Privacy and Data Security
Effective date: January 1, 2026
MerchantFirst collects only the information required to review, qualify, and process merchant intake. Sensitive data is requested progressively and only when needed.
Data categories
We may process business identity, contact details, intake responses, and underwriting-related documents. Sensitive fields are encrypted and access is limited by role and ownership checks.
How data is used
Data is used for qualification, underwriting preparation, communication, and compliance operations. It is not sold to third parties.
Security controls
Controls include TLS in transit, encrypted storage at rest, role-based authorization, private document storage, signed upload workflows, and audit logging for privileged events.
Retention
Submitted records are retained according to legal and partner obligations. Draft records may be removed after inactivity windows. Data deletion requests are evaluated against legal requirements.