Privacy Policy

This Privacy Policy describes how Hardline Lending, Inc. (entity status pending confirmation)(“we,” “us,” “Hardline”) collects, uses, shares, and protects personal information when you use the Hardline platform at hardlinelending.com (the “Service”). The Service is offered only to United States residents acting for business or investment purposes. We do not knowingly serve users located in the European Union, the United Kingdom, or the European Economic Area, and we do not currently make the Service available to residents of New York, New Jersey, Illinois, or California.

Hardline is a software marketplace; we are not a lender, broker, originator, underwriter, or fiduciary, and we do not hold funds, process loan payments, or service loans. Borrowers and lenders discover one another through the Service and reach a closing directly between themselves. Because Hardline brings together borrowers and lenders for loan transactions, Hardline is a “financial institution” under the Gramm-Leach-Bliley Act and the FTC Safeguards Rule (16 C.F.R. Part 314). See Section 9 for our GLBA Privacy Notice and Section 12 for our information-security disclosures.

For privacy inquiries: privacy@hardlinelending.com.

For privacy-rights requests (access, deletion, correction, opt-out): privacy@hardlinelending.com or hardlinelending.com/privacy-request.

For security incidents: security@hardlinelending.com.

We collect personal information from: (i) you directly when you create an account, submit a deal, upload documents, or send messages; (ii) Stripe Identity when you complete verification; (iii) automatically through cookies and similar technologies when you use the Service; and (iv) the other party to a matched transaction (for example, lender notes about a borrower deal).

We use personal information to:

• provide and operate the Hardline marketplace, including matching borrowers and lenders you have selected, facilitating communication, and enabling document exchange;
• verify your identity and screen against sanctions lists;
• detect, prevent, and respond to fraud, security incidents, and abuse;
• communicate with you about your account, security, and service updates;
• comply with legal, regulatory, tax, and recordkeeping obligations, including those imposed by the Gramm-Leach-Bliley Act, the Bank Secrecy Act (as applicable to our service providers), and tax authorities;
• enforce our Terms of Service;
• improve the Service through analytics on de-identified or aggregated data.

We collect the following categories of “sensitive personal information” under the California Privacy Rights Act and analogous state laws:

• account log-in credentials (your Hardline password, stored only as a salted hash);
• government-issued identifiers (driver’s license, state ID, or passport number), collected for identity verification by our service provider Stripe Identity; Hardline does not retain identity-document images or biometric templates;
• financial-account information you include in deal documents (for example, bank statements you upload as part of a loan submission);
• contents of communications you send to other Users through the in-platform messaging system, where Hardline is not the intended recipient;
• biometric information processed by Stripe Identity for verification (Stripe is the controller of any biometric template; Hardline does not access or store it — see Section 7).

We do not collect precise geolocation, racial or ethnic origin, religious beliefs, union membership, genetic data, health data, or information about sex life or sexual orientation.

We use sensitive personal information solely for purposes permitted under California Civil Code § 1798.121(a) and analogous provisions: (i) to perform the services you have requested; (ii) to prevent, detect, and investigate security incidents and fraudulent or illegal activity; (iii) to verify or maintain the quality of our services; and (iv) to comply with our legal obligations. We do not use or disclose sensitive personal information to infer characteristics about you. You may submit a Right to Limit request at privacy@hardlinelending.com.

Where required by state law (for example, Texas TDPSA § 541.101(b)(4)), we obtain your opt-in consent before processing sensitive personal information.

When you complete identity verification on Hardline, our service provider Stripe, Inc. (“Stripe”) captures an image of your government-issued identification and a short video selfie. Stripe uses facial-geometry technology to create a biometric identifier (“face template”) from these images and to compare it to your ID photo solely to confirm your identity. Stripe is the controller of any biometric template generated during verification, and Stripe’s handling is governed by Stripe’s privacy policy.

