Privacy Policy

Sultan Stone Capital ("Sultan Stone Capital," "we," "our," or "us") is an operating brand of Sultan Gateway LLC, a Virginia limited liability company. This Privacy Policy explains how we collect, use, share, and protect personal information you provide when you visit our website or use our services.

If you have questions about this Privacy Policy, contact us at privacy@sultanstonecapital.com.

1. What this policy covers

This policy applies to:

• Our public website at sultanstonecapital.com
• Our applicant portal at app.sultanstonecapital.com (when launched)
• Email and phone communications with us
• Any other interactions you have with Sultan Stone Capital

It does not cover third-party websites we may link to. When you leave our site, the privacy policies of those services apply.

2. Information we collect

2.1 Information you give us directly

• Contact information: name, email, phone number, business name, business address
• Business profile information: business type, years in operation, monthly/annual revenue, number of employees, industry
• Financial information you provide as part of an application: tax returns, bank statements, profit-and-loss statements, balance sheets, loan purpose, requested loan amount and term, EIN, owner credit information (if provided)
• Communications: the content of emails, messages, and calls with us
• Engagement information: consulting engagement details, scheduled calls, retainer agreements

2.2 Information we collect automatically

• Device and browser information: IP address, browser type, operating system, device identifier
• Usage information: pages visited, time spent on pages, referrer URL, click events
• Cookies and similar technologies (see Section 7)

2.3 Information from third parties

• Lender responses to loan submissions we make on your behalf
• Referral source data if a referral partner introduced you
• Payment processor data (for consulting clients — Stripe; we do not store full payment card details)
• Credit-pull data if you authorize us to obtain credit information (we do not pull credit without your written authorization)

3. How we use your information

We use information collected to:

• Communicate with you about your inquiry, application, or engagement
• Evaluate your business for loan brokering or consulting engagements
• Match your application to appropriate lenders on our panel
• Prepare loan packages, underwriting analyses, and consulting deliverables
• Process payments for consulting retainers
• Send transactional and operational emails (status updates, scheduled meeting reminders)
• Send marketing emails to which you've subscribed (you can unsubscribe at any time)
• Improve our website, services, and internal operations
• Comply with legal obligations (including record-keeping required under the Gramm-Leach-Bliley Act, IRS regulations, and applicable state laws)
• Detect and prevent fraud, abuse, or security incidents

We will not use your information for purposes materially different from those above without notifying you and giving you a chance to opt out.

4. How we share your information

We share your information only when necessary. We do not sell your personal information to anyone.

4.1 Lenders we submit applications to

When we submit your loan application to a lender on our panel, we share the relevant portions of your business and financial profile with that specific lender. We tell you which lenders we submit to. Each lender has its own privacy policy governing what it does with your data after we submit.

4.2 Service providers (subprocessors)

We share information with the following types of service providers strictly to operate our business:

• Supabase — database, authentication, and file storage (US-based)
• Vercel — application hosting (US-based)
• Cloudflare — DNS, CDN, and security (US-based)
• Resend — transactional email delivery (US-based)
• Stripe — payment processing for consulting retainers (US-based)
• Calendly — scheduled call booking (US-based)
• PostHog — privacy-friendly product analytics
• Sentry — error monitoring
• Documenso / DocuSign — e-signature for engagement letters and disclosures

Each of these providers has security and privacy commitments comparable to or stricter than ours. Updated subprocessor lists are available on request.

4.3 Legal and compliance disclosures

We may share information if required by law, court order, valid subpoena, or regulator request, or to protect the safety, rights, or property of our clients, our firm, or the public.

4.4 Business transfers

If Sultan Gateway LLC is acquired, merged, or undergoes a corporate restructuring, your information may be transferred to the new entity. We will notify you in advance of any such transfer affecting your data.

4.5 With your consent

We may share information in other ways with your explicit consent.

