Privacy Policy

Cake Mortgage Corp. ("Cake," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you visit our website caketpo.com, use our broker application portal, or interact with our services.

When you submit a Mortgage Broker Application through our portal, we collect: • Business Information: Legal entity name, DBA, street address, city, state, ZIP code, phone, fax, company email, business type, Federal Tax ID/EIN, date of incorporation, state of incorporation • Principal/Officer Information: Names, titles, ownership percentages, and last four digits of Social Security Numbers of company principals and senior officers • Broker of Record Information: Name, license number, NMLS numbers, date issued, expiration date, home address, email, date of birth, and Social Security Number (for FCRA background check authorization) • Financial Information: Production volume data, lender references, government agency approval numbers • Uploaded Documents: Corporate resolution, W-9, licenses, resumes, articles of incorporation, financial statements, quality control plans, and other supporting documentation • Electronic Signatures: Typed or drawn signature images, signer name, title, date, and consent acknowledgments • Compensation Election: Selected compensation plan, flat fee, and maximum compensation preferences

When you submit a contact form or inquiry, we collect your name, email address, company name, phone number, and any message content you provide.

We automatically collect certain technical information when you visit our website: • IP address and approximate geographic location (city, state, country) • Browser type and user agent string • Pages visited and time spent on each page • Referring URL and session duration • Timestamps of form submissions

If you subscribe to our newsletter, we collect your email address and IP address for delivery and anti-abuse purposes.

We use the information we collect for the following purposes: • Processing broker applications: Evaluating, approving, and onboarding new broker partners • Background checks: Conducting credit and background checks as authorized by you under the Fair Credit Reporting Act (FCRA) • Communication: Responding to inquiries, sending application status updates, and providing customer support • Compliance: Meeting regulatory obligations under GLBA, RESPA, and applicable state and federal laws • Security: Detecting and preventing fraud, unauthorized access, and abuse • Improving our services: Analyzing website usage patterns to improve user experience

Sensitive fields including Social Security Numbers, Federal Tax IDs, and dates of birth are encrypted using AES-256-GCM before storage. Only authorized server processes can decrypt this data.

All data transmitted between your browser and our servers is protected by TLS 1.2+ (HTTPS). We enforce HSTS (HTTP Strict Transport Security).

Uploaded documents are stored in a private encrypted storage bucket. Access requires authenticated, time-limited signed URLs that expire after 15 minutes.

All admin accounts with access to broker data are required to use two-factor authentication (TOTP).

All access to sensitive data (document views, PDF downloads, status changes) is logged with user identity, IP address, and timestamp.

Role-based access ensures only authorized personnel can view broker application data. Different roles have different access levels.

Form submission endpoints are rate-limited to prevent abuse.

We do not sell, rent, or trade your personal information. We may share your information with: • Credit Reporting Agencies: Credit Plus and LexisNexis, as authorized by you in the FCRA authorization, for the purpose of conducting background checks • Service Providers: Third-party services that help us operate our business (email delivery, cloud hosting, data storage), subject to confidentiality agreements • Regulatory Authorities: When required by law, regulation, or legal process, or to protect the rights, property, or safety of Cake Mortgage Corp., our partners, or the public • Business Transfers: In connection with a merger, acquisition, or sale of all or a portion of our assets

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected: • Active broker applications: Retained for the duration of the business relationship plus 7 years for regulatory compliance • Declined applications: Retained for 3 years, then securely deleted • Contact form inquiries: Retained for 2 years • Website analytics data: Retained for 1 year • Auto-saved form drafts: Stored locally in your browser only; sensitive fields (SSN, DOB, Tax ID) are never saved to browser storage

If you are a California resident, you have the right to: • Know what personal information we collect and how it is used • Request deletion of your personal information • Opt out of the sale of your personal information (we do not sell personal information) • Non-discrimination for exercising your privacy rights

Regardless of your location, you may: • Request access to the personal information we hold about you • Request correction of inaccurate information • Request deletion of your personal information, subject to regulatory retention requirements • Withdraw consent for marketing communications at any time To exercise any of these rights, contact us at info@cakehome.com.

As a mortgage lender, Cake Mortgage Corp. complies with the Gramm-Leach-Bliley Act (GLBA). We: • Provide this privacy notice to all applicants • Implement administrative, technical, and physical safeguards to protect nonpublic personal information (NPI) • Limit access to NPI to authorized employees who need it for their job functions • Do not share NPI with non-affiliated third parties except as permitted by law • Encrypt sensitive NPI at rest using AES-256-GCM encryption

Our website uses essential cookies for authentication and session management. We do not use third-party advertising cookies or trackers. Our analytics are self-hosted and do not share data with external parties.

We use the following third-party services in the operation of our website and application portal: • Supabase (database and authentication) — data stored in the United States • Vercel (website hosting) — global CDN with US-based origin servers • Resend (email delivery) — for transactional and notification emails • Credit Plus / LexisNexis (background checks) — only when explicitly authorized by the applicant

Our services are intended for mortgage industry professionals and are not directed at individuals under the age of 18. We do not knowingly collect personal information from minors.

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of our services after any changes constitutes acceptance of the updated policy.