Privacy Policy

Effective Date: June 8, 2026

1. Scope & Who We Are

This Privacy Policy is issued by Remnant Financial Foundation, LLC (a California licensed insurance agency operating under the trade name Restant™) and Remnant Financial Foundation, Inc. (a technology company operating Restant OS™) — collectively, “Restant,” “we,” “us,” or “our.”

This policy applies to personal information we collect through restantinsurance.com, restantos.com, our mobile and web applications, paper and electronic forms, phone and email communications, and any other channel through which we interact with you.

As a U.S. financial institution and licensed insurance agency, we are subject to the Gramm-Leach-Bliley Act (GLBA), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and applicable state insurance privacy laws.

2. At-a-Glance Summary

  • What we collect — Identity, contact, household financial, health (for insurance underwriting), employment, and platform-usage information.
  • Why we use it — Quoting, applying, underwriting, issuing, and servicing insurance policies; operating Restant OS; complying with law.
  • Who we share with — Insurance carriers, service providers, and partners — partners only with your explicit, written, revocable consent.
  • What you can do — Request access to, correction of, or deletion of your personal information, and withdraw your sharing consent at any time.

Restant does not sell personal information for money, and we do not share personal information for cross-context behavioral advertising as those terms are defined under California law.

3. Information We Collect

We collect only what is necessary for the purposes disclosed below.

  • Identity & Contact — Name, address, email, phone, date of birth, marital status, household composition, government-issued identifier where required for underwriting and tax reporting.
  • Insurance Application — Insurable interest, beneficiary designations, coverage amounts, policy preferences, prior insurance history, and applicant statements.
  • Health Information — Medical history, prescription information, height and weight, lifestyle and tobacco use, and other underwriting-relevant health information. Subject to additional protections under state insurance privacy laws.
  • Financial Information — Income, employment, assets, liabilities, mortgage status, savings rate, premium funding capacity, and banking information for premium payment processing.
  • Property Information — Target home value, location, purchase timeline, and related real estate data where you have engaged Restant OS for first-home-buyer planning.
  • Platform & Device — Account credentials (stored hashed), login activity, IP address, device identifiers, browser type, pages viewed, and usage telemetry.
  • Inferences & Signals — Standardized readiness and resilience signals (S2U™, P2P™) derived from the above, designed to convey scores rather than raw personally identifiable inputs.
  • Communications — Records of phone calls, emails, chats, text messages, and meeting notes between you and Restant Pro producers or Restant staff.

Some information we collect — including Social Security number, account credentials, precise geolocation, and health information — qualifies as “sensitive personal information” under California law. We use sensitive personal information only for disclosed purposes and as authorized by applicable law. We do not use sensitive personal information to infer characteristics about you for marketing.

4. Sources of Information

We collect information from the following sources:

  • Directly from you, when you create an account, submit a form, complete an application, speak with a Restant Pro, or interact with Restant OS.
  • From insurance carriers, in connection with underwriting decisions, policy issuance, and ongoing servicing.
  • From service providers, including identity verification, electronic application platforms, payment processors, document storage providers, and analytics providers acting under written agreement.
  • From insurance consumer reporting agencies, such as MIB Group, with your written authorization on the carrier's application.
  • From mortgage and lending partners, where you have provided consent for them to share information back to Restant for P2P™ resilience monitoring.
  • From public sources, including state insurance regulator records, court records, and other lawfully accessible public records.
  • Automatically through the website and platform, via cookies, log files, and similar technologies.

5. How We Use Information

We use personal information for the following purposes — and only the following purposes — unless we obtain your separate, informed consent.

  • Insurance services — Quoting, applying for, underwriting, issuing, paying premium on, modifying, and servicing insurance policies.
  • Platform operation — Operating Restant OS, including authentication, scenario simulation, signal generation, account management, and customer support.
  • Communications — Responding to inquiries, sending transactional messages (policy notices, illustration delivery, payment reminders, security alerts), and providing service updates.
  • Educational and marketing — Sending newsletters and educational content where you have opted in. You can unsubscribe at any time.
  • Compliance and legal — Meeting our regulatory and contractual obligations.
  • Fraud prevention — Detecting and preventing fraud, account takeover, abuse of platform features, and security incidents.
  • Improvement of services — Internal analytics, product research, model validation, and quality assurance, performed on de-identified or aggregated data wherever feasible.
  • Signal sharing — Sharing readiness/resilience signals with partners, only with your explicit consent.

Restant OS includes automated calculation and scoring components. These produce informational outputs that are reviewed by a licensed human Restant Pro before any insurance recommendation is made. We do not subject you to fully automated decisions that produce legal or similarly significant effects.

6. When We Share Information

We share personal information only in the circumstances described below. We share the minimum information necessary for the specific purpose.

  • With insurance carriers — To underwrite, issue, and service the policies you apply for. The carrier becomes a separate controller of that information.
  • With service providers — Acting as our processors under written agreement: identity verification, electronic application/illustration platforms, payment processors, secure document storage, IT and security providers, email and SMS delivery, and analytics.
  • With mortgage, lending, and capital partners — Only with your explicit, written, revocable consent.
  • With professional advisors — Auditors, lawyers, and compliance consultants under confidentiality obligations.
  • To comply with law — In response to lawful process, court orders, regulatory examinations, subpoenas, or other legal obligations.
  • In connection with a business transaction — If we undergo a merger, acquisition, financing, or sale of assets, subject to confidentiality obligations.
  • With your direction — Anyone else you specifically direct us to share with.