Hardline does not receive, store, possess, or have access to any biometric identifier or biometric information generated during verification, as those terms are defined in the Illinois Biometric Information Privacy Act (740 ILCS 14/10) and analogous laws (Tex. Bus. & Com. Code § 503.001(a); RCW 19.375.010). Hardline does not receive any face-geometry template, source image of your face or identification document, similarity score, or other data derived from your biometric identifier that could be used to identify you. Hardline receives only (i) a verification result of pass, fail, or requires-input; (ii) the Stripe Identity session reference number; and (iii) certain non-biometric document fields you authorize Stripe to release, such as the name, date of birth, and document number printed on your identification, which Hardline uses to populate your account.

Hardline retains the verification result and session reference for the duration of your account and for five (5) years thereafter, consistent with the recordkeeping requirements of 31 C.F.R. § 1010.430 and applicable state anti-fraud rules. Hardline never possesses biometric identifiers or biometric information; accordingly, the retention and destruction of any such data is governed by Stripe’s published policies. Hardline does not sell, lease, trade, or otherwise profit from biometric identifiers or biometric information.

Illinois residents. Hardline does not currently make the Service available to residents of Illinois. We do not knowingly collect, capture, receive, obtain, or otherwise acquire biometric identifiers or biometric information from Illinois residents, and we do not direct Illinois residents into the Stripe Identity verification flow. If you believe you are an Illinois resident and have nevertheless been routed into identity verification, please contact privacy@hardlinelending.com immediately so we can investigate, close your account, and request deletion of any data Stripe may have collected. If Hardline expands to Illinois in the future, we will provide pre-collection notice, obtain informed written consent and release in compliance with 740 ILCS 14/15(b), publish a retention and destruction schedule in compliance with 740 ILCS 14/15(a), and post our Biometric Data Policy at /legal/biometric-policy.

Texas and Washington residents.Hardline is not the entity that captures or possesses your biometric identifier; Stripe is. To the extent that Tex. Bus. & Com. Code § 503.001 or RCW 19.375 imposes obligations on persons who “capture” or are “in possession of” biometric identifiers, those obligations attach to Stripe. Hardline nevertheless represents that it does not sell biometric identifiers, does not retain biometric identifiers, and uses biometric verification results only for identity verification and fraud prevention.

We share personal information only as follows:

The following is provided pursuant to the Gramm-Leach-Bliley Act and Regulation P (16 C.F.R. Part 1016).

Why? Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information.

What? The types of personal information we collect and share depend on the product or service you have with us. This information can include: name, address, phone number, email; income and assets you disclose when submitting a loan deal; account history within Hardline; and government-issued identification verified through our identity-verification provider.

How? All financial companies need to share customers’ personal information to run their everyday business. Below we list the reasons financial companies can share their customers’ personal information, the reasons Hardline chooses to share, and whether you can limit this sharing.

How does Hardline protect my personal information? To protect your personal information from unauthorized access and use, we use security measures that comply with federal law, including computer safeguards, encryption in transit and at rest, multi-factor authentication for staff access, access controls, vendor oversight, periodic risk assessment and testing, employee training, and an incident-response program. These safeguards are administered under a written information security program maintained pursuant to the FTC Safeguards Rule, 16 C.F.R. Part 314.

How does Hardline collect my personal information? We collect your personal information when you open an account, submit a loan deal, provide account information, or use our service. We also collect personal information from our identity-verification provider Stripe and from the User you have matched with.

Hardline provides this notice at account creation and annually thereafter, consistent with 16 C.F.R. § 1016.4.

We use strictly necessary cookies for authentication and session management, and functional cookies for UI preferences. We use Vercel-provided basic analytics that do not identify individual users. We do not currently deploy advertising or cross-context behavioral tracking cookies. If we add analytics or advertising cookies in the future, we will update this Policy and provide an in-product cookie preferences center.

We honor the Global Privacy Control (GPC) browser signal as a request to opt out of any sale or sharing of personal information.

We retain personal information for the periods set out below, except where a longer period is required by law, requested by a regulator, needed for the resolution of a dispute or investigation, or appropriate for the enforcement of our agreements.

