Cool idea though.
Cool idea though.
The scamming that happens to homebuyers is not even comparable to the risk in uploading docs to a website which promises they won't share user data with anyone. This is genuinely a pro buyer tool with no association with any 3rd party.
The tool has already helped many people negotiate and get a better deal on their mortgage. Please before judging understand that 70% of buyers overpay in their mortgage 1-3% in closing costs and bad rates. It's mind boggling how much lenders get away with profiting in junk fees from stressed out homebuyers.
For example, you could advise the person uploading to remove PII prior to the upload, and link to pdf editing tools that allow them to do that.
You could say that not including PII like full name(s) found on just about every loan estimate does not take away from the value of the tool.
Another thing that could be done is to provide clear means for removing any data uploaded, or opt-out pre-upload of any data being used for training.
For example by creating an account first.
Providing some skin in the game such as putting the removal behavior in the terms of service and a personal guarantee to do everything to ensure sensitivity to privacy of this information will be handled carefully staking your reputation, probably would help.
A business is not just about the product.
Your Privacy Policy. There is no default way to download it (see 9.), and since it is window-ed cannot print entire doc. That means I cannot keep a copy of it for myself.
> We collect the following types of information:
> Mortgage Documents: Loan Estimates and Closing Disclosures you upload for analysis.
Okay, but
> 4. Data Security
> We implement industry-standard security measures to protect your information from unauthorized access, disclosure, alteration, and destruction.
This means nothing. Are you ISO 27001:2022, NIST SP 800-53, CIS, CE+, Essential Eight, or something else? Have you been audited, and proof? Who is your ISP? What regs do you follow around data sovereignty?
Terms of Service. Again, no default way of download. Overall, I would never agree to this ToS. It demands all kinds of requirements on the user, but takes no responsibility for anything - or as described above, explain how you will protect your customers.
You have no reference anywhere where you are geographically. No address, no about us, no who you are. I would be very leery on uploading anything.
Rather than talking up the value of the tool as superceding the concerns, a more constructive approach might acknowledge the concerns and emphasize how you already do minimize risk or commitments you're willing to make towards doing so.
Being dismissive doesn't help worried or skeptical people feel more secure, and worried and skeptical people make perfectly good users too.
Maybe I'm wrong here, but, My mental model of privacy policies and the like has always been: This is a lie, the company will do whatever it wants with my data. And I will have no recourse.
As such I've always acted accordingly. And very few websites have legit info on me.
I just added a way to easily download the entire privacy policy and terms of service, also quickly added an about page with some info about me - https://closing.wtf/about
Eventually I'm going to get a certification and will keep your other points in mind.
Bold strategy Cotton.
Owner did the smart thing and listened to the constructive criticism which made me feel infinitely better about using his tool.
Which I will now do, and would not have before. I am also his exact customer.
That is not being a "hater".
I have no reason to think you're not completely sincere in this!
But, realize it doesn't mean anything.
Unless that promise is backed by some ironclad contract, it means nothing. Companies grow and hire new people who don't care about the original values. Or they get acquired and all bets are off. Or they start running low on cash and suddenly decide monetizing all that data is a good idea after all. Or it becomes visible enough to attract attention of the government who shows up demanding copies of data. And so on.
I've been in one or more startups where all of these things have happened.
AFAIK house sale prices (ie. property transactions) are open in many (most?) jurisdictions.
>and swoop the deal with a slightly better offer
How does that even work? The winning bidder is presumably someone who gave the highest offer. Why would another company pay above and beyond that, considering that there's probably several other serious buyers who aren't willing to pay more?
What happens when you get hacked? Not if. To come back at someone with valid concerns with a "no, you don't understand my point of view" does nothing but a disservice to you.
Expecting people to just accept things is just not a good way to operate. When you receive push back, you need better responses than this. Will the vast majority of your users push back, sadly, probably not. However, you did post this to HN and then reacted poorly to valid criticism. Tsk tsk
Privacy concerns are real but the importance of that matter in your project is overestimated here by an absurd level.
What I read is not a constructive criticism and the suggestions laid down are not realistic nor business relevant at all. I feel like this is some sort of mass wishful thinking.
But it doesn’t need a lot of the data in that document, so really they need a way to redact all the unnecessary data to require less trust.
