Sultan Gateway LLC, operating as Sultan Stone Capital, is committed to protecting your nonpublic personal information ("NPI") in accordance with the federal Gramm-Leach-Bliley Act ("GLBA"). This Notice explains what NPI we collect about you, how we use it, with whom we share it, and how we protect it.
This Notice is required by federal law. It supplements (but does not replace) our general Privacy Policy.
What is "nonpublic personal information"?
Under GLBA, NPI is personally identifiable financial information that is not publicly available, including:
- Information you provide on applications or other forms (e.g., income, business revenue, tax returns, bank statements)
- Information about transactions between you and us, or between you and another party we connect you with (e.g., loan applications, funded loans, consulting engagements)
- Information we obtain from credit bureaus (only if you authorize us to pull credit)
- EIN, business tax ID, owner SSN if collected for credit purposes
Information we collect
We collect NPI from you when you:
- Submit an inquiry on our website
- Complete an application in our applicant portal
- Upload financial documents (tax returns, bank statements, profit-and-loss statements, balance sheets)
- Provide information during a consultation
- Authorize us to pull credit on you or your business
We also receive information about you from:
- Lenders we submit your application to (their responses, decisions, and terms offered)
- Referral partners who introduce you to us
- Payment processors (for consulting clients) — limited to transaction confirmations
How we use and share your information
We use your NPI to provide our services to you. We share NPI as follows:
Affiliates
Sultan Stone Capital does not have affiliates that receive your NPI for their own marketing.
Nonaffiliated third parties — when permitted by law
We share NPI with nonaffiliated third parties only as permitted by GLBA, including:
- Lenders to whom we submit your loan application, solely for the purpose of evaluating your application. We tell you which lenders we submit to.
- Service providers that help us operate our business (database, email, payment processing, storage) — all bound by confidentiality obligations
- As required by law (court orders, subpoenas, regulatory requests)
- For fraud prevention or to protect against security threats
- With your written consent
Marketing exception
We do NOT share your NPI with any nonaffiliated third party for that party's own marketing purposes. Because of this, GLBA's opt-out right for marketing-related sharing does not apply.
Your rights
Under federal and applicable state law, you have the right to:
- Access the NPI we hold about you
- Request correction of inaccurate information
- Request a copy of this Notice at any time
- Receive notice if we materially change our information-sharing practices
To exercise any of these rights, contact us at privacy@sultanstonecapital.com.
Our security commitment — Safeguards Rule
GLBA's Safeguards Rule requires us to maintain appropriate administrative, technical, and physical safeguards to protect your NPI. We do this by:
- Restricting access to NPI to authorized personnel only, on a need-to-know basis
- Encrypting data in transit (TLS 1.2+) and at rest (AES-256)
- Storing highly sensitive information (EINs, tax data) in a separate, more strictly access-controlled database schema
- Logging all access to NPI for compliance audit purposes
- Requiring two-factor authentication for all administrative accounts
- Using magic-link authentication for client accounts to reduce credential theft risk
- Reviewing third-party service providers annually for security and privacy posture
- Maintaining incident response procedures for suspected or confirmed data breaches
- Training personnel on data handling practices
- Reviewing and updating these safeguards at least annually
We carry cyber liability insurance to provide additional financial protection in the event of a breach.
What happens if there is a data breach?
In the unfortunate event of a security incident that may affect your NPI, we will:
- Notify you without unreasonable delay (typically within 30 days of confirmation)
- Notify applicable state regulators as required by state breach-notification laws
- Cooperate with law enforcement as required
- Take steps to mitigate harm and prevent recurrence
- Provide guidance on protective steps you may take (credit freezes, identity monitoring, etc.)
How long we keep your information
We retain NPI:
- During your active engagement with us
- After engagement ends, for the period required by IRS, lender, or state regulator record-keeping requirements (typically 7 years)
- Then securely deleted or anonymized
Contact us
If you have questions or concerns about your nonpublic personal information:
Sultan Stone Capital
c/o Sultan Gateway LLC
Privacy contact: privacy@sultanstonecapital.com
If you believe we have violated GLBA or otherwise mishandled your NPI, you may file a complaint with:
- Federal Trade Commission (FTC): ftc.gov/complaint
- Your state attorney general
← back to home