Privacy Policy
Effective Date: (Updated) August 4, 2025
1. Who we are and scope
Stratas LLC (“Stratas LLC,” “we,” “us,” or “our”) is a brokerage that helps businesses evaluate and obtain working-capital solutions, including merchant cash advances (MCA), term loans, SBA-backed loans, invoice factoring, and lines of credit, by matching applicants with banks, financing companies, and factor partners. This Privacy Policy explains how we collect, use, disclose, and safeguard information in connection with our websites, forms, phone and SMS communications, email, customer portals, and any other products or services that link to this Policy (collectively, the “Services”). This Policy applies to both prospective and current business customers and to individuals acting on behalf of a business. It does not apply to third-party sites or services that we do not control.
2. Key definitions
a. personal information means information that identifies, relates to, describes, or can reasonably be associated with a particular consumer or household.
b. sensitive personal information includes identifiers like government ID numbers, financial account numbers plus access codes, precise geolocation, and information revealing racial or ethnic origin or health where applicable law defines it as sensitive.
c. business applicant means any business and its authorized representatives seeking capital through our Services.
d. financial partner means a bank, non-bank lender, financing company, factor, or other funding source that may review an application.
e. service provider means a vendor that processes information for us under contract, such as identity verification, fraud prevention, analytics, secure document transfer, and cloud hosting.
3. Products covered
This Policy is tailored primarily to: merchant cash advances, term loans, SBA loans (facilitated with bank partners), invoice factoring, and lines of credit. We may, at your direction, facilitate introductions for merchant services or payment processing through independent, PCI-DSS-validated partners; this is ancillary and not the focus of our Services.
4. Information we collect
We collect information directly from you, from your devices, from your business, and from third parties (subject to law). Categories include:
a. identifiers and contact details: name, business title, email, phone, mailing address, IP address, device identifiers.
b. business profile: legal business name, DBA, entity type, EIN, industry (NAICS), time in business, business address(es), ownership/management information.
c. financial information (business): revenue, average balances, cash-flow data, bank statements, AR/AP aging, tax returns, P&Ls, balance sheets, invoices, contracts, and other underwriting materials.
d. financial information (individual, when required by partners): SSN/ITIN, date of birth, government-issued ID details, residential address history, credit-related data where permissible purpose exists.
e. application and communications data: forms you submit, call recordings, SMS/email logs and content, notes from conversations, support tickets, marketing preferences.
f. third-party data sources: identity verification and KYC vendors, watchlist/OFAC screening providers, credit bureaus and alternative credit data sources (where permitted), bank-connect providers (open banking), fraud-risk and device-fingerprinting vendors.
g. technical and usage data: device type, browser, operating system, referring/exit pages, timestamps, approximate geolocation, and cookie or similar identifiers.
h. inferences: risk scores, eligibility estimates, and product fit assessments derived from the above.
Notice at collection for California residents (summary)
We collect the categories listed above for business purposes, including underwriting, KYC/AML screening, fraud prevention, service delivery, analytics, and marketing consistent with this Policy. We do not sell personal information for money. We may “share” personal information for cross-context behavioral advertising as defined by California law; you may opt out as described below.
5. Lawful bases and permissible purposes
Depending on jurisdiction, we rely on one or more of the following: your consent; performance of a contract or pre-contractual steps at your request; compliance with legal obligations (including BSA/AML, sanctions, and fair-lending laws); our legitimate interests in operating and improving the Services; and, where applicable, permissible purpose for obtaining and using consumer reports under the Fair Credit Reporting Act (FCRA). For MCAs and certain commercial products, consumer reports may not be required; if a consumer report is accessed, we will do so only with a permissible purpose and appropriate disclosures/authorizations.
6. How we use information
We use information to:
a. evaluate, underwrite, broker, and service financing requests;
b. perform identity verification, KYC/CIP, AML and sanctions screening;
c. detect and prevent fraud, abuse, or security incidents;
d. obtain bank-transaction data through user-authorized connections to assess cash flow;
e. communicate about applications, offers, requests for documents, servicing updates, renewals, and support;
f. conduct analytics, product development, QA and training (including quality review of recorded calls);
g. comply with legal, regulatory, tax, audit, and reporting obligations;
h. maintain business records and enforce agreements;
i. conduct limited marketing and remarketing consistent with law, with opt-out options.
Automated decision-making and profiling
We may use automated scoring and decision aids to estimate eligibility, risk, or pricing. Final decisions may also involve human review by us or our financial partners.
