Privacy Policy
Effective Date: April 27, 2026 | Last Reviewed: April 27, 2026
Operator: FOCUS SYSTEMS CONSULTING CORP (DBA FintekFlow) · Texas Taxpayer No. 32103509330
1. Introduction and Scope
This Privacy Policy ("Policy") governs the collection, processing, storage, and disclosure of personal and financial information by FOCUS SYSTEMS CONSULTING CORP, a Texas corporation doing business as FintekFlow ("Company," "we," "us," or "our").
FintekFlow operates exclusively as a pass-through compliance middleware — a secure, technology-enabled clearinghouse that computes Ability-to-Repay (ATR) metrics and Debt-to-Income (DTI) ratios to assist property operators, landlords, and real estate developers in meeting federal underwriting standards. This Policy applies to all end-users ("Applicants") and platform subscribers ("Operators") who interact with any FintekFlow product or service.
2. Pass-Through Entity Declaration
FOCUS SYSTEMS CONSULTING CORP is NOT a Consumer Reporting Agency (CRA) as defined under the Fair Credit Reporting Act, 15 U.S.C. § 1681a(f). We do not assemble or evaluate consumer credit information for the purpose of furnishing consumer reports to third parties. We do not originate loans, extend credit, or participate in any credit decision as a principal party. Our sole function is to apply objective, algorithmic computations to real-time bank transaction data provided by the Applicant, and to return a standardized compliance output (the "ATR Certificate") to the designated Operator.
Because we are not a CRA under FCRA § 1681a(f), FCRA's adverse-action notice requirements (15 U.S.C. § 1681m) do not apply to our outputs as such. However, Operators who use our ATR Certificate as a factor in a credit or housing decision may independently bear adverse-action obligations. FOCUS SYSTEMS CONSULTING CORP expressly disclaims all liability arising from an Operator's use of our outputs as a basis for adverse action.
3. Information We Collect
We collect only the minimum information necessary to generate a valid ATR Certificate. Specifically:
- Identity Verification Data: Legal first and last name, email address, phone number, residential zip code, and the last four (4) digits of your Social Security Number or Individual Taxpayer Identification Number (SSN/ITIN), collected solely for identity-matching purposes.
- Open Banking Transaction Data (via Plaid): With your explicit, informed consent, we initiate a tokenized bank-data session through Plaid Inc., our exclusive Open Banking integration partner. This session retrieves up to ninety (90) days of debit/credit transaction history from the Applicant's designated financial institution(s). This data is used exclusively to compute net monthly income and recurring liability figures.
- Computed Compliance Outputs: Derived metrics including DTI ratio, Coverage Ratio, monthly net income, and a binary or tiered ATR verdict.
4. Open Banking Integration and Plaid Credential Flow
FintekFlow integrates with Plaid Inc. (https://plaid.com) to facilitate secure, consent-based access to bank transaction data. The credential flow operates as follows:
- Applicant Consent: The Applicant is presented with a Plaid Link modal and explicitly authorizes the connection to their financial institution.
- Tokenized Authentication: The Applicant's banking credentials (username and password) are entered directly into Plaid's encrypted interface and are transmitted exclusively to Plaid's servers using TLS 1.3. FOCUS SYSTEMS CONSULTING CORP never receives, views, intercepts, or stores raw banking credentials of any kind.
- Access Token Issuance: Upon successful authentication, Plaid issues a short-lived, revocable access token to FintekFlow. This token permits a one-time, read-only retrieval of transaction data within the authorized scope.
- Data Retrieval and Immediate Processing: FintekFlow retrieves the transaction dataset, applies its ATR algorithm in-memory, and generates the compliance output. The raw transaction data is permanently purged upon completion of the computation cycle (see Section 5).
- Token Revocation: Upon completion of the certification cycle, the Plaid access token is invalidated. No persistent link to the Applicant's bank account is maintained by FOCUS SYSTEMS CONSULTING CORP.
Applicants should review Plaid's End User Privacy Policy at plaid.com/legal/end-user-privacy-policy for information on how Plaid processes their data.
5. Zero-Retention Policy — GLBA Safeguards Rule Compliance
FOCUS SYSTEMS CONSULTING CORP has designed its data architecture in strict accordance with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, 16 C.F.R. Part 314, as amended by the Federal Trade Commission's 2021 Final Rule (effective June 9, 2023). Our Zero-Retention Policy embodies the principle of data minimization and constitutes the cornerstone of our information security program.
- Zero Storage of Raw Transactional Data: The raw bank transaction records retrieved via Plaid are processed entirely in volatile memory (RAM). Upon generation of the ATR Certificate, all raw transactional data is irreversibly purged from our active systems. No raw transaction record is written to any persistent storage medium — including our production databases, backups, or logging infrastructure.
