Privacy Policy

PPrivacy Policy

Mortgage Bank of California, Inc. (NMLS #38232), dba MBANC. Last updated June 1, 2026 · Effective June 1, 2026.

01Introduction

Mortgage Bank of California, Inc. ("MBANC," "we," "us," or "our") respects your privacy. This Privacy Policy describes how we collect, use, share, and protect your personal information when you visit our website at mbanc.com (the "Site"), submit a loan inquiry, become a borrower, or otherwise interact with us. This policy applies to:

Visitors to mbanc.com
Prospective borrowers who submit a QuickQual form, schedule a callback, or otherwise inquire about a mortgage product
Current and past borrowers (including loan applicants, funded loans, and post-close servicing) — see also our separate Gramm-Leach-Bliley Act Privacy Notice for additional disclosures specific to non-public personal financial information
Residents of any U.S. state, including those with comprehensive privacy laws (California, Colorado, Connecticut, Virginia, Utah, and others) If you have questions after reading this policy, please contact us using the information in Section 13.

02Information We Collect

Information you provide directly

When you submit a QuickQual form, schedule a callback, complete a loan application, or otherwise communicate with us, we collect:

Identifiers: name, email address, phone number, mailing address
Property information: state where the subject property is located, property type (single-family, multi-family, condo, etc.), occupancy intent (primary residence, second home, investment)
Loan information: purpose (purchase, refinance, cash-out), self-reported loan amount range, down payment range
Financial information: self-reported income type (W-2, 1099, self-employed, DSCR, asset-rich, foreign national), self-reported credit score range, employment information (during application)
Consent records: TCPA consent for phone and SMS communications, SMS verification status, e-signature records
Voluntary information: anything you tell us in conversations, comments, or follow-up communications During the formal mortgage application process, we collect additional sensitive financial information including Social Security number, full credit reports, income documentation, bank statements, and asset verification. The handling of this information is further governed by our separate GLBA Privacy Notice.

Information collected automatically

When you visit mbanc.com, our servers and our analytics partners automatically collect:

Device and connection information: IP address, approximate geographic location (derived from IP), browser type and version, device type, operating system, screen resolution, language settings
Usage information: pages visited, time spent on pages, click paths, referring URL, links clicked, form interactions
Marketing attribution: UTM parameters from inbound links (utm_source, utm_medium, utm_campaign, utm_content, utm_term), advertising click identifiers (gclid for Google Ads, fbclid for Meta)
Cookies and similar tracking technologies: see our Cookie Policy for the complete list

Information from third parties

We receive information about you from:

Credit reporting agencies — when you authorize a credit pull during a formal application
Investors and lending partners — secondary-market investors (eResi, Verus, and others) and warehouse-line providers, in connection with loan funding and servicing
Public records — NMLS Consumer Access, county recorder offices, property records databases
Marketing and analytics platforms — Google, Meta, TikTok provide aggregated and pseudonymous reporting about how our advertising performs
Authorized representatives — real estate agents, financial advisors, attorneys, or other parties you authorize to interact with us on your behalf

03How We Use Your Information

We use the information we collect for the following purposes:

Mortgage origination and servicing — evaluating eligibility, originating, processing, underwriting, funding, and servicing mortgage loans
Communication — responding to your inquiries, sending application updates, providing customer service
Legal and regulatory compliance — complying with federal and state mortgage-lending laws including the Real Estate Settlement Procedures Act (RESPA), Truth in Lending Act (TILA), Equal Credit Opportunity Act (ECOA), Home Mortgage Disclosure Act (HMDA), the Gramm-Leach-Bliley Act (GLBA), state mortgage commissioner requirements, and NMLS reporting
Site operation — operating, maintaining, securing, and improving our website and services
Fraud and security — detecting, preventing, and responding to fraud, unauthorized activity, and security incidents
Marketing measurement — measuring the effectiveness of our advertising and improving our marketing
Research and analytics — internal research to improve our products and services
Honoring preferences — recording and acting on your communication preferences and opt-out requests
Legal obligations — responding to court orders, subpoenas, regulatory inquiries, and other lawful requests We do not use your information for automated decision-making that produces legal or similarly significant effects without human review. All credit decisions involve human underwriter judgment.

