This Privacy Policy explains what information Curter collects, how we use and protect it, what we do not do with it, and your rights as a user.
Curter, Inc. ("Curter," "we," "us," or "our") operates the Curter platform — an AI-powered software service that helps SBA lenders and banking professionals generate loan briefs and identify refinancing opportunities within their existing loan portfolios. The Service is available at curter.ai.
This Privacy Policy governs how Curter collects, uses, stores, discloses, and protects information in connection with the Service. It applies to all users of the Service, including individual loan officers, banking professionals, Team Leaders, and Subordinate Users operating under a Team Account.
For privacy-related questions or requests, contact us at:
This Privacy Policy is incorporated by reference into and forms part of Curter's User Agreement. Defined terms used in this Privacy Policy that are not separately defined herein have the meanings given to them in the User Agreement, available at curter.ai/terms.
Everything that exists in the Curter platform falls into one of two categories. Understanding this distinction is fundamental to understanding how privacy works on our platform:
| Category 1 — Service Information | Category 2 — User Data & Submitted Content | |
|---|---|---|
| Source | Retrieved by Curter from publicly available government, regulatory, and financial sources. | Input, uploaded, or transmitted by you or your Authorized Users. |
| Examples | SBA SOPs; federal interest rate benchmarks; eligibility criteria; regulatory guidance; industry underwriting standards; government-published financial data. | Borrower names & financials; loan portfolio data; client contact information; sales leads; deal terms; account credentials; payment information. |
| Privacy responsibility | Curter. We control what public sources we retrieve and how we present them. | Yours primarily. You choose what to input. You are responsible for having the right to submit it. Curter protects it as described in this Policy. |
When you create an account, use the Service, or communicate with us, we collect:
When you access and use the Service, we automatically collect certain technical and usage information:
To generate Outputs, Curter's platform retrieves and synthesizes information from publicly available sources including SBA publications and SOPs, federal agency guidance and rulemaking, publicly available interest rate benchmarks and financial data, and industry-standard underwriting references. This is Service Information as defined in the User Agreement. Curter controls what public sources we access and how we present that information. Service Information does not constitute personal data about any individual and is not subject to this Privacy Policy's protections for User Data.
Curter does not:
We use the information we collect primarily to provide the Service you have subscribed to. Specifically:
Curter will NEVER: (1) sell User Data to any third party for any purpose; (2) use User Data for advertising or marketing to your clients, borrowers, or prospects; (3) share User Data with competitors of yours or with other Curter customers; (4) use your borrower data or loan portfolio data for any purpose beyond providing the Service to you; or (5) use Submitted Content to train AI models without your explicit written consent.
You retain full ownership of all User Data you submit to the Service. By submitting User Data, you grant Curter a limited, non-exclusive, non-transferable license to process your User Data solely for the purpose of providing the Service to you. This license terminates when your account is closed or User Data is deleted in accordance with Section 5.4.
You are solely responsible for the content, accuracy, legality, and appropriateness of User Data you submit. Specifically, you represent and warrant that:
If you choose to submit sales leads, prospect data, client contact lists, pipeline information, or other competitively sensitive business development information, you do so entirely at your own risk. See Section 6.3 of the User Agreement for the full scope of Curter's disclaimers regarding such Submitted Content.
Curter implements commercially reasonable administrative, technical, and physical safeguards designed to protect User Data against unauthorized access, disclosure, alteration, and loss. Our current security practices include:
IMPORTANT LIMITATION: No security system is perfect. Curter cannot guarantee that security measures will prevent all unauthorized access, breaches, or data loss. Internet-based data transmission involves inherent risks that are beyond Curter's ability to fully eliminate. See Section 8 of the User Agreement for the full scope of Curter's limitation of liability for security incidents.
Curter retains User Data for the following periods:
To request deletion of your User Data, contact [email protected] with subject line 'Data Deletion Request.' Curter will acknowledge your request within 10 business days and complete deletion within a commercially reasonable timeframe, not to exceed 45 days, except where retention is required by law.
If you submit to the Service any Proprietary Information — including trade secrets, non-public financial data, client lists, sales leads, M&A plans, deal terms, or other information you or a third party considers confidential — you do so entirely at your own risk. Curter is not responsible for the consequences of you inputting Proprietary Information into the Service beyond the security safeguards described in Section 5.3. See Section 6 of the User Agreement for the complete scope of your assumption of risk with respect to Submitted Content.
