Privacy Policy
Last updated: May 19, 2026
1. Introduction & Commitment
JacketLink("we", "us", or "our") takes the security and privacy of consumer financial documents extremely seriously. Our platform is specifically designed to eliminate the common, insecure practice of sending highly sensitive Non-Public Personal Information (NPI) — such as Social Security numbers, bank statements, and tax files — over standard unencrypted emails and mobile texts.
This Privacy Policy outlines how we collect, store, transmit, protect, and process data on behalf of our client automobile dealerships ("Dealers") who use our secure document portals.
2. Types of Data We Process
We collect and process two categories of information on our platform:
A. Dealer Account Information
When a dealership signs up for our SaaS, we collect employee names, business emails, dealership phone numbers, corporate tax IDs (EIN), and subscription billing details. This data is used solely to maintain, secure, and bill the Dealer's account.
B. Customer/Applicant Submitted Data
When a dealership creates a secure single-use deal link, the invited buyer/applicant may upload:
- Driver's Licenses (processed locally/securely using Gemini OCR for validation).
- Vehicle Trade-In Photographs (exterior, interior, odometer readings).
- Credit Application particulars (SSN, income, address, employer history).
- Automobile Insurance Cards & binders.
- Paystubs, tax W-2 returns, and utility residency bills.
3. Encryption & Security Measures
To guarantee compliance with the FTC Safeguards Rule, our platform employs state-of-the-art administrative, technical, and physical safeguards:
- Encryption in Transit: All data transmitted between the customer's device, our API, and the database is secured using High-Grade Transport Layer Security (TLS 1.3 / HTTPS).
- Encryption at Rest: Every document, credit application detail, and image is encrypted immediately upon ingestion using AES-256 (Advanced Encryption Standard) on our database servers.
- Access Control: Access to dealership portals is strictly permission-gated. A dealer representative can only view deals assigned to their dealership. Administrative dashboards utilize session token validation.
- Secure Disposal: Once a dealership terminates their subscription, all historical document vault storage is permanently purged/wiped from our servers in compliance with federal guidelines.
4. Subprocessors
We work with industry-leading, SOC 2 Type II certified cloud providers to run our applications. All data is housed inside secure US-based hosting centers. Our authorized subprocessors include:
| Subprocessor | Purpose | Security Standard |
|---|---|---|
| Vercel Inc. | Global Next.js Hosting & Edge Network | SOC 2 Type II |
| Convex Co. | Secure Document Metadata & Database | SOC 2 Type II |
| Stripe Inc. | Secure B2B Subscription Payment Processing | PCI-DSS Level 1 |
| Resend Inc. | Transaction & Alert Email Deliverability | SOC 2 Type II |
| Google Cloud / Gemini | Secure AI Document OCR Verification | SOC 2 Type II |
5. How We Use and Share Information
WE DO NOT SELL YOUR PERSONAL OR BUSINESS DATA.
We will never sell, rent, or monetize dealer records, employee rosters, or customer applications. We process and present files solely for the invited dealership so they can verify documents, auto-fill credit paperwork, and close deals.
We may share information only in the following restricted scenarios:
- To secure and support our technical infrastructure via our authorized subprocessors listed above.
- To comply with a valid court order, subpoena, federal inquiry, or regulatory audit.
- To prevent immediate fraud, active cybersecurity threats, or illegal dealer activity.
6. Dealer Safeguard Obligations
Dealerships are classified as "Financial Institutions" under the Gramm-Leach-Bliley Act (GLBA). Accordingly, Dealer warrants that it complies with the FTC Safeguards Rule. In particular, the Dealer agrees to implement robust terminal security, enable operating system firewalls, train staff on social engineering, and ensure that custom deal links are sent only to authorized car buyers.
7. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will post the revised copy here and update the "Last updated" date at the top. Dealers will receive an admin notification if subprocessors are added or removed, as required by corporate Data Processing Agreements (DPAs).