04How We Share Your Information

We share your information only as described in this section.

Service providers and processors

We share information with vendors who perform services on our behalf and are contractually obligated to use it only for those services:

Loan servicing platforms, underwriting systems, and document preparation vendors
Credit reporting agencies (with your authorization)
Title insurance companies, appraisers, escrow agents, and closing agents
Technology providers operating our infrastructure: hosting, customer relationship management (CRM), email and SMS delivery, analytics
Payment processors and accounting services
Professional advisors: auditors, accountants, attorneys

Investors and lending partners

We share borrower information with:

Secondary-market investors who purchase or fund loans (including but not limited to eResi and Verus)
Warehouse-line providers who fund originations before sale to investors
Mortgage insurers, where applicable These relationships are governed by our separate GLBA Privacy Notice, which describes your right to opt out of certain non-affiliate sharing where applicable.

Marketing and advertising partners

We share limited information with advertising platforms to measure and optimize our marketing:

Google (Google Ads, Google Analytics) — receives aggregated and pseudonymous data about ad clicks and conversion events. We may upload hashed contact information to measure offline conversions (e.g., funded loans attributable to specific clicks).
Meta Platforms (Facebook, Instagram) — receives hashed contact information and conversion event data via the Meta Pixel and Meta Conversions API for ad measurement and audience targeting.
TikTok — receives hashed contact information and conversion event data via the TikTok Pixel and TikTok Events API for ad measurement and audience targeting. Under the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), and similar laws in Colorado, Connecticut, Virginia, Utah, and other states, sharing data with these platforms for cross-context behavioral advertising is considered a "sale" or "sharing" of personal information. You have the right to opt out of this sharing — see Section 8.

Legal, safety, and compliance

We may share information when required or permitted by law:

With federal and state regulators (NMLS, the Consumer Financial Protection Bureau, state mortgage commissioners, state attorneys general)
In response to subpoenas, court orders, or other legal process
To enforce our agreements, protect our rights, or defend against legal claims
To investigate and prevent fraud, security violations, or harm to any person

Business transfers

In connection with a merger, acquisition, financing, reorganization, or sale of all or part of our business or assets, we may transfer your information to the successor or acquiring party, subject to applicable law and the terms of this Privacy Policy.

With your consent

We may share information in other circumstances with your consent or at your direction. We do not sell your personal information for monetary consideration. We do share personal information for purposes that constitute "sharing" or "selling" under certain state privacy laws, as described in Section 4.3 — and you have the right to opt out of that sharing (Section 8).

05Cookies and Tracking Technologies

We and our partners use cookies, pixels, web beacons, software development kits (SDKs), local storage, and similar technologies on mbanc.com. These technologies allow us to:

Make the Site work (form state, security)
Measure performance and analytics
Deliver and measure the effectiveness of advertising
Detect fraud and protect your account For a categorized list of every cookie and tracking technology in use on mbanc.com, what each one does, how long it persists, and how to opt out, see our Cookie Policy. You can manage your cookie preferences at any time by clicking the "Cookie Preferences" or "Do Not Sell or Share My Personal Information" link in the website footer.

06Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this policy and to comply with applicable law. You may request earlier deletion of information that we are not legally required to retain — see Section 8.

Category of information	Retention period
Loan files (funded, denied, withdrawn)	At least 3 years after final action; longer where required by RESPA, HMDA, state law, or investor requirements (commonly 7 years)
QuickQual / inquiry data (no loan opened)	Up to 3 years after the last interaction, then deleted or anonymized
Communications (email, SMS, call recordings)	Up to 7 years where related to a loan; 3 years for general inquiries
Marketing analytics data	Up to 2 years from collection
Cookie / browser data	Per the durations listed in the Cookie Policy
Audit logs and compliance records	As required by applicable mortgage-lending laws

07Security

We implement administrative, technical, and physical safeguards designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These include:

Encryption — TLS 1.2 or higher for data in transit, and encryption at rest for sensitive data stores
Access controls — role-based access, limiting employee access to information on a need-to-know basis, with audit logging
Authentication — multi-factor authentication for employees accessing borrower data
Vendor diligence — security and privacy review of third-party processors before sharing data
Incident response — formal procedures for detecting, responding to, and notifying affected parties about security incidents
Regular assessments — security testing and vulnerability assessments consistent with mortgage-industry standards No security program is impenetrable. While we work to maintain commercially reasonable safeguards consistent with applicable law and industry standards, we cannot guarantee absolute security. If we determine that a security incident has affected your information in a manner that requires notice under applicable law, we will notify you in accordance with that law.

