Privacy Policy
Effective: April 29, 2026.
MerchantSourced (“we”, “us”) operates a B2B marketplace for business-funding leads. This Policy describes what information we collect, why, and how we share it with our commercial buyers under the safeguards required by the Gramm-Leach-Bliley Act (“GLBA”) and applicable state law.
1. What we collect
- Business contact details: business name, owner name, business email, business phone.
- Underwriting attributes: monthly revenue, FICO band, time in business, MCA stack, requested amount, urgency.
- Submission metadata: IP address, user agent, timestamp, consent text version, source URL.
- Phone metadata via Twilio Lookup: line type, carrier name. We do not retain raw Twilio responses.
2. Why we collect it
To deliver the merchant's funding request to commercial buyers who match the merchant's declared profile, to validate the submission against fraud and TCPA rules, and to maintain auditable records of exclusivity and consent.
3. Who we share it with
Real-time exclusive leads are shared with one approved commercial buyer. Real-time shared leads are shared with up to three approved commercial buyers. Bulk inventory is shared with the buyer who purchases that filtered slice. We do not sell merchant data to consumer marketers, list resellers, or non-commercial-finance third parties.
4. Buyer obligations
All buyers contractually agree (Section 3 of the Buyer Agreement) not to resell, retransmit, or syndicate the data. CSV exports include per-row HMAC watermarks that allow us to identify the source of any leaked file in a single row.
5. Security
Data is stored in encrypted Postgres on Neon (US-East). Transport is TLS-only. Buyer passwords are bcrypt-hashed (cost 10). Session cookies are HTTP-only and Secure-flagged. API keys are random 256-bit tokens.
6. Your rights
Merchants may request deletion of their record, receipt of which we honor within 30 days for any record not currently in active commercial use. Email privacy@merchantsourced.com. California, Virginia, Colorado, and Connecticut residents may exercise additional rights as described under the applicable state law.
7. Retention
Lead records are retained 24 months from capture, after which contact fields are anonymized. Audit-trail signatures and consent metadata are retained 7 years for compliance.