Data Subject Access Request (DSAR) Policy

CR Equity AI ("CREAI," "we," "our," or "the Company") is committed to transparency, consumer rights, and responsible stewardship of all personal and financial information processed through our platform. This Data Subject Access Request (DSAR) Policy outlines how individuals ("data subjects") may request access to their personal data, how CREAI verifies and responds to such requests, and the rights and limitations that apply under applicable privacy and financial‑data regulations.

1. Purpose and Scope

This policy governs all DSAR requests submitted by consumers, borrowers, applicants, partners, and authorized representatives whose personal information is processed by CR Equity AI. It applies to data collected through:

  • The CREAI platform and client portals
  • AI‑powered underwriting, valuation, and compliance engines
  • Affiliate and partner integrations
  • Customer support, onboarding, and communication channels

This policy does not override obligations under the Fair Credit Reporting Act (FCRA), Gramm‑Leach‑Bliley Act (GLBA), or other financial‑services regulations that may restrict disclosure of certain data.

2. Rights of Data Subjects

Depending on jurisdiction and regulatory applicability, individuals may have the right to:

  • Request access to personal data CREAI has collected or processed
  • Request confirmation of whether CREAI is processing their data
  • Request correction of inaccurate or incomplete information
  • Request deletion of eligible personal data
  • Request information about categories of data collected, sources, purposes, and third‑party disclosures
  • Designate an authorized agent to submit a request on their behalf

CREAI honors these rights to the extent permitted by law and subject to financial‑services compliance requirements.

3. Submitting a DSAR

Data subjects may submit a DSAR through any of the following channels:

  • Email: privacy@crequity.ai
  • Secure Portal: Provided to clients and borrowers during onboarding
  • Written Request: As permitted by applicable law

Requests must include sufficient information to identify the data subject and the specific rights being exercised.

4. Identity Verification

To protect consumer financial data, CREAI requires robust identity verification before fulfilling any DSAR. Verification may include:

  • Government‑issued identification
  • Multi‑factor authentication through the CREAI portal
  • Matching data elements already on file
  • Signed authorization for agents or representatives

If verification cannot be completed, CREAI will notify the requester and may deny the request for security reasons.

5. Response Timeline

CREAI will acknowledge DSAR requests within 10 business days and will respond within 45 days, unless an extension is permitted due to complexity or volume. If an extension is required, CREAI will notify the requester with an updated timeline.

6. Data That May Be Withheld

Certain categories of data may be restricted from disclosure, including:

  • Proprietary underwriting models, AI outputs, or risk‑scoring algorithms
  • Information protected under FCRA, GLBA, or bank‑level confidentiality rules
  • Data that would compromise security, fraud prevention, or regulatory investigations
  • Information that includes trade secrets or intellectual property
  • Data belonging to other individuals or entities

CREAI will provide an explanation when data cannot be disclosed.

7. Deletion Requests

CREAI will delete eligible personal data upon verified request unless retention is required for:

  • Legal or regulatory compliance
  • Fraud prevention and security
  • Contractual obligations
  • Ongoing underwriting, servicing, or dispute resolution

Deletion may include anonymization or de‑identification where appropriate.

8. Recordkeeping

CREAI maintains an audit‑ready log of all DSAR requests, verification steps, response actions, and retention decisions. These logs are preserved in accordance with regulatory and internal compliance requirements.

9. Updates to This Policy

CREAI may update this DSAR Policy to reflect changes in law, regulatory guidance, or platform operations. The most current version will always be available on the CREAI website or client portal.