Privacy Policy
Effective: July 18, 2026 · Last updated: July 18, 2026
1. Who we are
This website is operated by [LEGAL ENTITY NAME], a [ENTITY TYPE] registered in [JURISDICTION] under company number [COMPANY NUMBER], with its registered office at [REGISTERED ADDRESS] ("Strata", "we", "us").
Strata is a payment technology provider. We are not a bank and we do not ourselves hold a banking licence. Card acquiring is performed by licensed acquiring institutions we introduce you to and integrate with.
For the purposes of UK/EU data protection law we are a controller of the personal information described in this policy. Where we pass an application to an acquiring bank or gateway, that institution acts as an independent controller of the information it receives, under its own privacy notice.
2. Information we collect
2.1 Information you give us
When you submit a merchant application or contact us, we collect:
- Business information — legal and trading name, company number, registered and trading addresses, website and checkout domains, industry/MCC, corporate structure.
- Information about principals — names of directors, officers and beneficial owners, dates of birth, home addresses, contact details, and ownership percentages.
- Identity and verification documents — government-issued identification, proof of address, and incorporation documents, where required to satisfy Know Your Customer ("KYC") and anti-money-laundering ("AML") obligations.
- Financial and processing information — monthly volume, average ticket size, prior and current processing history, chargeback and dispute history, refund rates, bank statements, processing statements, and settlement details including the USDT wallet address you nominate for payouts.
- Compliance history — including whether you have been listed on the MATCH / Terminated Merchant File, and the circumstances of any such listing.
- Correspondence — messages you send us, including via Telegram, and our replies.
2.2 Information we collect automatically
- Device and connection data — IP address, browser type and version, operating system, device type, screen size, and language.
- Usage data — pages viewed, time on page, scroll depth, links and buttons clicked, referring URL, and exit pages.
- Advertising identifiers — click identifiers appended to links by advertising platforms (for example Meta's
fbclid) and campaign parameters (utm_source,utm_campaignand similar). We store these in your browser's session storage and attach them to your application so we can tell which advertisement led to it.
2.3 Information from third parties
- Underwriting and risk vendors — identity verification, sanctions and politically-exposed-person screening, adverse media checks, and credit reference data on the business and its principals.
- Card networks and industry databases — including the MATCH / Terminated Merchant File maintained by Mastercard.
- Advertising platforms — aggregated campaign performance reporting.
3. How we use information
| Purpose | What this involves |
|---|---|
| Assessing your application | Underwriting your business, verifying identity, screening against sanctions and industry databases, and deciding whether and on what terms we can place your account. |
| Placing and operating accounts | Introducing you to acquiring institutions and gateways, configuring your checkout, setting reserve and payout terms, and administering settlements. |
| Legal and regulatory compliance | Meeting KYC/AML, sanctions, tax and record-keeping obligations, and responding to lawful requests from regulators, card networks and law enforcement. |
| Fraud and risk management | Monitoring for fraud, chargeback abuse, prohibited activity and breaches of our terms. |
| Communication and support | Replying to enquiries, providing account support, and sending service messages. |
| Advertising and measurement | Measuring which campaigns produce applications, and building audiences on advertising platforms. See section 5. |
| Improving the service | Understanding how the site is used and diagnosing technical problems. |
We do not use automated decision-making producing legal or similarly significant effects without human involvement. Applications are reviewed by a person before a decision is issued.
4. Legal bases (UK/EU)
Where UK or EU data protection law applies, we rely on:
- Contract — to assess your application and to provide services under a merchant agreement.
- Legal obligation — for KYC/AML, sanctions screening, and record retention.
- Legitimate interests — for fraud prevention, risk management, business development, and advertising measurement. We balance these against your rights and you may object (section 10).
- Consent — for non-essential cookies and advertising tracking where consent is required. You may withdraw consent at any time.
5. Cookies, the Meta Pixel and advertising
We advertise on Meta (Facebook and Instagram) and use the Meta Pixel on this website. The Pixel is a piece of code that reports events — such as a page view, or a click on "Submit Application" — back to Meta, together with your IP address, browser identifiers, and cookie data. Meta uses this to attribute applications to advertisements, to optimise ad delivery, and to let us build custom and lookalike audiences.
Meta acts as an independent controller for the data it receives, and in some respects as our joint controller for the collection and transmission of that data. Meta's own handling is governed by its Privacy Policy.
