Privacy Policy

Last updated: May 18, 2026

1. Introduction

BrokerOS ("we," "our," or "us") is committed to protecting your privacy and the privacy of your clients. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mortgage broker platform and services.

2. Information We Collect

2.1 Client Information

We collect client information that you provide, including but not limited to:

  • Personal identification information (name, date of birth, address)
  • Contact information (email, phone number)
  • Financial information (income, employment details, property information)
  • Documentation related to mortgage applications

2.2 ID and Contact Screenshot Scanning

When you use our scanning feature to extract client information from government-issued identification documents (driver's licenses, passports, provincial ID cards) or screenshots containing client contact details, the following applies:

  • In-Memory Processing Only: Uploaded IDs and screenshots are processed entirely in memory. The uploaded image or PDF is never stored on our servers, in our database, or in any persistent storage.
  • Third-Party AI Processing: To extract information from uploaded IDs and screenshots, we use Google Gemini AI service. Your client's uploaded file is securely transmitted to Google's servers for processing.
  • Data Transmission: Uploaded files are sent to Google via encrypted HTTPS connections.
  • Immediate Discard: After information extraction is complete, the uploaded file is immediately discarded from memory. Only the extracted text data (name, email, phone, address, date of birth, etc.) is retained in your application records.
  • Google's Data Retention: Google may retain the uploaded data for up to 18 months according to their privacy policy. We recommend reviewing Google's privacy policy for details on their data handling practices.

3. How We Use Your Information

We use the information we collect to:

  • Provide and maintain our mortgage broker platform services
  • Process mortgage applications and calculate financial ratios
  • Match clients with appropriate lenders
  • Generate submission documents and reports
  • Improve our services and user experience
  • Comply with legal obligations and regulatory requirements

4. Third-Party Services & Google User Data

BrokerOS integrates with Google and Microsoft services. This section comprehensively discloses how we access, use, store, and share user data from these providers.

4.1 Google Services

We use the following Google services. When you connect or use these features, your data is processed as described below:

  • Google Drive: If you connect Google Drive, we request access to store and organize documents. We receive and store your Google account email and OAuth tokens. Documents you choose to sync are uploaded to your Google Drive. We do not access files beyond what you explicitly sync.
  • Google Gemini AI: We use Google Gemini AI for multiple features: ID and contact screenshot scanning, bank statement analysis, credit report extraction, income/employment document processing, mortgage statement analysis, document classification, AI assistant chat, marketing content generation, and paystub data extraction. Documents, screenshots, and content you submit for these features are transmitted to Google's servers for processing. Uploaded files are processed in memory and not stored on our servers; only extracted data is retained. Google may retain submitted content according to their privacy policy (up to 18 months for some data).
  • Google Calendar & Gmail (via Nylas): If you connect your Google account for calendar or email, we use Nylas as an intermediary. We receive access to read and write calendar events and to read, send, and modify emails. This enables calendar sync, email integration, and related features. Nylas processes your data per their privacy policy; we store only the data necessary to provide our services.
  • Google Contacts: If you connect Google Contacts, we request access to read and sync your contacts for CRM and contact management. We store contact data and OAuth tokens necessary to provide these features.

Data sharing and disclosures: BrokerOS does not sell, rent, or trade your Google user data to third parties. We do not transfer or disclose your Google user data for advertising, data brokerage, or any purpose unrelated to providing and improving our application's core features.

We may disclose or transfer Google user data only as follows: (1) to Google when you use Google Drive, Google Gemini AI, or Google Contacts; (2) to Nylas when you connect Gmail or Google Calendar for email and calendar sync; and (3) to our infrastructure providers (for example, Supabase) solely to host and operate the application, limited to what is necessary for the features you enable. We do not use Google user data for serving ads.

The use and transfer of raw or derived user data received from Google Workspace APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. See the Google API Services User Data Policy.

Sensitive and restricted scopes: Some Google OAuth permissions we request (for example, for Gmail or Google Calendar) are classified by Google as sensitive or restricted. Those features must follow Google's OAuth verification rules and the stricter handling rules in the User Data Policy. For context, see Google's Verification requirements and OAuth App Verification Help Center. Our use of Google user data is limited to the practices described in this Privacy Policy and must conform with Google's Limited Use requirements.

