Privacy Policy

This Privacy Policy describes how ShopDPA LLC, a Texas limited liability
company doing business as ShopDPA® (“ShopDPA,” “we,”
“us,” or “our”), collects, uses, shares, and protects your information
when you visit or use shopdpa.com and any related subdomains,
brand sites, or services we operate (collectively, the “Site”). By using the Site,
you acknowledge that you have read and understood this Privacy Policy.

1. About ShopDPA

ShopDPA is a Texas-focused home loan referral and matching service. We help
Texas homebuyers learn about and apply for state down payment assistance programs —
including programs run by the Texas State Affordable Housing Corporation (TSAHC) and the
Texas Department of Housing and Community Affairs (TDHCA), the federal Mortgage Credit
Certificate (MCC), and other state and federal homeownership programs — and we connect
qualified buyers with licensed mortgage professionals in our partner network.

ShopDPA is not a licensed mortgage broker, lender, or loan officer. We do
not originate, fund, approve, deny, or service mortgage loans. We are not a government agency.

2. The information we collect

2.1 Information you give us directly

When you submit a form, sign up for emails, contact us, or otherwise interact with the Site, you may give us:

Identity and contact information: name, email address, phone number(s), mailing address (when applicable).
Eligibility information: ZIP code, county, household income range, household size, first-time-homebuyer status, target home price range, target timeline to purchase, employment category, credit-score range (self-reported tier), and similar information needed to identify which down payment assistance programs and lenders may be a fit.
Veteran status: whether you are an active-duty service member, veteran, or qualifying surviving spouse (for VA loan and Texas Veterans Land Board program eligibility).
Communications: the content of emails, text messages, and form submissions you send us.

We do not collect Social Security numbers, full dates of birth, driver’s
license numbers, government ID numbers, full bank account numbers, or full credit card
numbers on the Site. If you are referred to a partner mortgage professional and proceed with
a loan application, that partner — not ShopDPA — will collect any such information
directly from you under their own privacy practices.

2.2 Information we collect automatically

When you visit the Site, we and our service providers automatically collect:

Device and connection data: IP address, browser type and version, operating system, device type, screen size, language preference.
Usage data: pages visited, time spent, links clicked, referring URL, search terms (when applicable), session start and end times.
Location data: approximate location derived from IP address (city / metro / state level — not precise GPS).
Cookies, pixels, and similar technologies: see Section 7.

2.3 Information from third parties

We may receive information about you from:

Public ZIP-to-city services (e.g., Zippopotam.us) when we look up the city/state for a ZIP code you submit.
Consent verification services (e.g., TrustedForm) that capture and time-stamp your consent for compliance with the Telephone Consumer Protection Act (TCPA).
Marketing platforms (e.g., Google, Meta, LinkedIn) that report aggregated ad performance.
Partner mortgage professionals that report back to us (in aggregate, without individual loan terms) whether your referral resulted in a closed transaction.

We do not purchase consumer leads from data brokers and we do not
acquire your information from “trigger lead” sources or other unconsented sources.

3. How we use your information

We use your information to:

Match you with appropriate programs and lenders. We use your eligibility information to identify which TSAHC, TDHCA, MCC, VLB, FHA, VA, USDA, or conventional loan options and which licensed mortgage professionals in our partner network may be a fit for you.
Contact you about your inquiry. We and our partner network may contact you by phone, text message, and email to discuss your inquiry and provide information about programs and loan options.
Operate, secure, and improve the Site. We use technical data to operate the Site, prevent fraud, debug issues, and analyze how visitors use the Site so we can improve it.
Provide customer support. We use your information to respond to your questions and complaints.
Send marketing communications that you have asked to receive (e.g., emails about programs or guides). You can unsubscribe at any time.
Comply with the law and protect rights. We use information as necessary to comply with applicable law, respond to legal process, and protect the rights, property, or safety of ShopDPA, our users, our partners, or others.
Conduct corporate transactions. If we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction.

We do not use your information to make automated decisions that produce legal
or similarly significant effects without human review.

