Privacy and Data Security

Effective date: January 1, 2026

MerchantFirst collects only the information required to review, qualify, and process merchant intake. Sensitive data is requested progressively and only when needed.

Data categories

We may process business identity, contact details, intake responses, and underwriting-related documents. Sensitive fields are encrypted and access is limited by role and ownership checks.

How data is used

Data is used for qualification, underwriting preparation, communication, and compliance operations. It is not sold to third parties.

Security controls

Controls include TLS in transit, encrypted storage at rest, role-based authorization, private document storage, signed upload workflows, and audit logging for privileged events.

Retention

Submitted records are retained according to legal and partner obligations. Draft records may be removed after inactivity windows. Data deletion requests are evaluated against legal requirements.