other commercial purpose. This is an absolute commitment, not a conditional one.

7.2 Limited Sharing for Service Operation

We share information only in the following limited circumstances:

7.3 Legal Disclosures

Curter may disclose information when required to do so by law or in good faith belief that such disclosure is necessary to:

Where legally permitted and practicable, Curter will notify you of a legal request for your data before disclosing it, so that you may seek a protective order or other relief.

7.4 Business Transfers

If Curter is involved in a merger, acquisition, financing, or sale of all or a portion of its assets, User Data may be transferred as part of that transaction. If such a transfer occurs, Curter will provide notice via the Service or by email before your User Data becomes subject to a different privacy policy, and you will have the opportunity to delete your data prior to transfer if you do not consent to the new policy.

8. GLBA, FCRA & Financial Privacy Obligations

8.1 Curter's Role Under GLBA

The Service processes non-public personal financial information ("NPI") about your borrowers and clients as submitted by you. In this capacity, Curter acts as a service provider to you — a financial institution subject to GLBA. Curter processes NPI solely to provide the contracted Service to you, in accordance with GLBA's service provider provisions.

Curter maintains administrative, technical, and physical safeguards designed to protect NPI against unauthorized access and use, consistent with the FTC Safeguards Rule requirements applicable to service providers to GLBA-covered entities. Curter will not use NPI for any purpose inconsistent with providing the Service to you.

8.2 Your GLBA Obligations

You, as the GLBA-covered financial institution or service provider, retain independent obligations under GLBA, including:

Curter will cooperate with reasonable vendor due diligence requests, including providing responses to vendor questionnaires and making available a summary of relevant security and privacy practices.

8.3 FCRA

If User Data you submit includes consumer report information subject to the Fair Credit Reporting Act (FCRA), you represent that you have a permissible purpose under FCRA for obtaining and using that information, and that your use of the Service with such information complies with all applicable FCRA requirements. Curter does not function as a consumer reporting agency and does not generate consumer reports. Curter processes FCRA-regulated data solely as directed by you.

8.4 No HIPAA Coverage Without BAA

The Service is not designed for processing Protected Health Information (PHI) regulated under HIPAA. Curter is not a HIPAA Business Associate by virtue of this Privacy Policy or the User Agreement alone. If you intend to process PHI through the Service, you must first execute a separate, written Business Associate Agreement (BAA) with Curter. Submitting PHI to the Service without a BAA violates the User Agreement and may expose you and your institution to significant regulatory liability.

9. Data Breach — Detection, Response & Notification

9.1 What Constitutes a Data Breach Under This Policy

A data breach under this Policy means any confirmed unauthorized access to, acquisition of, disclosure of, or loss of User Data that compromises the security, confidentiality, or integrity of that data in a manner that triggers notification obligations under applicable law.

9.2 Our Detection and Response Commitment

Curter maintains a security incident response program that includes:

9.3 Notification to You

In the event of a confirmed data breach affecting your User Data, Curter will:

CRITICAL: Curter's notification obligation runs to you as the account holder — not directly to your borrowers, clients, or other third parties whose data you submitted to the Service. You are solely responsible for notifying your own customers, regulators, and other required parties under applicable data breach notification laws, including any notification obligations under GLBA, state breach notification statutes, and your institution's own incident response plan.

9.4 Notification Timeline Limitations

Curter cannot guarantee notification within any specific timeframe beyond what applicable law requires. Breach investigation takes time to confirm scope, identify affected users, and determine legal notification obligations. Curter will act with reasonable urgency and keep you informed as the investigation develops.

9.5 Your Reporting Obligation to Curter

If you become aware of any unauthorized access to your account, any suspected compromise of User Data, or any vulnerability in the Service, you must promptly notify Curter at [email protected]. Timely reporting by users helps Curter investigate and contain incidents more quickly.