Every partner and service provider that receives identifiable personal information from us is bound by a written Data Processing Agreement (DPA) that defines permitted purposes, prohibits secondary use, requires confidentiality, and imposes security obligations.

7. Sharing Signals With Partners

A central function of Restant OS is the generation of standardized readiness and resilience signals — S2U™ and P2P™ — and the sharing of those signals with mortgage and capital partners.

Consent is required, every time. We share S2U or P2P signals with a partner only after you have given explicit, written authorization specifying the partner receiving the data, the categories of data shared, the purpose, and the duration of the consent. Authorization is revocable at any time.

Minimum sharing. Signals are structured as standardized scores, not raw personal information. The partner receives the standardized signal output plus the minimum identifying information necessary to link the signal to the relevant customer or loan.

Signal is reference, not decision. The mortgage or capital partner makes its own underwriting and pricing decision. The signal does not bind the partner and does not entitle you to any specific outcome.

8. How Long We Keep It

We retain personal information only as long as necessary to fulfill the purposes described in this policy, and for additional periods required by law.

  • Applicant records that did not result in a policy: generally not less than five (5) years.
  • In-force and former policy records: life of the policy plus generally not less than seven (7) years following termination.
  • Tax-relevant records: as required by federal and state tax law.
  • Marketing consent records: until consent is withdrawn, plus a reasonable verification period.
  • De-identified and aggregated analytics: may be retained indefinitely.

When retention is no longer required, we delete or de-identify the information.

9. How We Protect It

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, or destruction. Our information security program is designed around principles set out in the NIST Cybersecurity Framework and the trust services criteria underlying SOC 2.

  • Encryption of personal information in transit (TLS) and at rest.
  • Least-privilege access controls with multi-factor authentication for privileged access.
  • Network segmentation and monitoring of administrative activity.
  • Vendor due diligence and contractual security obligations for processors.
  • Periodic penetration testing and vulnerability scanning.
  • Workforce training on data privacy, information security, and insurance ethics.
  • Incident response procedures, including notification to affected individuals and regulators as required by law.

No system can be guaranteed perfectly secure. We continuously work to improve our safeguards. Restant OS is in active preparation for SOC 2 Type II attestation.

10. Your Rights

Depending on your state of residence and the law that applies to you, you have the following rights:

  • Right to Know / Access — Request a copy of the personal information we hold, the categories of sources, the purposes for which we use it, and the categories of third parties with whom we share it.
  • Right to Correct — Request that we correct inaccurate personal information.
  • Right to Delete — Request that we delete personal information, subject to exceptions for active insurance contracts, legal obligations, and fraud prevention.
  • Right to Limit Sensitive PI — Request that we limit the use of sensitive personal information to the purposes for which it was collected.
  • Right to Withdraw Consent — Withdraw consent to share S2U/P2P signals with a partner at any time. Withdrawal stops further sharing prospectively.
  • Right Against Discrimination — We will not deny you services, charge you a different price, or provide a lower quality of service because you exercised a privacy right.

Because insurance and financial data are sensitive, we will verify your identity before honoring a request to access, correct, or delete information.

11. California Rights (CCPA / CPRA)

California residents have additional rights under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020.

In the last twelve months, we have collected the categories of personal information described above, including categories that qualify as sensitive personal information. We have not “sold” personal information for monetary or other valuable consideration, and have not “shared” personal information for cross-context behavioral advertising.

California residents (or their authorized agent) may submit a verifiable consumer request to know, correct, delete, limit the use of personal information, or to withdraw consent through the contact channels below. We will respond within forty-five (45) days of a verified request.

Personal information collected in connection with insurance products is also subject to the Gramm-Leach-Bliley Act (GLBA) and applicable state insurance privacy laws. Where the laws overlap, we honor the more protective right.

12. Cookies & Online Tracking

We use cookies, local storage, pixels, and similar technologies for the following purposes:

  • Strictly necessary — Authentication, session continuity, security, and load balancing. These cannot be turned off without breaking the service.
  • Preferences — Remembering your settings.
  • Analytics — Understanding how the site and platform are used, in aggregate, so we can improve them.

We do not use cookies for cross-context behavioral advertising. We honor “Do Not Track” and Global Privacy Control (GPC) signals.

13. Children's Privacy

Restant's services are directed to adults, generally first-home-buyer households. We do not knowingly collect personal information from individuals under the age of sixteen (16). If you believe a minor has provided personal information to us, please contact us and we will take appropriate action.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date and notify you through reasonable means, which may include posting a notice on our website, sending an email, or providing notice through Restant OS. Changes apply prospectively from the effective date.

15. How to Contact Us

If you have questions about this policy, want to exercise a right, or want to file a complaint, please contact us. We aim to acknowledge requests within five (5) business days.

Email: admin@restantinsurance.com

If we cannot resolve your concern, you may contact the California Privacy Protection Agency, the California Attorney General, the California Department of Insurance (consumer hotline 1-800-927-4357), or the Federal Trade Commission.