Cookies and similar technologies we use fall into these categories:
| Category | Purpose |
|---|---|
| Strictly necessary | Required for the site to function and to be secure. Cannot be switched off. |
| Analytics | Tell us how the site is used in aggregate so we can improve it. |
| Advertising | The Meta Pixel and click identifiers, used to measure campaigns and target advertising. |
You can also limit ad tracking through your Meta ad preferences, your browser's cookie controls, or a Global Privacy Control signal, which we honour where legally required.
6. Who we share information with
We share personal information with:
- Acquiring banks and payment institutions — to underwrite and place your merchant account.
- Payment gateways — including Authorize.net and PayPal, to provision and operate your checkout.
- Card networks — Visa, Mastercard, American Express and Discover, including registration and reporting obligations and the MATCH / Terminated Merchant File.
- KYC, AML, sanctions and credit reference vendors — to verify identity and screen for risk.
- Service providers — hosting, communications, ticketing and analytics providers acting on our instructions under written contract.
- Advertising platforms — principally Meta, as described in section 5.
- Professional advisers — lawyers, auditors and accountants.
- Authorities — regulators, tax authorities, courts and law enforcement, where we are legally required or permitted to disclose.
- A buyer or successor — in connection with a merger, acquisition, financing or sale of assets.
We do not sell personal information for money. Our use of advertising technology may nonetheless constitute "sharing" or a "sale" under some United States state laws — see section 11.
7. International transfers
We and our providers operate internationally, and your information may be transferred to and processed in countries whose data protection laws differ from those of your own. Where we transfer information out of the UK or European Economic Area, we rely on an adequacy decision where one exists, or otherwise on Standard Contractual Clauses (and the UK Addendum where applicable), together with any additional safeguards required. You may request a copy of the relevant safeguard using the contact details in section 14.
8. How long we keep it
| Information | Retention |
|---|---|
| KYC/AML records and identity documents | At least five (5) years after the end of the business relationship, or longer where required by law. |
| Transaction and settlement records | Seven (7) years — driven by card network rules, chargeback windows and tax law. |
| Declined or abandoned applications | Twenty-four (24) months, so we can recognise resubmissions and evidence our decisions. |
| Website, analytics and advertising data | Fourteen (14) months. |
| Correspondence | Twenty-four (24) months. |
When information is no longer needed, we delete it or irreversibly anonymise it.
9. Security
We maintain technical and organisational measures appropriate to the risk, including encryption in transit, access controls on a need-to-know basis, and logging. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If a breach affects your rights and freedoms, we will notify you and the relevant supervisory authority as required by law.
10. Your rights
Depending on where you live, you may have the right to:
- Access a copy of the personal information we hold about you.
- Rectify information that is inaccurate or incomplete.
- Erase information, where we have no overriding legal obligation to keep it. Note that AML records generally cannot be deleted on request.
- Restrict or object to processing based on legitimate interests, including profiling for direct marketing.
- Portability — receive information you gave us in a machine-readable format.
- Withdraw consent at any time, without affecting processing already carried out.
- Complain to your supervisory authority — in the UK, the Information Commissioner's Office (ico.org.uk); in the EEA, your national authority.
To exercise any of these, contact us using section 14. We will respond within the period required by law (generally one month under UK/EU law, forty-five days under California law). We may need to verify your identity first.
11. California privacy rights
If you are a California resident, the California Consumer Privacy Act as amended by the CPRA gives you the rights to know, delete, and correct personal information, to opt out of its "sale" or "sharing", to limit the use of sensitive personal information, and not to be discriminated against for exercising those rights.
In the preceding twelve months we have collected the categories of personal information listed in section 2, for the purposes in section 3, and disclosed them to the categories of recipient in section 6. We have not sold personal information for monetary consideration. Our use of the Meta Pixel for advertising constitutes "sharing" for cross-context behavioural advertising under the CPRA, and you may opt out.
12. Children
This website and our services are directed to businesses and to individuals aged eighteen (18) or over. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.
13. Changes
We may update this policy from time to time. We will change the "Last updated" date above and, where changes are material, take reasonable steps to notify you. Continued use of the site after changes take effect means you accept the updated policy.
14. Contact us
Privacy enquiries and rights requests: [PRIVACY EMAIL]
Postal address: [REGISTERED ADDRESS]
Data protection officer / EU–UK representative: Not appointed
General questions can also reach us on Telegram at @stratapay, though please do not send identity documents or rights requests there.