- Zero Storage of Banking Credentials: As described in Section 4, FOCUS SYSTEMS CONSULTING CORP maintains zero possession of banking login credentials at any point in the data flow. This design choice eliminates credential-breach risk at the platform level entirely.
- Retained Data — Minimum Compliance Set: Following purge of raw data, we retain only the following minimum dataset required for federal compliance and audit purposes:
  - Applicant basic PII (name, email, last 4 SSN/ITIN digits)
  - The final ATR verdict and computed DTI/Coverage Ratio
  - An immutable cryptographic audit hash (SHA-256) of the computation event, linked to a timestamp and the Operator's account identifier
  - The date and method of Applicant consent
- Compliance with 16 C.F.R. Part 314: Our security program includes, without limitation: designation of a qualified individual to oversee the program; risk assessments; implementation of administrative, technical, and physical safeguards; continuous monitoring; staff training; and incident response procedures.
6. Equal Credit Opportunity Act (ECOA) — Regulation B Record Retention
Although FOCUS SYSTEMS CONSULTING CORP is not a creditor as defined under Regulation B (12 C.F.R. Part 1002), our Operator clients may be subject to ECOA's record retention obligations. To facilitate Operator compliance, we retain the minimum compliance set described in Section 5 in accordance with the following Regulation B schedules:
- Standard Applications (Regulation B § 1002.12(b)(1)): Records related to any credit application — including the ATR Certificate and associated audit hash — are retained for a minimum of twelve (12) months from the date of the application action (approval, denial, or withdrawal).
- Business Credit Applications (Regulation B § 1002.12(b)(2)): Records related to applications for business credit are retained for a minimum of twenty-five (25) months from the date of notification of the action taken.
- Regulatory and Law-Enforcement Access: In the event of a formal investigation or inquiry by the Consumer Financial Protection Bureau (CFPB), the U.S. Department of Justice, or any other federal or state regulatory authority, we will retain all relevant records for the duration of such proceeding and provide access as required by applicable law and valid legal process.
7. Data Security Safeguards
FOCUS SYSTEMS CONSULTING CORP employs enterprise-grade, defense-in-depth security controls:
- Encryption in Transit: All data in transit between Applicant devices, our servers, and third-party APIs (including Plaid) is encrypted via TLS 1.3.
- Encryption at Rest: The minimum compliance dataset retained in our isolated PostgreSQL databases is encrypted at rest using AES-256.
- Access Controls: Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA) are enforced on all administrative access to production infrastructure.
- Cryptographic Audit Trail: Every ATR computation event is immutably logged with an SHA-256 hash, providing a tamper-evident audit trail for regulatory review.
- Vendor Security: We conduct due diligence on all third-party service providers, including Plaid, to ensure their security programs are commensurate with our own.
8. Disclosure of Information
FOCUS SYSTEMS CONSULTING CORP shares information only in the following limited circumstances:
- With Authorized Operators: The ATR Certificate (comprising the compliance verdict, DTI/Coverage Ratio, and audit hash) is disclosed exclusively to the specific Operator who initiated the certification request on behalf of the Applicant, and only in the context of an active, executed service agreement.
- With Service Providers: We disclose data to sub-processors (e.g., Plaid, cloud infrastructure providers) solely to the extent necessary to deliver the service, under contractual confidentiality obligations no less protective than this Policy.
- As Required by Law: We may disclose information in response to a valid subpoena, court order, regulatory demand, or as otherwise required by applicable federal or state law.
- No Sale of Data: FOCUS SYSTEMS CONSULTING CORP does not sell, rent, license, or otherwise transfer personal or financial data to any third party for commercial purposes. We derive no revenue from data brokerage activities.
9. Your Privacy Rights
Depending on your jurisdiction of residence, you may have the right to request access to, correction of, or deletion of your personal information held by FOCUS SYSTEMS CONSULTING CORP. To exercise these rights, please submit a written request to our Compliance Team at the contact information below. We will respond within thirty (30) calendar days.
In the event you believe your data has been processed in violation of this Policy or applicable law, you have the right to lodge a complaint with the relevant supervisory authority, including but not limited to the Federal Trade Commission (FTC) or the Consumer Financial Protection Bureau (CFPB).
10. Amendments to This Policy
FOCUS SYSTEMS CONSULTING CORP reserves the right to amend this Policy at any time. Material changes will be communicated to registered Operators and Applicants via the email address on file, with a minimum of thirty (30) calendar days' advance notice prior to the effective date of the amendment.
11. Contact — Compliance Team
All inquiries regarding this Privacy Policy, data subject rights requests, or GLBA compliance matters should be directed to:
FOCUS SYSTEMS CONSULTING CORP
DBA FintekFlow
State of Incorporation: Texas
Texas Taxpayer No. 32103509330
Compliance & Privacy Inquiries: ceo@fintekflow.com
Website: fintekflow.com