Limited Use — how we use Google user data: Raw data from Google APIs, and any data aggregated, anonymized, or derived from it, is used only to provide or improve user-facing features of BrokerOS that are visible when you use Google-connected features. We do not transfer or sell Google user data to advertising platforms, data brokers, or information resellers. We do not use Google user data to serve ads, including retargeting, personalized, or interest-based advertising. We do not use Google user data to determine credit-worthiness or for lending purposes. Other transfers or uses of Google user data are not permitted except as described in this policy (including for security, legal compliance, or subprocessors strictly necessary to operate the features you enable).

Permitted transfers (summary): Under the User Data Policy, transfers are allowed only in limited circumstances—for example, to provide or improve appropriate user-facing features with consent where required, for security (such as investigating abuse), to comply with applicable laws, or as part of a merger, acquisition, or sale of assets after explicit prior user consent. Our transfers to Google, Nylas, and infrastructure providers are consistent with providing the features you choose to connect and are described above.

Human access to Google user data: We do not allow BrokerOS personnel to read your Google user data (for example, the content of your emails or calendar events) except where permitted under the Google API Services User Data Policy—such as with your affirmative agreement to view specific messages, files, or other data (for example, when you request support that requires it), when necessary for security (for example, investigating a bug or abuse), when necessary to comply with applicable law, or when data is aggregated and used for internal operations in accordance with applicable legal requirements.

Personnel and subprocessors: We require employees, contractors, agents, and successors who may handle Google user data to comply with the Google API Services User Data Policy and with this Privacy Policy.

Your control and revocation: You can disconnect Google integrations in BrokerOS (for example, through Settings → Integrations). You can also revoke BrokerOS's access to your Google Account at any time in your Google Account security settings; after revocation, we stop receiving new data from Google subject to normal sync and propagation delays.

Transparency and updates: Google requires that your privacy policy thoroughly disclose how your application accesses, uses, stores, or shares Google user data, and that your use stays within what is disclosed. If we materially change how we handle Google user data, we will update this page and the "Last updated" date and, where required, notify you and obtain consent before new uses.

For all Google services, you can review Google's privacy policy at: https://policies.google.com/privacy

4.2 Microsoft Services

If you connect your Microsoft 365 or Outlook account for calendar or email, we use Nylas as an intermediary. We receive access to:

  • Microsoft Calendar: Read and write access to your calendar events for sync and scheduling features.
  • Microsoft Email: Read, send, and modify access to your email for email integration features.

We store only the data necessary to provide our services. Microsoft and Nylas process your data according to their respective privacy policies.

4.3 Other Third-Party Services

We may use other third-party services for hosting, analytics, e-signing, and other operational purposes. All third-party services are required to maintain appropriate security measures and comply with applicable privacy laws.

5. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption: All data is encrypted in transit (HTTPS) and at rest
  • Access Controls: Multi-tenant architecture with Row-Level Security (RLS) ensures data isolation between organizations
  • Authentication: Secure authentication and authorization mechanisms
  • Audit Logging: All sensitive operations are logged for security and compliance
  • No Local Storage of IDs or Screenshots: Uploaded IDs and contact screenshots are never stored on our servers - they are processed in memory only and immediately discarded

6. Data Retention

We retain your application data and client information for as long as necessary to provide our services and comply with legal obligations. Uploaded ID images and contact screenshots are never stored - only the extracted information is retained in your application records.

7. Your Rights (PIPEDA Compliance)

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:

  • Access your personal information
  • Request correction of inaccurate information
  • Withdraw consent for data processing (subject to legal and contractual obligations)
  • File a complaint with the Privacy Commissioner of Canada

To exercise these rights, please contact us at the information provided below.

8. Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes, we will post the updated policy on this page and update the "Last updated" date. If we change how we access, use, store, or share your data (including Google or Microsoft user data), we will notify you by email to your account address and/or through a prominent notice in the app. We encourage you to review this Privacy Policy periodically for any changes.

10. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

BrokerOS Privacy Team

Email: info@brokerospro.com

Address: 2207 90B St, Edmonton, AB

Important Notice About Document Processing

When you use our ID scanning, document analysis, or AI features, documents and content may be processed by Google Gemini AI. Document images are never stored on our servers—they are processed in memory and discarded after extraction. However, Google may retain submitted data according to their privacy policy. By using these features, you acknowledge and consent to this third-party processing.

Terms of Use|Back to Home