Effective date: October 10, 2025
Who we are. Merchant Flow Financial (“Merchant Flow,” “we,” “us,” “our”) provides commercial financing brokerage and advisory services to U.S. businesses.

Scope. This Policy explains how we collect, use, disclose, and protect personal information of business owners, guarantors, and business contacts that interact with us online and offline (website, applications, calls, texts, email, events, and partner referrals).

Regulatory context in plain English. Some of the data we handle may fall under financial privacy and security rules (e.g., the FTC’s Safeguards Rule under GLBA for “consumers”), while much of our work is business‑to‑business. We apply one high standard across the board to reduce your risk—regardless of whether GLBA technically applies to a specific record. eCFR+2Federal Register+2

A. Information we collect

  • Identifiers & contact data: name, address, email, phone, government ID (e.g., driver’s license), IP/device data.
  • Business & financial data: business legal name, EIN, ownership, revenues, bank statements, processing volumes, tax documents, payables/receivables, collateral, leases.
  • Credit & risk data: credit reports/scores about owners/guarantors (where permitted), fraud signals, sanctions checks.
  • Communications & preferences: recordings of calls (with notice), emails, SMS logs, consents, opt‑out choices.
  • Internet/usage data: cookies, pixels, and similar technologies (see Cookies & Ads).
  • Inferences drawn from the above to assess eligibility or tailor services.

Sources. You; your devices; our affiliates; lenders and service providers; lead partners (only where they can prove compliant consent); credit bureaus and data vendors; public records. For consumer reports, we obtain and use them only for a legally permissible purposeConsumer Financial Protection Bureau+1

B. How we use information

  • Underwriting and brokering financing; servicing communications.
  • Verifying identity, preventing fraud, and complying with law.
  • Operating our sites, analytics, and improving services.
  • Marketing (email/SMS/phone) only with appropriate consent and honoring all opt‑out requests.
  • Recordkeeping, security, debugging, and legal defense.

C. Cookies, analytics, and ads

We use cookies/pixels and similar tech for site operations, analytics, and (if enabled) retargeting/“cross‑context behavioral advertising.” You can manage cookies in your browser and at /privacy/choices. If California law applies to you, you may opt out of “sharing” for targeted ads at the same link. California Privacy Protection Agency

D. Texts, calls, and email

  • Texts (SMS/MMS). We send marketing texts only with your prior consent. Reply STOP to cancel, HELP for help. Message & data rates may apply. We also honor National Do‑Not‑Call rights applied to texts (FCC codified this). Federal Register
  • Calls. We respect federal telemarketing hours (8 a.m.–9 p.m. local time) and maintain internal and National DNC suppression. We identify ourselves and provide a callback number. No spoofed caller ID. If we use prerecorded messages, we include an automated opt‑out. Federal Trade Commission+2Federal Trade Commission+2
  • Email. Commercial email includes an unsubscribe link and our physical postal address; we honor opt‑out requests within 10 business days. Federal Trade Commission+1

Note on TCPA “one‑to‑one” consent. The FCC’s 2023 “one‑to‑one” consent rule for lead generators was vacated by the Eleventh Circuit and later removed by the FCC. Bottom line: you still need valid prior express consent where required, but not “one seller at a time.” Keep documented consent anyway—judges are scrutinizing TCPA defenses more aggressively. Justia+2Federal Communications Commission+2

E. Outbound calling, lead generation & prospecting commitments

  • We scrub calling/texting lists against the National DNC at least every 31 days and maintain an entity‑specific DNC list; requests are honored promptly. Federal Trade Commission
  • We train staff on TSR disclosures, calling windows, abandonment rules, and opt‑out mechanisms; we maintain written procedures and audit compliance (TSR “safe harbor”). Federal Trade Commission
  • For purchased or partner leads, we require vendors to produce timestamped proof of consent and the exact disclosure copy shown.
  • We register and maintain A2P 10DLC brand/campaigns with carriers for U.S. messaging; unregistered or non‑compliant traffic can be blocked or fined by carriers. Twilio

F. How we share information

We share information with:

  • Lenders and funding partners to evaluate and complete financing;
  • Service providers/contractors (KYC, hosting, analytics, communications, document processing) under confidentiality obligations;
  • Credit bureaus and data partners for permissible purposes;
  • Affiliates for business operations;
  • Legal/Compliance (to comply with law, defend rights, or in corporate transactions).
    We do not sell personal information for money. If we “share” data for targeted advertising, you may opt out at /privacy/choicesCalifornia Privacy Protection Agency

G. Retention

We retain application and underwriting records for the period necessary to provide services and meet legal/defense needs—generally up to 7 years after the last interaction, unless a longer period is required. Marketing opt‑out/suppression records are kept to honor your request. (California expects disclosure of retention or criteria in the policy/notice at collection.) Arnold & Porter

H. Your privacy rights (U.S. states)

Depending on your state (e.g., California), you may have the right to know/accessdeletecorrectopt‑out of sale/shareand targeted advertising, and limit use of sensitive personal information. Submit requests at /privacy/requests or email privacy@merchantflow.com. California requires a Notice at Collection (see below) and a “Do Not Sell or Share” link if applicable. California DOJ

GLBA vs. state privacy. California’s CCPA/CPRA does not apply to certain personal information collected “pursuant to” GLBA, but other data you collect (e.g., marketing site visitors, some B2B contacts) can still be covered—don’t assume a blanket exemption. Carlton Fields+1

I. Credit reports & adverse action (FCRA/ECOA)

If we obtain a consumer report about an owner/guarantor, we do so only for a permissible purpose and provide required adverse action notices under ECOA/Reg B and FCRA if credit is denied based on such information. Consumer Financial Protection Bureau+1

J. Security (Safeguards)

We maintain a written information security program with administrative, technical, and physical controls (access control, encryption in transit and at rest where appropriate, multi‑factor authentication for sensitive systems, vendor oversight, risk assessments, training, and incident response). If a security event triggers the FTC Safeguards Rule notification threshold (500+ consumers), we will notify the FTC within 30 days as required. eCFR+1

K. Children

Our services are for businesses. We don’t knowingly collect personal information from children under 13.

L. Changes

If we materially change this Policy, we’ll post the update here with a new effective date.

M.  How to contact us

Merchant Flow Financial
155 Passaic Avenue, Suite 450, Fairfield, NJ 07004 • (973) 406‑6441
privacy@merchantflow.com (data rights & questions)
dnc@merchantflow.com (Do‑Not‑Call/Text requests)