The Service uses artificial intelligence technology, including large language models (LLMs) and generative AI systems, to process User Data and generate Outputs. To function, the AI Technology underlying the Service transmits certain User Data to third-party AI model providers whose systems perform the AI processing and return results to Curter's platform.
BY USING ANY AI-POWERED FEATURE OF THE SERVICE, YOU CONSENT TO THE TRANSMISSION OF YOUR USER DATA TO THIRD-PARTY AI MODEL PROVIDERS AS NECESSARY TO GENERATE OUTPUTS. This transmission is what makes the Service work. If you are not willing to have your User Data transmitted to third-party AI infrastructure, do not use AI-powered features of the Service.
Curter transmits to third-party AI providers only the User Data necessary to process your specific request and generate the requested Output. Curter does not transmit to AI providers:
Third-party AI model providers operate under their own terms of service, privacy policies, and data handling agreements. Curter enters into data processing agreements with AI providers that require them to use transmitted data solely for the purpose of providing the requested AI service and not to use Customer data to train general AI models without consent. However:
To the extent you are prohibited by your institution's policies, applicable law, or client agreements from transmitting specific categories of data to third-party cloud AI services, it is your sole responsibility to ensure you do not submit such data to the Service. Curter has no obligation to independently enforce your institution's internal data governance policies.
Before submitting any User Data to the Service, you are solely responsible for evaluating whether transmitting that data to third-party AI providers is permissible under: (i) your institution's information security and vendor management policies; (ii) applicable federal and state law, including GLBA and FCRA; (iii) any contractual obligations you have to your clients or borrowers; and (iv) any regulatory guidance from your institution's federal or state regulator regarding use of cloud-based AI services.
Curter does not sell User Data, Submitted Content, or any personal information about you to any third party for any purpose, including marketing, advertising, data brokerage, or any other commercial purpose. This is an absolute commitment, not a conditional one.
We share information only in the following limited circumstances:
Curter may disclose information when required to do so by law or in good faith belief that such disclosure is necessary to:
Where legally permitted and practicable, Curter will notify you of a legal request for your data before disclosing it, so that you may seek a protective order or other relief.
If Curter is involved in a merger, acquisition, financing, or sale of all or a portion of its assets, User Data may be transferred as part of that transaction. If such a transfer occurs, Curter will provide notice via the Service or by email before your User Data becomes subject to a different privacy policy, and you will have the opportunity to delete your data prior to transfer if you do not consent to the new policy.
The Service processes non-public personal financial information ("NPI") about your borrowers and clients as submitted by you. In this capacity, Curter acts as a service provider to you — a financial institution subject to GLBA. Curter processes NPI solely to provide the contracted Service to you, in accordance with GLBA's service provider provisions.
Curter maintains administrative, technical, and physical safeguards designed to protect NPI against unauthorized access and use, consistent with the FTC Safeguards Rule requirements applicable to service providers to GLBA-covered entities. Curter will not use NPI for any purpose inconsistent with providing the Service to you.
You, as the GLBA-covered financial institution or service provider, retain independent obligations under GLBA, including:
Curter will cooperate with reasonable vendor due diligence requests, including providing responses to vendor questionnaires and making available a summary of relevant security and privacy practices.
If User Data you submit includes consumer report information subject to the Fair Credit Reporting Act (FCRA), you represent that you have a permissible purpose under FCRA for obtaining and using that information, and that your use of the Service with such information complies with all applicable FCRA requirements. Curter does not function as a consumer reporting agency and does not generate consumer reports. Curter processes FCRA-regulated data solely as directed by you.
The Service is not designed for processing Protected Health Information (PHI) regulated under HIPAA. Curter is not a HIPAA Business Associate by virtue of this Privacy Policy or the User Agreement alone. If you intend to process PHI through the Service, you must first execute a separate, written Business Associate Agreement (BAA) with Curter. Submitting PHI to the Service without a BAA violates the User Agreement and may expose you and your institution to significant regulatory liability.
A data breach under this Policy means any confirmed unauthorized access to, acquisition of, disclosure of, or loss of User Data that compromises the security, confidentiality, or integrity of that data in a manner that triggers notification obligations under applicable law.
Curter maintains a security incident response program that includes:
In the event of a confirmed data breach affecting your User Data, Curter will:
CRITICAL: Curter's notification obligation runs to you as the account holder — not directly to your borrowers, clients, or other third parties whose data you submitted to the Service. You are solely responsible for notifying your own customers, regulators, and other required parties under applicable data breach notification laws, including any notification obligations under GLBA, state breach notification statutes, and your institution's own incident response plan.