When retention is no longer required, we securely delete or de-identify the information. Aggregated and de-identified analytics that do not identify any individual may be retained indefinitely.

We maintain a written information security program under the FTC Safeguards Rule (16 C.F.R. Part 314) designed to be appropriate to our size, complexity, and the nature of the personal information we handle. Safeguards include access controls and least-privilege provisioning, encryption of personal information at rest and in transit, multi-factor authentication for staff access to systems that hold customer information, secure development practices, periodic risk assessment and vulnerability testing, vendor oversight, security awareness training, monitoring and logging, secure disposal, an incident-response plan, and an annual program review.

No system is perfectly secure. You should choose a strong, unique password and notify us immediately of any suspected unauthorized use of your account.

Depending on your state of residence, you may have the following rights regarding your personal information:

• Right to know / access — confirm whether we process your personal data, the categories collected, the sources, the purposes, and the categories of third parties with whom we share, and obtain a copy of the specific pieces.
• Right to delete — request deletion, subject to legal-retention exceptions including the Gramm-Leach-Bliley Act, tax recordkeeping, and ongoing dispute or fraud investigation.
• Right to correct inaccurate personal information.
• Right to opt out of the sale of personal data, of targeted advertising, and of profiling that produces legal or similarly significant effects. (We do not sell personal data or use it for targeted advertising; this opt-out is offered as a matter of practice.)
• Right to limit our use of sensitive personal information beyond statutorily permitted purposes (California).
• Right to data portability.
• Right to non-discrimination for exercising any privacy right.
• Right to appeal a denial of any request.

These rights are available to residents of California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia, subject to each state’s specific thresholds and exceptions. Florida’s Digital Bill of Rights and Washington’s My Health My Data Act apply only to controllers meeting specific revenue or sector thresholds that Hardline does not currently meet.

To exercise any right, email privacy@hardlinelending.com or visit hardlinelending.com/privacy-request. We will verify your identity by matching information you provide against our records. We will respond within 45 days; we may extend by an additional 45 days for complex requests, in which case we will notify you. Authorized agents may submit requests with written authorization signed by you.

We honor the Global Privacy Control (GPC) browser signal as a request to opt out of sale and sharing.

Hardline does not sell personal information for monetary consideration and does not share personal information with third parties for cross-context behavioral advertising. We do not deploy advertising pixels or third-party trackers from Meta, Google Ads, TikTok, LinkedIn, or similar networks.

Submit a privacy request. To exercise any privacy right — access, deletion, correction, portability, opt-out of sale or sharing, opt-out of targeted advertising or profiling, or to limit the use of sensitive personal information — email privacy@hardlinelending.com or visit /legal/privacy-choices. Authorized agents may submit on your behalf with written authorization.

Global Privacy Control.When you visit the Service with a browser or extension that sends the “Sec-GPC” signal, we treat that signal as a valid opt-out of any sale or sharing of personal information for your browser or device.

Appeals. If we deny your request, you may appeal by replying to our response or emailing privacy@hardlinelending.comwith “Appeal” in the subject line. We will respond within 60 days. You may also contact your state Attorney General.

The Service is intended only for individuals who are at least 18 years of age. We do not knowingly collect personal information from children under 18, and the Service is not directed to children. If we learn that we have collected personal information from a child under 18, we will delete it as soon as practicable. If you believe a child has provided us with personal information, please contact privacy@hardlinelending.com.

The Service is operated from the United States and is offered only to United States residents. We do not knowingly serve users located in the European Union, the United Kingdom, the European Economic Area, or other jurisdictions outside the United States. By using the Service, you consent to the transfer and processing of your information in the United States.

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days’ advance notice by email to the address on file and by in-app banner. The current version is identified by the “Last updated” date at the top; prior versions are archived at /legal/archive.

Privacy questions and requests: privacy@hardlinelending.com

Mailing address: [TO BE SUPPLIED BEFORE PUBLIC LAUNCH — required by CCPA, AAA arbitration, and breach-notification statutes]