08Your Privacy Rights

Your privacy rights depend on where you live. The mechanisms for exercising any of these rights are described in Section 8.6.

California (CCPA / CPRA)

If you are a California resident, you have the following rights:

Right to Know — request information about (a) the categories and specific pieces of personal information we have collected about you, (b) the sources from which we collected it, (c) the purposes for collection, (d) the categories of third parties to whom we have disclosed it, and (e) the categories of personal information we have sold or shared.
Right to Delete — request deletion of your personal information, subject to exceptions for information we must retain (e.g., to complete a transaction, comply with legal obligations, or as needed for security and fraud prevention).
Right to Correct — request that we correct inaccurate personal information.
Right to Opt Out of Sale or Sharing — direct us to stop sharing your personal information for cross-context behavioral advertising.

Right to Limit Use of Sensitive Personal Information — direct us to limit the use of sensitive personal information (e.g., precise geolocation, financial account information, government identifiers) to purposes necessary for our services.
Right to Non-Discrimination — you will not be denied service, charged different prices, or provided different quality of service for exercising any of these rights.

Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA)

If you are a resident of Colorado, Connecticut, Virginia, or Utah, you have rights similar to California, including the right to access, delete, correct (where applicable), and opt out of targeted advertising, sale, and profiling. Colorado and Connecticut residents may also exercise these rights via a Universal Opt-Out Mechanism (such as Global Privacy Control) — see Section 8.5.

Other state residents

Several other states have enacted comprehensive privacy laws taking effect on staggered dates (including Texas, Oregon, Montana, Iowa, Tennessee, Delaware, New Jersey, Minnesota, Nebraska, and others). If you reside in one of these states, you have rights similar to those described above; the specific mechanisms and timelines depend on your state's law. We will honor valid requests under any applicable state privacy law.

All other U.S. residents

Regardless of where you live in the United States, you may:

Unsubscribe from marketing emails using the "Unsubscribe" link in any marketing email
Stop marketing SMS by replying "STOP" to any marketing SMS
Request that we stop calling you for marketing purposes
Request access to or deletion of your information by contacting us as described in Section 8.6

Global Privacy Control (GPC)

When your browser sends a Global Privacy Control signal (the Sec-GPC: 1 HTTP header), we treat that as a valid opt-out request for sale and sharing of your personal information under CCPA and equivalent state laws — even without a separate request from you. GPC is supported in browsers such as Brave, DuckDuckGo, and Firefox (with the privacy extension installed). You can verify whether your browser sends GPC at globalprivacycontrol.org.

How to exercise your rights

You may exercise any of the rights described in this Section 8 in any of the following ways:

Cookie Preferences panel — click the "Cookie Preferences" link in the footer of any page to manage your tracking choices.
"Do Not Sell or Share My Personal Information" — click this link in the footer to opt out of sharing for cross-context behavioral advertising.
Email — send a request to privacy@mbanc.com with the subject line "Privacy Request." For California residents, include "CCPA Request" in the subject line.
Phone — call (844) 918-1886 and ask to speak with our privacy team.
Mail — send a written request to the address in Section 13.

We will respond to verifiable consumer requests within 45 days. We may extend this period by an additional 45 days when reasonably necessary, in which case we will inform you of the extension. We may need to verify your identity before processing certain requests; we may ask you to confirm information we already have about you, such as recent interactions, to confirm you are the person whose data is involved. We will not use information you provide for verification for any other purpose. Authorized agents: You may designate an authorized agent to make a request on your behalf. We may require written authorization signed by you, proof of the agent's identity, and direct confirmation from you that you have authorized the agent's request. Appeals: If we decline to take action on your request and you reside in a state that provides for an appeal right (Virginia, Colorado, Connecticut), you may appeal that decision by replying to our denial message or contacting us at privacy@mbanc.com with the subject "Privacy Appeal." We will respond to your appeal within 60 days.

