Legal

Privacy Policy

Effective: July 18, 2026  ·  Last updated: July 18, 2026

Plain-language summary. We collect information you give us when you apply to process payments with us, and technical information about how you use this website — including advertising data from the Meta (Facebook) Pixel. We use it to underwrite and operate merchant accounts, to meet anti-money-laundering obligations, and to measure our advertising. We share it with the banks, gateways and compliance vendors needed to place and run your account. We do not sell personal information for money. This summary is for orientation only — the full policy below governs.
Contents
  1. Who we are
  2. Information we collect
  3. How we use information
  4. Legal bases (UK/EU)
  5. Cookies, the Meta Pixel and advertising
  6. Who we share information with
  7. International transfers
  8. How long we keep it
  9. Security
  10. Your rights
  11. California privacy rights
  12. Children
  13. Changes
  14. Contact us

1. Who we are

This website is operated by [LEGAL ENTITY NAME], a [ENTITY TYPE] registered in [JURISDICTION] under company number [COMPANY NUMBER], with its registered office at [REGISTERED ADDRESS] ("Strata", "we", "us").

Strata is a payment technology provider. We are not a bank and we do not ourselves hold a banking licence. Card acquiring is performed by licensed acquiring institutions we introduce you to and integrate with.

For the purposes of UK/EU data protection law we are a controller of the personal information described in this policy. Where we pass an application to an acquiring bank or gateway, that institution acts as an independent controller of the information it receives, under its own privacy notice.

2. Information we collect

2.1 Information you give us

When you submit a merchant application or contact us, we collect:

Please note. Identity documents and financial records are sensitive. Only submit them through channels we ask you to use. Telegram is convenient for conversation but is not an appropriate channel for identity documents — we will direct you to a secure upload.

2.2 Information we collect automatically

2.3 Information from third parties

3. How we use information

PurposeWhat this involves
Assessing your applicationUnderwriting your business, verifying identity, screening against sanctions and industry databases, and deciding whether and on what terms we can place your account.
Placing and operating accountsIntroducing you to acquiring institutions and gateways, configuring your checkout, setting reserve and payout terms, and administering settlements.
Legal and regulatory complianceMeeting KYC/AML, sanctions, tax and record-keeping obligations, and responding to lawful requests from regulators, card networks and law enforcement.
Fraud and risk managementMonitoring for fraud, chargeback abuse, prohibited activity and breaches of our terms.
Communication and supportReplying to enquiries, providing account support, and sending service messages.
Advertising and measurementMeasuring which campaigns produce applications, and building audiences on advertising platforms. See section 5.
Improving the serviceUnderstanding how the site is used and diagnosing technical problems.

We do not use automated decision-making producing legal or similarly significant effects without human involvement. Applications are reviewed by a person before a decision is issued.

4. Legal bases (UK/EU)

Where UK or EU data protection law applies, we rely on:

5. Cookies, the Meta Pixel and advertising

We advertise on Meta (Facebook and Instagram) and use the Meta Pixel on this website. The Pixel is a piece of code that reports events — such as a page view, or a click on "Submit Application" — back to Meta, together with your IP address, browser identifiers, and cookie data. Meta uses this to attribute applications to advertisements, to optimise ad delivery, and to let us build custom and lookalike audiences.

Meta acts as an independent controller for the data it receives, and in some respects as our joint controller for the collection and transmission of that data. Meta's own handling is governed by its Privacy Policy.

Cookies and similar technologies we use fall into these categories:

CategoryPurpose
Strictly necessaryRequired for the site to function and to be secure. Cannot be switched off.
AnalyticsTell us how the site is used in aggregate so we can improve it.
AdvertisingThe Meta Pixel and click identifiers, used to measure campaigns and target advertising.
Consent and opt-out. On your first visit we show a cookie banner. Analytics and advertising cookies — including the Meta Pixel — help us measure our advertising. You can decline them from that banner, or later through the "Cookie preferences" link in the footer of every page, and we honour Global Privacy Control signals sent by your browser.

You can also limit ad tracking through your Meta ad preferences, your browser's cookie controls, or a Global Privacy Control signal, which we honour where legally required.

6. Who we share information with

We share personal information with:

We do not sell personal information for money. Our use of advertising technology may nonetheless constitute "sharing" or a "sale" under some United States state laws — see section 11.

7. International transfers

We and our providers operate internationally, and your information may be transferred to and processed in countries whose data protection laws differ from those of your own. Where we transfer information out of the UK or European Economic Area, we rely on an adequacy decision where one exists, or otherwise on Standard Contractual Clauses (and the UK Addendum where applicable), together with any additional safeguards required. You may request a copy of the relevant safeguard using the contact details in section 14.

8. How long we keep it

InformationRetention
KYC/AML records and identity documentsAt least five (5) years after the end of the business relationship, or longer where required by law.
Transaction and settlement recordsSeven (7) years — driven by card network rules, chargeback windows and tax law.
Declined or abandoned applicationsTwenty-four (24) months, so we can recognise resubmissions and evidence our decisions.
Website, analytics and advertising dataFourteen (14) months.
CorrespondenceTwenty-four (24) months.

When information is no longer needed, we delete it or irreversibly anonymise it.

9. Security

We maintain technical and organisational measures appropriate to the risk, including encryption in transit, access controls on a need-to-know basis, and logging. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If a breach affects your rights and freedoms, we will notify you and the relevant supervisory authority as required by law.

10. Your rights

Depending on where you live, you may have the right to:

To exercise any of these, contact us using section 14. We will respond within the period required by law (generally one month under UK/EU law, forty-five days under California law). We may need to verify your identity first.

11. California privacy rights

If you are a California resident, the California Consumer Privacy Act as amended by the CPRA gives you the rights to know, delete, and correct personal information, to opt out of its "sale" or "sharing", to limit the use of sensitive personal information, and not to be discriminated against for exercising those rights.

In the preceding twelve months we have collected the categories of personal information listed in section 2, for the purposes in section 3, and disclosed them to the categories of recipient in section 6. We have not sold personal information for monetary consideration. Our use of the Meta Pixel for advertising constitutes "sharing" for cross-context behavioural advertising under the CPRA, and you may opt out.

To opt out of sharing, email [PRIVACY EMAIL] with the subject "Do Not Sell or Share My Personal Information", or send a Global Privacy Control signal from your browser, which we honour. You can also decline advertising cookies at any time through the "Cookie preferences" link in the footer of every page.

12. Children

This website and our services are directed to businesses and to individuals aged eighteen (18) or over. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.

13. Changes

We may update this policy from time to time. We will change the "Last updated" date above and, where changes are material, take reasonable steps to notify you. Continued use of the site after changes take effect means you accept the updated policy.

14. Contact us

Privacy enquiries and rights requests: [PRIVACY EMAIL]
Postal address: [REGISTERED ADDRESS]
Data protection officer / EU–UK representative: Not appointed

General questions can also reach us on Telegram at @stratapay, though please do not send identity documents or rights requests there.