Curter cannot guarantee notification within any specific timeframe beyond what applicable law requires. Breach investigation takes time to confirm scope, identify affected users, and determine legal notification obligations. Curter will act with reasonable urgency and keep you informed as the investigation develops.
If you become aware of any unauthorized access to your account, any suspected compromise of User Data, or any vulnerability in the Service, you must promptly notify Curter at [email protected]. Timely reporting by users helps Curter investigate and contain incidents more quickly.
You have the right to access the account information Curter holds about you and to request correction of inaccurate information. To exercise this right, log into your account or contact [email protected]. Curter will respond to access requests within 30 days.
You have the right to request deletion of User Data Curter holds about you. To request deletion, contact [email protected] with the subject line 'Data Deletion Request.' Curter will process deletion requests within 45 days, subject to the following exceptions:
Upon request, Curter will provide you with a copy of your User Data in a commonly used, machine-readable format. Contact [email protected] to submit a portability request.
If you are a California resident, you have additional rights under the California Privacy Rights Act (CPRA) and the California Consumer Privacy Act (CCPA), including:
To exercise any California privacy right, contact [email protected]. We will respond within 45 days (with a possible 45-day extension for complex requests). We will verify your identity before processing your request. California residents may also designate an authorized agent to submit requests on their behalf.
Curter does not knowingly collect personal information from individuals under the age of 16, and the Service is not directed at or intended for use by individuals under the age of 18.
Curter will not discriminate against you for exercising any privacy right described in this Section — we will not deny service, charge different prices, or provide a different level of service as a result of your privacy rights request.
Curter uses a limited set of cookies and similar technologies necessary to operate the Service:
Curter does NOT use:
You can control cookies through your browser settings. Disabling session cookies will prevent you from logging into the Service. Disabling preference cookies will cause the Service to lose your saved settings between sessions.
The Service is intended exclusively for use by licensed financial professionals and banking institutions. The Service is not directed at, and we do not knowingly collect personal information from, individuals under the age of 18. If we become aware that we have inadvertently collected personal information from a minor, we will promptly delete it. If you believe we have collected information from a minor, contact [email protected].
Curter may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:
Your continued use of the Service after the updated Policy takes effect constitutes your acceptance of the revised Policy. If you do not accept a material change, you must discontinue use of the Service and may request deletion of your User Data before the effective date of the change.
Prior versions of this Privacy Policy are archived and available upon request at [email protected].
The following table maps each privacy-related commitment in the User Agreement to the section of this Privacy Policy that addresses it, so you can verify complete coverage:
| User Agreement Provision | User Agreement Section | Privacy Policy Section |
|---|---|---|
| Privacy Policy available at curter.ai/privacy | §5.3 | Entire Policy |
| User Data not sold to third parties | §5.3 | §4.4, §7.1 |
| Commercially reasonable safeguards for User Data | §5.3 | §5.3 |
| GLBA, FCRA compliance obligations | §5.2, §14.5 | §8.1–8.3 |
| No HIPAA without BAA | §5.2 | §8.4 |
| Data breach notification to account holder | §5.4, §8.6 | §9.3 |
| User's breach notification duties to third parties | §8.6 | §9.3 (callout) |
| Third-party AI provider data transmission consent | §7.3 | §6.1–6.4 |
| Third-party AI providers' own privacy policies | §7.3 | §6.3 |
| No Curter liability for AI provider breach | §7.3, §8.3 | §6.3 |
| Curter not liable for user's decision to submit data | §6.1–6.5 | §5.2, §5.5 |
| Sales leads / proprietary info at user's own risk | §6.3 | §5.5 |
| Security protocols for submitted content | §6.3 | §5.3 |
| Data retained per Applicable Laws then deleted | §12.4 | §5.4 |
| Service Information derived from public sources | §4.4, §10.4 | §2 (table), §3.3 |
| User responsible for consents to submit third-party data | §6.2 | §5.2 |
| User Agreement incorporated by reference | §15.4 | §1 (callout) |
For any questions, concerns, or requests related to this Privacy Policy or Curter's data practices, contact:
Curter, Inc.
Privacy inquiries: [email protected]
Security incidents: [email protected]
Legal: [email protected]
Website: curter.ai
Effective: May 18, 2026 · Version 1.0 · curter.ai/privacy
© 2026 Curter, Inc.