Get Started!

Privacy Policy

TITLESCOUT PRIVACY POLICY
Last Updated: [September 15, 2025]

This Privacy Policy explains how Sandstorm Technology Group, L.L.C. (“TitleScout,” “we,” “us,” or “our”) collects, uses, and protects information in connection with our websites and hosted software services (the “Services”). Capitalized terms not defined here have the meanings in our Terms of Use.

SCOPE & ROLES
– We provide a U.S. B2B platform that ingests, indexes, and makes legacy title data searchable for business customers.
– For Customer Data that our customers provide or instruct us to process (including GLBA nonpublic personal information (NPPI) and financial information customary to title services such as loan numbers, settlement information, and wire instructions), we act as a service provider/processor to our customers. Our customers are responsible for providing any required notices and obtaining any required consents concerning Customer Data.
– For our own website analytics, account administration, billing, and marketing contacts, we act as a business/controller.

1. INFORMATION WE COLLECT
1.1 Customer Data (Processor Role). Documents, images, and metadata that customers provide or instruct us to ingest (e.g., deeds, mortgages, closing files), which may include NPPI, financial information related to title transactions, and other personal information. Do not submit payment card data subject to PCI DSS (e.g., full PAN, CVV, magnetic‑stripe or chip data).
1.2 Account & Billing Data (Business Role). Business contact details, user credentials, role assignments, usage logs, subscription, and payment information (processed by our third‑party payment processor; we do not store full payment card numbers or CVVs).
1.3 Technical & Usage Data. Log files, device/browser information, IP addresses, timestamps, pages/features accessed, and diagnostic data used to operate and secure the Services.
1.4 Cookies & Similar Technologies. We use strictly necessary and functional cookies for authentication, security, session management, and site preferences. We do not use behavioral advertising cookies in the Services.

2. HOW WE USE INFORMATION
– Provide, operate, secure, and support the Services;
– Set up accounts, process transactions, and communicate about services/changes;
– Perform implementation and data migration;
– Monitor performance, troubleshoot, and improve the Services;
– Generate de‑identified or aggregated analytics and usage metrics;
– Comply with law and enforce our agreements.

3. HOW WE SHARE INFORMATION
– Subprocessors/Service Providers. We use vetted providers to host and operate the Services (e.g., Amazon Web Services (AWS)) and to deliver support, billing, analytics, and security. We remain responsible for their performance. A current list is available **upon request** from legal@titlescout.io (we will provide notice of material changes as required by applicable law or our DPA).
– Affiliates. We may share with our Affiliates for service operations in accordance with this Policy.
– Legal/Compliance. We may disclose as required by law, subpoena, or court order; to protect rights, safety, or the integrity of the Services; or in a business transaction (e.g., merger or sale).
– No Selling or Sharing for Cross‑Context Behavioral Ads. We do not “sell” or “share” personal information as those terms are defined under the CCPA/CPRA, and we do not use Customer Data for cross‑context behavioral advertising.

4. GLBA; CCPA/CPRA; OTHER U.S. PRIVACY LAWS
– GLBA NPPI. We implement commercially reasonable safeguards appropriate to the sensitivity of NPPI. We process NPPI only to provide the Services at your direction and do not use NPPI for our own marketing.
– CCPA/CPRA (California). For Customer Data, we act as a **service provider** and will (i) process only for permitted business purposes specified by the customer; (ii) not sell/share personal information; (iii) not combine personal information with personal information we receive from other sources except as permitted to detect security incidents or fraud or to improve the Services; (iv) ensure our personnel are bound by confidentiality; (v) flow down service‑provider obligations to subprocessors; and (vi) assist customers with consumer requests where feasible and legally required. For our own website/admin data, we act as a **business** and provide the rights below as applicable.
– Other U.S. State Laws (e.g., CO, CT, VA, UT, TX, OR). For Customer Data, we act as a processor/service provider and will support controller instructions, confidentiality, and subprocessor flow‑downs via our DPA. For our business/controller processing of admin and marketing contacts, applicable rights (access, correction, deletion, appeal) may be available; see Section 8.

5. INTERNATIONAL USE & GDPR RESPONSIBILITY

– TitleScout contracts with U.S. business customers only and hosts the Services in the United States. TitleScout does not market or contract with non-U.S. customers.
– Customer Data may nonetheless include personal information about non-U.S. persons (e.g., EU/UK citizens) if provided by the Customer.
– If Customer Data includes personal information subject to the EU General Data Protection Regulation (GDPR), UK GDPR, or similar non-U.S. laws, the Customer is solely responsible for:
– Providing all required notices and obtaining any necessary consents from data subjects;
– Ensuring that any transfer of personal data to TitleScout in the United States is lawful under applicable data protection laws;
– Entering into a Data Processing Addendum (DPA) and Standard Contractual Clauses (SCCs) or UK Addendum with TitleScout, if required.
– TitleScout will process such data solely as a processor/service provider on documented instructions from the Customer, and will provide reasonable assistance with data subject requests and transfer impact assessments as required by law and the DPA.

6. SECURITY
We maintain commercially reasonable administrative, technical, and physical safeguards designed to protect information, including (without limitation) encryption in transit and at rest, access controls, logging/monitoring, and vulnerability management. No system is 100% secure; we cannot guarantee absolute security.

7. DATA RETENTION
– Customer Data. We retain Customer Data for the subscription term and for 30 days following termination to facilitate export upon request. Thereafter, we delete from active systems and, within our standard backup cycles, from backups, except as required by law or to enforce rights.
– Nonpayment. In cases of termination for nonpayment (60+ days past due), we may delete Customer Data upon or after termination without further retention obligation (see Terms).
– Admin/Billing/Usage Records. We may retain these as necessary for our legitimate business purposes and legal obligations.

8. YOUR CHOICES & PRIVACY RIGHTS
– Customer Data. Requests concerning Customer Data should be directed to your organization (the controller/business). We will assist customers in fulfilling requests where feasible and legally required.
– Admin/Website Data. You may request access, correction, or deletion of your business contact data by emailing privacy@titlescout.io or legal@titlescout.io. Where applicable law requires, we will respond within the statutory time period (e.g., 45 days under CPRA, with permissible extension) and provide an **appeals** process for denied requests (appeal by replying to our decision or emailing privacy@titlescout.io with “Appeal” in the subject line).
– Authorized Agents & Verification. Where required (e.g., CPRA), you may use an authorized agent and we will take steps to verify the requestor’s identity and authority.
– Marketing. We engage in limited B2B marketing; you can opt out via unsubscribe links or by contacting us.
– Do‑Not‑Track. We do not respond to browser “Do‑Not‑Track” signals.

9. CHILDREN
The Services are intended for business use and are not directed to children under 16. We do not knowingly collect personal information from children.

10. THIRD‑PARTY LINKS
Our websites may link to third‑party sites. We are not responsible for their privacy practices.

11. CHANGES TO THIS POLICY
We may update this Policy from time to time. Material changes will be notified via email to admin contacts or through in‑app notifications and are effective as of the date stated in the notice.

12. CONTACT
Sandstorm Technology Group, L.L.C. (TitleScout)
3200 SW Huntoon Street, Topeka, KS 66604
legal@titlescout.io