Edit: words.
Your typical home buyer isn't reading the contract they sign when they buy a home, let alone the privacy policy of a simple tool they use to check if they have a mortgage with decent terms.
kojeovo's original comment was less so. When you build a product, you're going to get random, in-actionable comments from people who just like to complain. Separating the signal from noise is difficult, and while there is a underlying concern about privacy, not giving anything actionable moves it towards to the noise side of the spectrum.
A lower all cash offer (say $975K) is likely a better offer for the seller because it reduces the risk for them and closes the transaction much quicker than a mortgage transaction.
I have been a buyer in two transactions where my offer was slightly lower than the highest bidder, but with better terms.
Yes many banks charge $30 or more for a wire transfer, but I'd rather just pay the $60 than have a large sum wire transfer lost, stolen, etc.
Some banks/Brokerages are sane and do not charge extra for wire transfers. Fidelity is one such. BOA also(if you have enough assets there, $100k will do it).
Their aggressive dismissal of the concern is not a good look.
I won't even get into how ridiculous it is to consider anyone who disagrees with you a "hater."
This isn't about privacy, it's a security concern. People's life savings are on the line here, and the information OP is requesting is enough to pull off very sophisticated social engineering attacks. It's entirely reasonable to ask what they're going to do with that information and how they're keeping it secured, and their reaction to the questions is entirely inappropriate for someone who's asking for this degree of trust.
Do sellers in the US know how large your down payment is? AFAIK that's not a thing in Canada. Offers either have a financing condition, or don't. If the offer doesn't have a financing condition, the buyer might be paying cash. But they could just be trying to present an offer with better terms, gambling that they'll definitely find financing somewhere or the other.
If you have suggestions more than "don't trust this random internet tool even if it gives you free advice, regardless of the value it offers", please let me know [thanks emoji]
Every time I’ve sold a house it’s been a factor in deciding which offer(s) to pick or counter.
There isn’t anything actionable in them. It seems like you are running some kind of scheme to collect these documents. And it’s not clear why you need them at all: you could provide the same advise to everyone regardless of their contents, which is to compare options, or to ask for more lender refunds.
A great analogy would be a website that asks users to provide their usernames and passwords for sites to see if it’s a strong password or if it’s been compromised. “Sorry, the credentials stouset / hunter2 were found in our database for Hacker News.”
Sure maybe you’re a saint and don’t store or misuse this data. But such a site would in the best case be training users to do a very wrong and dangerous thing. In the worst case you get breached by attackers who do use the collected data to do evil.
With such a high chance of not actually getting the sale done, sellers are motivated to take 475 immediate cash instead of 525 with a 1/3rd risk of having to do it all over. Especially if they need the cash to buy their next home.
This is actually a really good analogy because it does illustrate that it's not a completely crazy ask—people do trust Troy Hunt to run such a site. But OP should be much more understanding of how dangerous the concept is and offer options to resolve concerns (Troy allows downloading the passwords list to check locally), especially while they're not Troy Hunt-level famous and still are trying to build up trust.
Note that all cash commonly means no financing contingency. I put in an all-cash offer and financed it. I just didn’t have an out if I couldn’t find financing I liked. (Legally.)
You’ll never ever please the privacy commenters on HN who are armchair security enthusiasts. They’re never going to use your product and they’re never going to stop complaining if you show your product to them.
Normal people just don’t care. For a tiny side project spend your time on the thing that’s potentially useful to people not trying to appease the privacy crowd on HN.
This gives you a obvious profit motive, and makes you seem more sketchy because you now have more skin in the game to keep it operating as a valid and useful business service
This is actually uploading all the information to the backend and storing it in a database. Like a page that is asking for a service URL, a username, a password, a TOTP secret, sending it all to the server, and having the server check if the credentials have been pwned and saving it all.
> We never sell or share data with third parties. All information is used solely to generate analyses to help borrowers analyze and optimize their mortgages.
I even looked further into the privacy policy, just to be diligent here.
> We implement industry-standard security measures to protect your information from unauthorized access, disclosure, alteration, and destruction.
With how much info I have been provided, I'm just not gonna upload a document to your site. Like I said, just doesn't inspire confidence as I scroll your landing page. Could just be a copy change to fix this.