09Gramm-Leach-Bliley Act (GLBA) Notice for Borrowers

As a financial institution under the Gramm-Leach-Bliley Act, MBANC provides a separate GLBA Privacy Notice describing how we collect, share, and protect non-public personal financial information about borrowers (and certain prospective borrowers). The GLBA Privacy Notice is provided at the time of application and annually thereafter for active borrowers. The GLBA Privacy Notice describes specific opt-out rights for the sharing of non-public personal financial information with non-affiliated third parties. Those rights are independent of, and in addition to, the state-law rights described in Section 8 of this Privacy Policy. If you would like a copy of our current GLBA Privacy Notice, please contact us using the information in Section 13.

10Children's Privacy

Our Site and services are directed to adults seeking mortgage products. We do not knowingly collect personal information from anyone under 18 years of age. If you believe we have collected information from a person under 18, please contact us using the information in Section 13 and we will promptly delete it.

11International Visitors

mbanc.com is operated from the United States, and our products and services are offered only to residents of U.S. states and territories where we are licensed (a list of our licensing is available at mbanc.com/licensing or via the NMLS Consumer Access database). If you access the Site from outside the United States, your information will be transferred to and processed in the United States, which may have data protection laws that differ from those in your country. We do not currently target our services to residents of the European Union, the United Kingdom, or other jurisdictions outside the United States, and this Privacy Policy is not intended to comply with the General Data Protection Regulation ("GDPR"), the UK GDPR, or other non-U.S. privacy laws.

12Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this policy and provide additional notice as appropriate (for example, a notice on our website or an email to registered customers). Your continued use of the Site after changes take effect constitutes your acceptance of the updated policy.

13Contact Us

If you have questions, complaints, or requests regarding this Privacy Policy or our handling of your personal information: Mortgage Bank of California, Inc. NMLS #38232 [Corporate mailing address pending compliance officer confirmation] Email: privacy@mbanc.com Phone: (844) 918-1886 Privacy requests: Include "Privacy Request" in your subject line; California residents, use "CCPA Request."

01About this Cookie Policy

This Cookie Policy explains how mbanc.com uses cookies and similar tracking technologies, what they do, and the choices available to you. It supplements our Privacy Policy, which describes more broadly how we collect, use, and share personal information. By using mbanc.com, you agree to our use of cookies as described in this policy and as managed through your cookie preferences.

02What are cookies and tracking technologies?

A "cookie" is a small text file that a website places on your device. Some cookies are erased when you close your browser ("session cookies"); others remain on your device for a set period or until you delete them ("persistent cookies"). We and our partners also use related technologies, including:

Local storage and session storage — similar to cookies, but with larger capacity, stored by the browser
Web beacons / pixels — tiny images or scripts that record that a page was viewed or an action taken
Software development kits (SDKs) — code provided by third parties (e.g., analytics or advertising platforms) that runs in the browser For simplicity, this policy refers to all of these collectively as "cookies and tracking technologies."

03Cookie Categories

We group cookies into four categories. The first category (Strictly Necessary) cannot be disabled. The others can be enabled or disabled via the "Cookie Preferences" link in the website footer.

Strictly Necessary

Cookie / storage key	Purpose	Duration
mbanc_utm_source, mbanc_utm_medium, mbanc_utm_campaign, mbanc_utm_content, mbanc_utm_term, mbanc_gclid, mbanc_fbclid (sessionStorage)	Stores marketing attribution parameters from your inbound link so we can attribute your inquiry correctly across multi-page sessions	Session (until tab closed)
QuickQual form state (sessionStorage)	Remembers your form progress so you don't lose data if you navigate to another page	Session
Cookie consent state (localStorage)	Remembers your cookie preferences so the banner doesn't reappear on every visit	12 months
CSRF and security tokens	Protects against cross-site request forgery and other security threats	Session

These cookies are required for mbanc.com to function. They do not store information that identifies you personally outside of the immediate functional purpose, and they cannot be disabled through cookie preferences (disabling them would break the Site).