When you submit a lead form, we share your contact information and your eligibility information
with one or more licensed mortgage professionals in our partner network for
the purpose of contacting you about your inquiry. The partner(s) we select are determined by
your geographic area and the program(s) you appear to qualify for.

The partner(s) you are referred to operate under their own privacy policies. Once your
information is shared, the partner becomes an independent recipient of that information and
is responsible for its further use under their own policies and applicable law. We
strongly recommend you review the partner’s privacy policy when they contact you.

We share information with vendors who help us operate the Site, including:

Web hosting and content delivery (Rocket.net, Cloudflare or equivalent).
Customer relationship management and lead-routing platforms (Follow Up Boss, LeadConduit, or equivalents).
Email service providers.
Analytics providers (Google Analytics, Microsoft Clarity, or equivalents).
Compliance verification (TrustedForm or equivalent).
Advertising platforms (Google, Meta, LinkedIn, TikTok or equivalents).
Payment processors (if applicable).

These vendors are contractually limited to using your information only to provide services to ShopDPA.

We may disclose information when we believe in good faith that disclosure is required by law,
court order, subpoena, or other legal process, or is necessary to protect the rights, property,
or safety of ShopDPA, our users, our partners, or others.

If ShopDPA is involved in a merger, acquisition, reorganization, sale of assets, bankruptcy,
or similar corporate transaction, your information may be transferred to the successor or
acquiring entity as part of that transaction.

We may share your information with other parties when you have consented to that sharing.

We do not sell your personal information to data brokers, list-rental services, lead aggregators, or other unrelated third-party marketers.
We do not rent your personal information.
We do not share your information with our partner mortgage professionals for any purpose other than responding to your inquiry, unless you separately consent.

5. How long we keep your information

We retain your information for the period necessary to fulfill the purposes outlined in this
Privacy Policy, comply with our legal obligations (including federal and Texas mortgage
advertising and consumer-protection recordkeeping requirements), resolve disputes, and
enforce our agreements. In general:

Lead-form submissions and related contact information: up to seven (7) years from collection.
TCPA consent records and TrustedForm certificates: at least five (5) years from collection.
Site analytics and aggregated usage data: up to twenty-six (26) months in identifiable form, then aggregated.
Email subscribers: until you unsubscribe, plus a short suppression period to ensure we do not re-contact you.
Customer support communications: up to seven (7) years from the last interaction.

When the retention period ends, we delete or anonymize the information.

6. How we protect your information

We use reasonable administrative, technical, and physical safeguards designed to protect your
information against unauthorized access, loss, or alteration. These include encryption in
transit (HTTPS / TLS) for all Site traffic, access controls on internal systems, vendor due
diligence on service providers, and regular review of our privacy and security practices.

No method of transmission over the internet or electronic storage is 100% secure.
While we strive to protect your information, we cannot guarantee absolute security. If you have
reason to believe that your interaction with us is no longer secure, please contact us
immediately.

7. Cookies and tracking technologies

We and our service providers use cookies, pixels, web beacons, local storage, and similar
technologies (collectively, “cookies”) to operate the Site,
remember your preferences, measure performance, and serve relevant advertising.

The cookies we use fall into the following categories:

Strictly necessary cookies keep the Site running, remember your form progress, and protect against fraud. You cannot opt out of strictly necessary cookies.
Performance cookies measure how visitors use the Site so we can improve it (e.g., Google Analytics, Microsoft Clarity).
Functional cookies remember choices you make so we can give you a better experience.
Advertising cookies help us and our advertising partners measure the effectiveness of advertising and serve relevant ads on other sites (e.g., Meta Pixel, Google Ads, LinkedIn Insight, TikTok Pixel).

Managing cookies. You can manage cookies through your browser settings, opt out
of certain advertising cookies via the
Network Advertising Initiative and the
Digital Advertising Alliance, and
use the Your Texas Privacy Rights page on this Site
to opt out of targeted advertising and the “sale” or “share” of personal
information as those terms are defined under applicable state privacy laws. Some Site features
may not work correctly if you disable strictly necessary cookies.

Do Not Track / Global Privacy Control. We currently treat a Global Privacy
Control (GPC) signal sent from your browser as a request to opt out of the “sale”
or “share” of personal information for the device/browser sending the signal. We
do not separately respond to legacy “Do Not Track” headers.