5. How long we keep your information

We retain information only as long as we need it for legitimate business purposes or legal requirements:

• Inquiry leads (no application started): 24 months from last contact, then deleted
• Application records and financial documents: 7 years from last engagement, per IRS and lender record-keeping requirements
• Consulting engagement records: 7 years from engagement end
• Email communications: 7 years from last communication
• Website analytics data (anonymous): 26 months (PostHog default)
• Audit logs: 7 years (compliance requirement)

After these periods, we securely delete or anonymize records. You can request earlier deletion of your data (see Section 8) subject to legal retention requirements that may override your request for certain records.

6. How we protect your information

We take security seriously. Our protections include:

• Encryption in transit: all data between you and our services is encrypted via TLS 1.2+
• Encryption at rest: all database records and file storage are encrypted with AES-256
• Access controls: internal access to applicant data is restricted to authorized Sultan Stone Capital personnel only, on a need-to-know basis
• Audit logging: every access to sensitive applicant data is logged for compliance review
• Magic-link authentication: we do not use traditional passwords for client accounts, reducing the risk of credential theft
• Two-factor authentication required for all administrative accounts
• Separation of sensitive data: highly sensitive information (EINs, full tax return data) is stored in a separate, more strictly access-controlled database schema
• Vendor security review: we review the security and compliance posture of each service provider listed in Section 4
• Annual review: we review and update our security practices at least once per year

Despite these protections, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but we commit to industry-standard practices and continuous improvement.

If a data breach affects your information, we will notify you and applicable regulators in accordance with the Gramm-Leach-Bliley Act and applicable state breach notification laws.

7. Cookies and tracking technologies

Our website uses a limited set of cookies and similar technologies:

7.1 Essential cookies

Required for the site to function (e.g., session cookies for authenticated portal access). Cannot be disabled.

7.2 Analytics cookies

We use PostHog (a privacy-friendly analytics tool) to understand how visitors use our site. PostHog is configured to respect Do Not Track requests and to anonymize IP addresses where possible.

7.3 Cookie controls

You can control cookies via your browser settings. Disabling essential cookies will break authenticated portal features. Disabling analytics cookies has no impact on services.

We do not use cookies for advertising retargeting and we do not embed third-party advertising trackers.

8. Your rights

You have the following rights regarding your personal information:

8.1 Right to access

Request a copy of the personal information we hold about you. We respond within 30 days.

8.2 Right to correct

Request that we correct inaccurate or incomplete information.

8.3 Right to delete

Request deletion of your personal information, subject to legal retention requirements (see Section 5).

8.4 Right to data portability

Request a machine-readable copy of information you've provided us.

8.5 Right to opt out

• Marketing emails: unsubscribe link in every marketing email, or email privacy@sultanstonecapital.com
• Transactional emails (status updates, account-related): cannot be opted out of without closing your account, as they are required to operate the service

8.6 California residents

You have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is sold or shared. We do not sell your personal information. California-specific requests should reference your residency and we will process them in accordance with CCPA timeframes.

8.7 How to exercise these rights

Email privacy@sultanstonecapital.com with your request. We will verify your identity before processing (to prevent fraudulent requests against your data). We do not charge a fee for reasonable requests.

9. Children's privacy

Our services are intended for businesses and their adult owners. We do not knowingly collect information from anyone under 18. If we learn we have collected such information, we will promptly delete it.

10. International users

Sultan Stone Capital operates from the United States. Our services and data storage are US-based. If you access our services from outside the US, your information will be transferred to and processed in the US. By using our services, you consent to this transfer.

We do not currently offer services to clients outside the US.

11. Changes to this Privacy Policy

We may update this Privacy Policy as our practices evolve or as required by law. When we make material changes, we will:

• Update the "Last Updated" date at the top of this policy
• Email affected users when changes substantially affect how we handle their data
• Continue to honor commitments made in the previous version of the policy for information collected under that version

We encourage you to review this policy periodically.

12. Contact us

For privacy questions, requests, or complaints:

Sultan Stone Capital
c/o Sultan Gateway LLC
Email: privacy@sultanstonecapital.com
General contact: sultan@sultanstonecapital.com

If you believe we have violated this Privacy Policy or applicable law, you may also file a complaint with the appropriate regulator (e.g., your state attorney general or the Federal Trade Commission).