Analytics

Cookie / tag	Provider	Purpose	Duration
_ga, _ga_KPCEEV00LB	Google Analytics 4 (G-KPCEEV00LB)	Distinguishes unique users and measures site usage	2 years
_gid	Google Analytics 4	Short-term user distinction	24 hours

These cookies help us understand how visitors use the Site so we can improve it. You can opt out via Cookie Preferences.

Marketing and Advertising

Cookie / tag	Provider	Purpose	Duration
Google Ads tag (AW-971880397)	Google	Measures advertising conversions and builds remarketing audiences for Google Ads	Up to 540 days
_gcl_au, _gcl_aw, _gcl_gb	Google Ads	Stores click identifiers and conversion attribution data	90 days
Meta Pixel (2244670849078602)	Meta Platforms, Inc. (Facebook, Instagram)	Measures conversions and builds remarketing audiences for Facebook and Instagram ads	90 days
_fbp	Meta	Browser identifier used by Meta Pixel for ad measurement	90 days
TikTok Pixel (D8C6IUBC77UANKFS4GE0)	TikTok	Measures conversions and builds remarketing audiences for TikTok ads	13 months

These cookies are used to deliver advertising, measure ad performance, and build audiences for future advertising campaigns. You can opt out via Cookie Preferences or the "Do Not Sell or Share My Personal Information" link. Under the California Consumer Privacy Act (as amended by the California Privacy Rights Act), the Colorado Privacy Act, and similar laws in Connecticut, Virginia, Utah, and other states, sharing data with these providers for cross-context behavioral advertising is considered a "sale" or "sharing" of personal information. Opting out of marketing cookies opts you out of that sharing.

Functional

Cookie / tag	Provider	Purpose	Duration
Liora chat session (when active)	MBANC / GoHighLevel (LeadConnector)	Enables AI-assisted conversation persistence and session continuity	Session or up to 30 days
YouTube / Vimeo video embed cookies	Google / Vimeo	Loaded only when you click a video to play; enables video playback and viewing statistics	Varies by provider

These cookies enable enhanced features and personalization. You can opt out via Cookie Preferences.

04Server-Side Tracking

In addition to browser-based cookies, we use server-side tracking to measure conversions even when browser-based tracking is blocked (for example, by iOS 14.5+ Intelligent Tracking Prevention, ad blockers, or your consent choices). Server-side events use hashed personal information (SHA-256 hashes of email and phone) — not your raw data. If you opt out of marketing cookies via Cookie Preferences, send a Global Privacy Control (Sec-GPC: 1) signal, or use our "Do Not Sell or Share" link, we also suppress server-side tracking events for your interactions.

Service	Purpose	When it fires
Meta Conversions API	Server-side complement to the Meta Pixel; sends conversion events with hashed identifiers to Meta for ad measurement	When you submit a QuickQual form
TikTok Events API	Server-side complement to the TikTok Pixel; same purpose for TikTok	When you submit a QuickQual form
Google Ads Offline Conversion Import (when implemented)	Uploads loan-funded conversion events back to Google Ads using the original ad click identifier (gclid)	When a QuickQual lead becomes a funded loan

05How to Manage Your Cookie Preferences

You have several ways to control how cookies are used on mbanc.com.

Cookie Preferences panel

Click the "Cookie Preferences" link in the website footer to open our consent manager. From there you can:

Accept all cookies
Decline all non-essential cookies
Choose specific categories (Analytics, Marketing, Functional)
View the full list of cookies and what each one does
Change your choice at any time Your preference is stored in your browser. If you clear your browser data, you will see the cookie banner again on your next visit.

