Privacy Policy

PMI Ninja, operated by Hint Holdings LLC ("we," "us," or "our"), provides a Private Mortgage Insurance removal service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at pmininja.com or use our services.

Personal Information

When you use our service, we may collect:

• Name and email address
• Property address
• IP address (captured when you sign the authorization)

Financial Information

To evaluate your PMI removal eligibility, we collect:

• Mortgage lender name and loan number
• Current loan balance and monthly payment
• PMI amount and interest rate
• Original loan amount and origination date
• Mortgage statements you upload

Payment Information

Payment processing is handled by Stripe, Inc. We do not store your credit card number, expiration date, or CVV on our servers. We retain your Stripe session and payment intent identifiers, payment amount, and payment status for our records.

Automatically Collected Information

When you access our website, we may collect device information, browser type, referring URLs, and pages visited through standard web server logs.

We use the information we collect to:

• Evaluate your eligibility for PMI removal
• Extract mortgage data from uploaded statements using AI-powered document analysis
• Contact your mortgage lender on your behalf as authorized
• Manage your PMI removal case from submission through completion
• Process payments for our service
• Send transactional emails (sign-in links, payment confirmations, case status updates)
• Send reminder emails to help you complete the onboarding process
• Respond to your inquiries and provide customer support
• Comply with legal obligations

We share your information only in the following circumstances:

• With your mortgage lender/servicer: When you sign our authorization, you grant us permission to contact your lender on your behalf to manage the PMI removal process.
• Service providers (subprocessors): We use the third-party services listed below. Each one processes your data solely to provide its service to us, under a written agreement that restricts further use.
  • Supabase — managed Postgres database, authentication, and file storage. Receives your account profile, onboarding responses, mortgage data, uploaded documents, and signed authorization PDFs.
  • Stripe— payment processing and subscription billing. Receives your name, email, billing address, and payment-card details (card data is entered directly into Stripe's hosted form and does not transit our servers).
  • Resend — transactional email delivery. Receives your email address and the contents of messages we send you (sign-in links, status updates, receipts).
  • Anthropic — AI-powered document analysis. Receives the contents of mortgage statements you upload for the purpose of extracting structured loan data; processed under a no-training data-processing agreement.
  • Vercel — application hosting and content delivery. Receives all request data necessary to serve our website, including IP address, user agent, and request paths, as part of standard web-server logs.
  • Sentry — error monitoring and performance diagnostics. Receives error stack traces and limited request metadata. Sensitive fields (SSN, DOB, full address, auth tokens) are scrubbed before transmission; session replay of pages handling personal information is disabled.
  • Upstash — Redis-backed rate-limiting. Receives transient IP-derived identifiers used to enforce per-endpoint request limits.
  • Google Workspace — email mailbox for our support and notice addresses. Receives email you send to us.
• Legal requirements: We may disclose your information if required by law, regulation, legal process, or governmental request.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

We implement industry-standard security measures to protect your data. Your mortgage statements are stored in encrypted cloud storage with access restricted to your user account. Authentication is handled via secure, passwordless magic links. All data is transmitted over HTTPS/TLS encryption.

While we take reasonable steps to protect your information, no method of electronic storage or transmission is 100% secure.

We retain your personal and financial information for the duration of your account and for a reasonable period thereafter to comply with legal obligations, resolve disputes, and enforce our agreements. Authorization records and payment history are retained as legal and financial records.

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your personal information
• Opt out of marketing communications
• Request a portable copy of your data

To exercise any of these rights, contact us at support@pmininja.com.

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), gives you the following rights:

• Right to Know — request the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties we have shared it with
• Right to Delete — request deletion of personal information we have collected about you, subject to legal exceptions (for example, records we must retain to comply with mortgage-adjacent recordkeeping rules or tax law)
• Right to Correct — request correction of inaccurate personal information
• Right to Opt Out of Sale or Sharing— see the "Do Not Sell or Share My Personal Information" statement below
• Right to Non-Discrimination — exercise these rights without penalty

To submit a request, email privacy@pmininja.com or support@pmininja.com with the subject line "CCPA Request" and a description of your request. We will respond within 45 days. We may need to verify your identity before fulfilling the request; if you are an account holder, we typically verify by confirming a magic-link sign-in to the email address on file. You may also authorize an agent to submit a request on your behalf.

Do Not Sell or Share My Personal Information

We do not sell your personal information.We also do not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA. We have not done so in the prior 12 months and have no plans to. If our practices ever change, we will update this Policy and present a dedicated "Do Not Sell or Share" link before any such activity begins.

We use essential cookies for authentication and session management — these are required for the service to function and cannot be turned off through cookie controls. We do not use third-party advertising or behavioral-targeting cookies.

We use Sentry for error monitoring; Sentry may set a first-party identifier to correlate errors within a single session. We do not currently operate a third-party analytics product that uses cookies. If we add one, we will update this Policy and, where required by law, present a cookie banner before any non-essential tracking is set.

Our service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last Updated" date.

If you have questions about this Privacy Policy or our data practices, contact us at:

Hint Holdings LLC (d/b/a PMI Ninja)
Email: support@pmininja.com