Privacy Policy



Introduction

Hitch Equity (“Hitch”, “we”, “our”, or “us”) is a financial technology company that provides digital infrastructure,

platforms, and related services to financial institutions, lenders, brokers, and other authorized partners (“Clients”).

Hitch acts primarily as a Data Processor, processing personal data solely on behalf of and under the documented

instructions of its Clients, who act as Data Controllers.

This Privacy Policy explains:

• our role in processing personal data,

• the types of data we process,

• the safeguards we apply, and

• how individuals may exercise their rights through the appropriate controller.



Scope and Application

This Privacy Policy applies to personal data processed through:

• Hitch’s home-equity and lending technology platforms

• White-label and partner-branded portals

• APIs, integrations, and analytics tools

• Associated websites and operational systems

This policy applies only to data processed in the context of providing services to Clients.



Our Role and Responsibilities

As a Data Processor

Hitch:

• Does not determine the purposes or means of processing borrower or applicant data

• Processes personal data only to deliver contracted services

• Acts in accordance with Data Processing Agreements (DPAs) and applicable law



Client Responsibilities (Data Controllers)

Our Clients are responsible for:

• Determining the lawful basis for processing

• Providing privacy notices to individuals

• Responding to data subject rights requests

• Making final lending or eligibility decisions

If you are an individual whose data is processed via our platform, your primary relationship is with the Client, not

Hitch.



Categories of Personal Data Processed

Depending on Client instructions, Hitch may process:

Personal and Identification Data

• Name, date of birth

• Contact details

• Government-issued identifiers (where required)

Financial and Property Data

• Income and employment information

• Credit-related data

• Property and asset details

Technical and Usage Data

• IP addresses and device identifiers

• System logs and audit trails

• Platform usage metadata

Hitch processes only the minimum data necessary to perform the services.



Purposes of Processing

Hitch processes personal data solely to:

• Provide and operate fintech platforms

• Support loan origination and underwriting workflows

• Enable identity, credit, and fraud-prevention checks

• Maintain system security and integrity

• Meet contractual, legal, and regulatory obligations

Hitch does not independently use personal data for marketing, profiling, or unrelated analytics.



Legal Bases for Processing

As a Data Processor, Hitch relies on the lawful bases determined by its Clients, which may include:

• Performance of a contract

• Compliance with legal obligations

• Legitimate interests

• Consent, where applicable

Clients are responsible for communicating these bases to individuals.



Sub-Processors and Data Sharing

• Hitch may engage vetted sub-processors, such as cloud hosting, security, or verification providers.

• All sub-processors are contractually bound by data protection obligations

• Hitch conducts due diligence and ongoing oversight

• Hitch does not sell personal data

• A list of sub-processors may be made available to Clients upon request.



International Data Transfers

Where data is transferred internationally, Hitch implements appropriate safeguards, including:

• Standard Contractual Clauses (SCCs)

• Contractual data protection commitments

• Encryption and access controls



Data Security Measures

Hitch maintains technical and organizational measures aligned with recognized security standards, including:

• Encryption in transit and at rest

• Role-based access controls and least-privilege principles

• Logging, monitoring, and audit trails

• Incident detection and response procedures

• Regular security assessments and employee training

No system is entirely risk-free; however, Hitch continuously evaluates and improves its security posture.



Data Retention and Disposal

Personal data is retained only:

• for the duration instructed by Clients,

• as required to provide services, or

• as mandated by applicable law.

• Upon termination of services, data is returned or securely deleted, subject to legal requirements.



Data Subject Rights

Requests relating to access, correction, deletion, or restriction of processing should be directed to the relevant Client

(Data Controller).

Where required by law, Hitch will reasonably assist Clients in fulfilling such requests.



Breach Notification

In the event of a personal data breach, Hitch will:

• Notify affected Clients without undue delay

• Provide relevant details to support regulatory and individual notifications

• Cooperate fully with Clients and authorities as required by law



Privacy by Design and Default

Hitch incorporates privacy and data protection principles into system design and operations, including:

• Data minimization

• Access limitation

• Secure defaults

• Risk assessments for new processing activities



Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated through appropriate channels.



Contact Information

For privacy-related inquiries:

Email: william@usehitch.com

Company: Hitch Equity

If you are an individual seeking information about your data, please contact the financial institution or lender through

whom you applied.