"Do Not Sell or Share My Personal Information"

Click the "Do Not Sell or Share My Personal Information" link in the website footer to opt out of the sale and sharing of your personal information for cross-context behavioral advertising. Clicking this link will:

Disable all Marketing / Advertising cookies (Section 3.3)
Mark your session as opted-out, suppressing server-side conversion events to Meta, Google, and TikTok
Persist your opt-out across visits as long as the opt-out cookie remains in your browser

Global Privacy Control (GPC)

If your browser sends a Global Privacy Control signal (Sec-GPC: 1 HTTP header), we automatically treat that as a valid opt-out request for the sale and sharing of your personal information. You do not need to take additional action — your browser's signal is honored. GPC is supported in browsers including Brave, DuckDuckGo, and Firefox (with the Privacy Badger or similar extension). You can verify GPC status at globalprivacycontrol.org.

Browser-level controls

Most browsers allow you to view, manage, block, or delete cookies directly through their settings. Look for "Privacy," "Security," or "Site Settings" in your browser's preferences. Note that blocking all cookies may break parts of the Site that depend on Strictly Necessary cookies (Section 3.1).

Platform-level opt-outs

You can also opt out at the ad platform level, which applies across all websites you visit:

Google Ads — adssettings.google.com
Meta — facebook.com/adpreferences
TikTok — tiktok.com/legal/page/row/personalized-ads/en
Network Advertising Initiative — optout.networkadvertising.org

Digital Advertising Alliance — optout.aboutads.info
YourAdChoices — youradchoices.com Platform-level opt-outs are independent of our Cookie Preferences and remain in effect across all websites where those platforms operate.

06Do Not Track (DNT)

Our Site does not respond to "Do Not Track" browser headers, as the DNT specification was not adopted as a standard and is no longer widely supported. We do honor the current Global Privacy Control (GPC) signal — see Section 5.3.

07Updates to This Cookie Policy

We may update this Cookie Policy when we add, change, or remove cookies or tracking technologies, or in response to changes in applicable law. When we make changes, we will update the "Last Updated" date at the top of this policy. For material changes, we may also display a notice on the Site or notify you by email. We periodically rescan the Site to ensure the cookie tables in this policy accurately reflect what is in use. The cookie tables in Section 3 reflect the state of mbanc.com as of the "Last Updated" date.

08Contact Us

If you have questions about this Cookie Policy or our use of tracking technologies, contact us at: Mortgage Bank of California, Inc. NMLS #38232 [Corporate mailing address pending compliance officer confirmation] Email: privacy@mbanc.com Phone: (844) 918-1886 For general questions about how we collect and use personal information, see our Privacy Policy.

Questions or requests?

Email privacy@mbanc.com (include "Privacy Request" in the subject; California residents, use "CCPA Request"), or write:

Attn: Privacy Compliance Officer
Mortgage Bank of California, Inc.
101 S Plaza Real, Suite 203
Boca Raton, FL 33432

Call (844) 918-1886.

Privacy Policy.

PPrivacy Policy

01Introduction

02Information We Collect

Information you provide directly

Information collected automatically

Information from third parties

03How We Use Your Information

04How We Share Your Information

Service providers and processors

Investors and lending partners

Marketing and advertising partners

Legal, safety, and compliance

Business transfers

With your consent

05Cookies and Tracking Technologies

06Data Retention

07Security

08Your Privacy Rights

California (CCPA / CPRA)

Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA)

Other state residents

All other U.S. residents

Global Privacy Control (GPC)

How to exercise your rights

09Gramm-Leach-Bliley Act (GLBA) Notice for Borrowers

10Children's Privacy

11International Visitors

12Changes to This Policy

13Contact Us

CCookie Policy

01About this Cookie Policy

02What are cookies and tracking technologies?

03Cookie Categories

Strictly Necessary

Analytics

Marketing and Advertising

Functional

04Server-Side Tracking

05How to Manage Your Cookie Preferences

Cookie Preferences panel

"Do Not Sell or Share My Personal Information"

Global Privacy Control (GPC)

Browser-level controls

Platform-level opt-outs

06Do Not Track (DNT)

07Updates to This Cookie Policy

08Contact Us

Questions or requests?

Your Vision. Our Expertise.Your Deal Is Done.

Your Vision. Our Expertise.
Your Deal Is Done.