7. Sharing and disclosures
We disclose information as reasonably necessary for the purposes above:
a. financial partners and funding sources: to evaluate applications, structure offers, and service financing.
b. bank partners for SBA loans: to meet SBA lender requirements; SBA forms may collect additional data subject to SBA privacy rules.
c. factors and buyers: for invoice-factoring evaluations and verifications (including customer verifications).
d. service providers: hosting, document collection, secure file transfer, analytics, communications, ID verification, KYC/AML, fraud prevention, e-signature, and customer support.
e. data partners: credit bureaus and alternative data providers, subject to permissible purpose; sanctions/watchlist screening services.
f. advisors and auditors: attorneys, accountants, regulators, and examiners under confidentiality.
g. corporate transactions: merger, acquisition, financing, or sale of assets, where information may be transferred with appropriate safeguards.
h. legal compliance: to courts, law enforcement, regulators, and any party where required by law, subpoena, or to protect rights, safety, and security.
i. with your direction: where you explicitly authorize additional disclosures.
We do not sell personal information for monetary consideration. Where a disclosure could be deemed a “share” for cross-context behavioral advertising, you may opt out as described below.
8. Retention and minimization
We retain information only as long as reasonably necessary for underwriting and servicing, to comply with laws (including record-keeping requirements that may extend up to seven years after account closure or final decision), resolve disputes, and enforce agreements. If your application does not result in financing, we typically retain core application records for at least three years for compliance and audit, unless law requires longer. We periodically review, aggregate, de-identify, or securely delete data that is no longer needed.
9. Security program (administrative, technical, and physical safeguards)
We maintain a written information security program designed to protect information against unauthorized access, use, disclosure, alteration, and destruction. Controls include:
a. governance and access control
• role-based access control with least privilege and documented approval workflows
• multi-factor authentication for internal and administrative access
• single sign-on where supported; periodic access reviews and revocation within defined SLAs
• separation of duties for production access and data exports
• unique credentials; strong-password and rotation policies
b. encryption and key management
• encryption in transit using modern TLS (TLS 1.2+ or successor)
• encryption at rest for production databases and document storage using industry-standard algorithms
• restricted key access with rotation and logging
c. network and platform security
• VPC segmentation, security groups, minimal inbound ports, and principle of least exposure
• endpoint protection and mobile-device management on company-managed devices
• hardened images and baseline configurations aligned to industry benchmarks
• vulnerability scanning and remediation; periodic third-party testing where appropriate
• backups with tested restoration; disaster-recovery and business-continuity plans with defined RTO/RPO targets
d. application and data safeguards
• secure development lifecycle practices; code review and dependency management
• input validation and protection against common web exploits
• audit logging for privileged actions and data exports; tamper-resistant logs retained per policy
• data loss prevention for bulk exports and email exfiltration alerts where feasible
• redaction and masking of sensitive fields in lower environments (no production data in non-prod)
e. vendor and third-party risk management
• security and privacy due diligence prior to onboarding vendors handling personal information
• written contracts with confidentiality, breach-notification, and minimum-security obligations
• ongoing monitoring and periodic reassessment
f. personnel security and training
• background checks as permitted by law for sensitive roles
• mandatory security, privacy, phishing-awareness, and compliance training
• acceptable-use and confidentiality agreements
g. incident response and breach notification
• documented incident-response plan with 24/7 escalation paths
• prompt investigation, containment, and remediation
• notifications to affected individuals and regulators as required by applicable law and contractual commitments
We align our program to industry standards (for example, SOC 2 and ISO/IEC 27001 principles) without implying certification unless expressly stated elsewhere. No method of transmission or storage is 100 percent secure; we cannot guarantee absolute security.
10. Cookies and tracking technologies
We use cookies, pixels, and similar technologies for authentication, session management, analytics, and to understand campaign performance. You can adjust your browser settings to refuse or delete cookies; certain features may not function without them. Where required by law, we honor Global Privacy Control (GPC) and provide mechanisms to opt out of cross-context behavioral advertising.
11. Choices and rights
Your options may include:
a. access, correction, and portability: request a copy of your information or correct inaccuracies.
b. deletion: request deletion subject to legal exemptions (for example, records we must keep for compliance).
c. opt out of marketing: unsubscribe via provided links, reply STOP to SMS, or contact us.
d. opt out of cross-context behavioral advertising and limit sensitive personal information: use our web controls or contact us.
e. do not sell or share: California and certain U.S. state residents may opt out via our controls or by contacting us.
f. FCRA-related rights: if a consumer report is used in connection with your application, you may have rights to request the nature of the information and to dispute inaccuracies with the bureau.