8. Your privacy rights — Texas residents

The Texas Data Privacy and Security Act (TX-DPSA, codified at Texas Business
& Commerce Code Chapter 541, effective July 1, 2024) gives Texas residents the following
rights with respect to personal information ShopDPA controls:

Right to confirm and access. You can ask us to confirm whether we are processing your personal information, and to provide you a copy of that information.
Right to correct. You can ask us to correct inaccuracies in the personal information we maintain about you.
Right to delete. You can ask us to delete personal information we have collected about you.
Right to a portable copy. You can ask us to provide your personal information in a portable, structured, and (where technically feasible) machine-readable format.
Right to opt out of the processing of your personal information for purposes of (i) targeted advertising, (ii) the sale of personal information, or (iii) profiling that produces legal or similarly significant effects about you.

Sensitive personal data. We collect veteran status and household income
information only with your consent. You may withdraw consent at any time by contacting us
using the contact information below.

How to exercise your rights. Email us at
privacy@shopdpa.com or use the form at
/your-texas-privacy-rights/. Please include enough
information for us to verify your identity (e.g., your name, the email address you used on the
Site, and the ZIP code you entered).

Response time. We will respond within 45 days of receiving your verifiable
request. If we need more time (up to an additional 45 days), we will let you know within the
first 45 days.

Right to appeal. If we deny your request, you can appeal by replying to our
denial email or writing to privacy@shopdpa.com with
the subject line “Privacy Rights Appeal.” We will respond to appeals within 60
days. If your appeal is denied, you may submit a complaint to the
Texas Attorney General.

9. Your privacy rights — California, Colorado, Connecticut, Virginia, Utah, and other states

If you are a resident of California, Colorado, Connecticut, Virginia, Utah, or any other U.S.
state with a comprehensive consumer privacy law, you may have additional or different rights
under your state’s law. ShopDPA’s primary service area is Texas, but if you reach us from one
of these states and we process your personal information, you can exercise your applicable
state-law rights using the same contact methods listed in Section 8.

California “Shine the Light” / “Do Not Sell or Share.”
California residents may also request a list of third parties to whom ShopDPA has disclosed
personal information for those parties’ own direct-marketing purposes during the prior calendar
year, and may opt out of the “sale” or “share” of personal information
as those terms are defined under the California Consumer Privacy Act, as amended by the
California Privacy Rights Act (“CCPA/CPRA”). Submit requests to
privacy@shopdpa.com with the subject line
“California Privacy Request.”

10. Federal privacy notices — GLBA

ShopDPA is not a “financial institution” within the meaning of
the Gramm-Leach-Bliley Act (GLBA) because we do not originate, fund, or service loans. The
partner mortgage professionals you may be referred to are financial
institutions under GLBA, and they are required to provide you with their own GLBA privacy
notice when they collect personal information from you. We strongly recommend you review
their notices.

To the extent any of our processing is treated as that of a financial institution, this
Privacy Policy together with our security practices and contracts with service providers is
intended to satisfy the GLBA Privacy Rule and Safeguards Rule.

11. Children

The Site is not directed to children under 18, and we do not knowingly collect personal
information from anyone under 18. If you believe we have inadvertently collected information
from a minor, please contact us at
privacy@shopdpa.com and we will delete it.

12. Out-of-state and international visitors

The Site is intended for users located in the United States. If you access the Site from
outside the United States, you do so at your own risk and your information may be transferred
to and processed in the United States, where data-protection laws may differ from those in
your jurisdiction.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices,
technology, legal requirements, or other factors. When we make material changes, we will
update the “Last updated” date at the top of this page and, where appropriate,
provide additional notice (such as a banner on the Site or an email to subscribers).

Your continued use of the Site after we publish an updated Privacy Policy constitutes your
acceptance of the updated terms.

14. Contact us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we
handle your information:

ShopDPA LLC
Attn: Privacy
Email: privacy@shopdpa.com

For privacy rights requests under TX-DPSA, CCPA/CPRA, or any other state law, please use the
email address above and include “Privacy Rights Request” in the subject line.