MyLola
Security

The answers you need before you send us your book.

MyLola handles borrower-level data: names, contact info, loan terms, document attachments. Below is a plain-English description of where it lives, who can reach it, and what happens if you leave.

Where your data lives

Google Cloud + Firebase, in U.S. regions.

MyLola is built on Firebase (a Google Cloud product). Borrower records, household records, loan data, activity timeline, email metadata, and Lola drafts are stored in Firestore. Files (uploaded documents, attachments) are stored in Cloud Storage. Both are hosted in Google Cloud's U.S. regions.

We do not run our own database. We do not ship borrower data to third-party data warehouses. Anthropic is the only outside processor that ever sees borrower data, and only in the moment Lola is drafting a reply for you (see below).

Google account access

We ask for exactly the scopes we use.

When you connect your Google account, MyLola requests Gmail (read + send), Calendar (read + write), and Drive (read). Each of those maps to a feature you turned on:

  • Gmail read scope -> auto-attach incoming email to the right household timeline.
  • Gmail send scope -> "Send" and "Send later" in the compose dialog. Every send is initiated by you.
  • Calendar read/write -> appointment scheduling, meeting links on contact records.
  • Drive read -> attach a borrower's pre-approval letter or appraisal to their household.

You can disconnect Google at any time from Settings -> Integrations. Disconnecting stops all reads and revokes the refresh token.

How Lola uses borrower data

Drafts only. No training. No retention by the model provider.

When you click "Draft with Lola" on an email thread, MyLola sends the original message plus relevant household context (FORM notes, recent activity, primary loan summary) to Anthropic's API to generate a draft reply. Anthropic's commercial API terms prohibit using this data to train their models, and request-level data is not retained beyond a short operational window.

Lola never auto-sends. Every draft lands in your /lola-drafts queue or pre-fills your compose dialog. You review, edit, and send. The only emails that leave your account are ones you explicitly send (or schedule).

Authentication + authorization

Google Sign-In, role-scoped access, no shared credentials.

Every user signs in with their own Google account. There are no shared logins. Team plans support role scoping (LO / Processor / LO Assistant / Business Dev), which gates which records and actions each role can reach.

Firestore security rules enforce that data is readable only by the LO who owns it, members of their team, and (for shared records) explicitly invited collaborators. Server-side Cloud Functions enforce the same rules.

Email privacy

Your inbox stays yours. Even your assistants can't see it.

Email is scoped to the licensed Loan Officer who connected Gmail. No assistant role of any kind — Processor, LO Assistant, Business Dev, or Admin — can read, send, or otherwise touch the LO's inbox or sent folder. Mail merge, scheduled send, Lola drafts, and the inbox view are all gated to the LO uid by both Firestore rules and Cloud Function auth checks.

The LO Assistant role CAN access the LO's calendar so they can book meetings on the LO's behalf. Email and calendar are separate scopes, separately granted, separately enforced.

Encryption + transport

TLS in transit, AES-256 at rest.

All traffic between your browser and MyLola is over TLS 1.2+. Firestore and Cloud Storage encrypt data at rest with AES-256, managed by Google Cloud. Anthropic API traffic is TLS 1.2+.

OAuth refresh tokens are stored in Google Secret Manager, not in Firestore.

Data export + deletion

Your data, your call.

Export: from Settings, you can export every household, borrower, loan, activity, and partner record as JSON or CSV. No support ticket required.

Delete: when you cancel your account, your data is retained for 90 days (in case you come back) and then hard-deleted. You can also request an immediate hard delete by emailing support, and we will complete it within 30 days.

Incident response

If something goes wrong, you hear from us.

If MyLola experiences a security incident affecting your data, you will be notified within 72 hours of confirmation. Incident notices include what happened, what was accessed, and what you should do.

Report a security concern: security@mylola.ai. We respond within one business day.