10. Your Privacy Rights

10.1 Access and Correction

You have the right to access the account information Curter holds about you and to request correction of inaccurate information. To exercise this right, log into your account or contact [email protected]. Curter will respond to access requests within 30 days.

10.2 Data Deletion

You have the right to request deletion of User Data Curter holds about you. To request deletion, contact [email protected] with the subject line 'Data Deletion Request.' Curter will process deletion requests within 45 days, subject to the following exceptions:

10.3 Data Portability

Upon request, Curter will provide you with a copy of your User Data in a commonly used, machine-readable format. Contact [email protected] to submit a portability request.

10.4 California Residents — CPRA / California Privacy Rights

If you are a California resident, you have additional rights under the California Privacy Rights Act (CPRA) and the California Consumer Privacy Act (CCPA), including:

To exercise any California privacy right, contact [email protected]. We will respond within 45 days (with a possible 45-day extension for complex requests). We will verify your identity before processing your request. California residents may also designate an authorized agent to submit requests on their behalf.

Curter does not knowingly collect personal information from individuals under the age of 16, and the Service is not directed at or intended for use by individuals under the age of 18.

10.5 No Discrimination

Curter will not discriminate against you for exercising any privacy right described in this Section — we will not deny service, charge different prices, or provide a different level of service as a result of your privacy rights request.

11. Cookies & Tracking Technologies

Curter uses a limited set of cookies and similar technologies necessary to operate the Service:

Curter does NOT use:

You can control cookies through your browser settings. Disabling session cookies will prevent you from logging into the Service. Disabling preference cookies will cause the Service to lose your saved settings between sessions.

12. Minors

The Service is intended exclusively for use by licensed financial professionals and banking institutions. The Service is not directed at, and we do not knowingly collect personal information from, individuals under the age of 18. If we become aware that we have inadvertently collected personal information from a minor, we will promptly delete it. If you believe we have collected information from a minor, contact [email protected].

13. Changes to This Privacy Policy

Curter may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:

Your continued use of the Service after the updated Policy takes effect constitutes your acceptance of the revised Policy. If you do not accept a material change, you must discontinue use of the Service and may request deletion of your User Data before the effective date of the change.

Prior versions of this Privacy Policy are archived and available upon request at [email protected].

14. Cross-Reference Map — User Agreement Privacy Provisions

The following table maps each privacy-related commitment in the User Agreement to the section of this Privacy Policy that addresses it, so you can verify complete coverage:

User Agreement Provision User Agreement Section Privacy Policy Section
Privacy Policy available at curter.ai/privacy§5.3Entire Policy
User Data not sold to third parties§5.3§4.4, §7.1
Commercially reasonable safeguards for User Data§5.3§5.3
GLBA, FCRA compliance obligations§5.2, §14.5§8.1–8.3
No HIPAA without BAA§5.2§8.4
Data breach notification to account holder§5.4, §8.6§9.3
User's breach notification duties to third parties§8.6§9.3 (callout)
Third-party AI provider data transmission consent§7.3§6.1–6.4
Third-party AI providers' own privacy policies§7.3§6.3
No Curter liability for AI provider breach§7.3, §8.3§6.3
Curter not liable for user's decision to submit data§6.1–6.5§5.2, §5.5
Sales leads / proprietary info at user's own risk§6.3§5.5
Security protocols for submitted content§6.3§5.3
Data retained per Applicable Laws then deleted§12.4§5.4
Service Information derived from public sources§4.4, §10.4§2 (table), §3.3
User responsible for consents to submit third-party data§6.2§5.2
User Agreement incorporated by reference§15.4§1 (callout)

15. Contact Us

For any questions, concerns, or requests related to this Privacy Policy or Curter's data practices, contact:

Curter, Inc.
Privacy inquiries: [email protected]
Security incidents: [email protected]
Legal: [email protected]
Website: curter.ai

Effective: May 18, 2026 · Version 1.0 · curter.ai/privacy
© 2026 Curter, Inc.