Submitting a request
Email [email protected] with your name, business name, and request type. We may need to verify your identity and authority (for example, proof you are an authorized signatory). Authorized agent requests require proof of authorization and identity verification.
Regional notices
a. California (CCPA/CPRA): you have the rights described above, including to know, delete, correct, opt out of sale/share, and limit use of sensitive personal information. We do not use sensitive personal information for inferring characteristics.
b. Nevada (NRS 603A): Nevada residents may submit a request to opt out of the sale of covered information to [email protected]. We do not sell covered information as defined by Nevada law.
c. other U.S. states: where Virginia, Colorado, Connecticut, Utah, and similar laws apply, you may have comparable rights; contact us to exercise them.
d. EU/UK residents (GDPR): where applicable, you may have rights to access, rectification, erasure, restriction, objection, and portability, and to lodge a complaint with your supervisory authority. Legal bases appear above. We may transfer your data to the U.S. using approved safeguards (for example, standard contractual clauses).
12. Children’s information
Our Services are for adults engaged in business activity. We do not knowingly collect personal information from individuals under 18. If you believe a minor has provided information, contact us for deletion.
13. Communications, recordings, and TCPA/CTIA
By providing a phone number or email, you consent to be contacted about your application or account via email, phone, prerecorded messages, and SMS, including by automated means where permitted. Message and data rates may apply. Reply STOP to opt out of SMS; reply HELP for help. We may record or monitor calls for quality, training, and compliance. Marketing messages require your consent and are optional.
14. Fair-lending, ECOA, and no-guarantee disclosures
We and our partners are committed to fair-lending principles and do not discriminate on a prohibited basis. Submission of an application does not guarantee approval, specific terms, or funding timeline. Prequalification ranges are estimates, subject to due diligence, partner criteria, and verification. For consumer reports used in connection with an application, adverse-action notices will be provided as required by the Equal Credit Opportunity Act (ECOA) and FCRA, where applicable.
15. Open banking and bank-connect tools
If you choose to connect a bank account through a secure aggregation tool, you authorize us and our service providers to access and transmit read-only account information (for example, balances, transactions, account holder details) solely to evaluate eligibility, manage risk, verify account ownership, and service financing. We do not receive or store your online banking credentials; access tokens are managed by the aggregation provider.
16. International transfers
We may store or process information in the United States and other countries. When transferring personal information from regions with data-transfer restrictions, we use legally recognized transfer mechanisms and implement additional safeguards as required.
17. Third-party sites and services
Links to third-party websites or platforms are provided for convenience and are governed by those parties’ privacy policies and terms. We are not responsible for their practices.
18. Limited payment-processing mention
On request, we may introduce you to independent merchant-services providers. In such cases, cardholder data is handled directly by PCI-DSS-validated providers; we do not store full primary account numbers or security codes.
19. Changes to this policy
We may update this Policy from time to time. Material changes will be posted to our website with a revised effective date. Where required by law, we will provide additional notice or obtain consent.
20. Contacting us
Stratas LLC
8275 South Eastern Avenue Las Vegas, NV
Phone: +1 725-257-5354
Email: [email protected]
Website: stratasfinancial.com
21. Additional legal notices and disclaimers
a. not legal advice: this Policy is for transparency and does not constitute legal or financial advice.
b. contract precedence: if a separate, signed agreement with a customer contains terms that conflict with this Policy, that agreement governs to the extent of the conflict.
c. GLBA financial privacy: certain information may be subject to the Gramm-Leach-Bliley Act (GLBA). We share nonpublic personal information with non-affiliated third parties only as permitted by law (for example, to process transactions or maintain your account) and otherwise as described in this Policy.
d. UDAAP: we endeavor to present clear, non-misleading information and to avoid unfair, deceptive, or abusive acts or practices.
e. recordkeeping: we maintain records sufficient to demonstrate compliance with applicable laws, underwriting standards, and this Policy.
f. dispute resolution: any disputes regarding privacy practices may be raised to the contact above; additional dispute-resolution terms may appear in your application or agreement.
g. data controller/processor roles: for our brokerage Services we generally act as an independent controller (or business) with respect to information you provide to us. When we process information strictly on behalf of a financial partner under their instructions, we act as their processor (or service provider).
22. Summary of security commitments for lenders and auditors
Upon request and subject to confidentiality, we can provide:
• high-level network and data-flow diagrams;
• summaries of recent vulnerability scans and remediation status;
• copies of relevant policies (information security, access control, vendor risk, incident response, business continuity);
• results of most recent access reviews for production systems;
• vendor inventory and data-classification matrices;
• evidence of encryption configurations and key-management practices;
• incident-response test summaries and disaster-recovery exercise results.