Privacy Policy for BrokerFlow

Last Updated: April 26, 2026

Status: Data Processor (SaaS Provider)

Contact: enquiries@broker-flow.com

1. Our Role and User Categories

BrokerFlow is a SaaS platform providing document automation for mortgage professionals. We process data for three main groups:

• The Broker: Individual mortgage advisors using the platform.
• The Firm Principal: Administrative or compliance leads with oversight across the entire firm.
• The Client: Homebuyers or individuals seeking a re-mortgage who use our secure upload portal.

In all cases, the Mortgage Firm is the Data Controller, and BrokerFlow is the Data Processor.

2. Client Portals & Data Collection

We provide a secure environment for clients (homebuyers and re-mortgage applicants) to upload sensitive financial evidence. This includes:

• Identity Docs: Passports, driving licenses, and proof of address.
• Financial Evidence: Payslips, P60s, and bank statements required for mortgage or re-mortgage assessments.
• Application Data: Property details and current mortgage information for re-mortgage cases.

3. AI Processing (The "Zero-Training" Guarantee)

BrokerFlow uses Anthropic's Claude AI to extract data from uploaded documents.

• Privacy-First Extraction: Data is sent via a private, encrypted API for analysis.
• No Retention in AI: The AI extracts the necessary data points and immediately "forgets" the document.
• Zero Training: We do not use any client documents or extracted data to train or improve the AI models. Your clients' sensitive data never becomes part of a public or private training set.

4. Storage and Data Residency (Supabase)

We use Supabase for our database and file storage infrastructure.

• Data Residency: All personal data and documents are stored on secure servers located within the European Union (EU). This is compliant with UK GDPR under the existing adequacy regulations.
• Encryption: All data is encrypted at rest (AES-256) and in transit (TLS 1.3).

5. Access and Control (Hierarchy)

To ensure firm-wide compliance and oversight, BrokerFlow is built with a hierarchical access model:

• The Broker: Has access to the data of the clients they are personally managing.
• The Firm Principal: Has high-level access to all data processed within their firm for compliance auditing, quality control, and business continuity purposes.
• BrokerFlow Staff: Have no access to your client documents unless explicitly requested for technical support.

6. Third-Party Sub-Processors

We only utilize a limited number of "Best-in-Class" sub-processors:

• Database & Storage: Supabase (EU-based servers).
• AI Analysis: Anthropic (Claude API).
• Payments: Stripe (for brokerage subscription management).

7. Data Deletion

We store documents at the direction of the Broker/Firm Principal. Once a file or client record is deleted by the firm, it is permanently removed from our Supabase storage buckets and databases.