Privacy Policy
Privacy Policy of Fortress Loan and Finance LLC
Effective Date: May 28, 2026
Last Updated: May 28, 2026
1. Introduction & Scope
Fortress Loan and Finance LLC ("Fortress," "Company," "we," "us," or "our"), a Colorado limited liability company with its principal office at 2265 Lima St, Aurora, CO 80010-1334, operates the Fortress mobile application (the "App"), available on the Apple App Store, and related websites at fortressloanandfinance.com (together, the "Services").
The App is a loan-matching and lead-generation platform. When you submit information through Fortress, we use it to help you explore financial products from independent third-party lenders, financial institutions, and marketing partners. As described in our Privacy Policy and Terms, we may share your information with these partners in connection with our matching services—including arrangements where partners compensate us for referrals. Fortress is not a lender. We do not originate loans, make credit decisions, set rates or fees, or guarantee approval or funding.
This Privacy Policy explains what personal information we collect, how we use it, how we protect it, and—importantly—how and to whom we sell it. Because selling consumer data to third parties is central to our business model, we describe those practices plainly in Section 5. Please read this Policy carefully before using the App.
By downloading, installing, accessing, or using the App, you agree to this Privacy Policy and our Terms of Use. If you do not agree, do not use the Services. The App is intended for United States residents who have reached the age of majority in their state of residence (18 or older in most states).
2. Laws & Regulatory Framework
Our data practices are designed to align with applicable U.S. federal and state requirements, including:
- Gramm-Leach-Bliley Act (GLBA): Information such as your Social Security Number, bank account details, income, and employment data may constitute "nonpublic personal financial information" under GLBA. GLBA may require separate privacy notices and may limit certain state privacy rights with respect to that information.
- California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA): Including definitions of "sale," "sharing," and "sensitive personal information," and consumer rights to know, delete, correct, and opt out.
- Fair Credit Reporting Act (FCRA): Where we interact with consumer reporting agencies or "consumer reports," FCRA rights and obligations may apply.
- Federal Trade Commission (FTC) rules and guidance on data brokers, lead generation, and unfair or deceptive practices.
- CAN-SPAM Act (commercial email) and Telephone Consumer Protection Act (TCPA) (calls and texts), where applicable to our communications.
- State comprehensive privacy laws in Virginia, Colorado, Connecticut, Texas, and other jurisdictions that may grant additional rights.
Depending on the type of information and how it is used, GLBA, FCRA, or other federal frameworks may preempt or limit certain state-law privacy rights. Where a conflict exists, we apply the standard that provides the greater protection required by law.
3. Information We Collect
3a. Information You Provide Directly
When you use the App or submit a request through our Services, you may provide the following categories of information:
Personal identifiers
- Full legal name (first, middle, and last)
- Date of birth
- Email address
- Phone number (mobile and/or home)
- Full residential address, including street, city, state, and ZIP code
Government & identity documents
- Social Security Number (SSN)
- Driver's license number and issuing state
We collect your SSN to verify your identity, satisfy know-your-customer (KYC) requirements imposed by lender partners, and help prevent fraud. SSN is transmitted using encryption in transit. We collect driver's license information to confirm identity, verify state eligibility, and meet KYC obligations required by partners who purchase leads.
Financial & employment information
- Bank account number (full account number)
- Bank routing number
- Bank name and account type (checking or savings)
- Employer name
- Employer phone number
- Employment status and job title
- Monthly or annual gross income
- Source of income (employment, self-employment, benefits, or other)
- Purpose of the loan or cash advance request
We collect full bank account and routing numbers so lender partners can verify account ownership, assess eligibility, and—if you accept an offer—potentially set up ACH disbursement or repayment. Employer name and employer phone number may be used by lenders for income and employment verification.
3b. Information Collected Automatically
When you interact with the App or our websites, we and our service providers may automatically collect:
- Device identifiers, operating system, device model, and App version
- Internet Protocol (IP) address and network connection type
- Usage patterns, session duration, screens viewed, and clickstream data
- Approximate location derived from IP address or device signals
- Cookies, mobile software development kits (SDKs), pixels, and similar technologies
3c. Information from Third Parties
We may receive information about you from:
- Identity verification and fraud-prevention vendors
- Consumer reporting agencies and alternative data providers (in FCRA-governed contexts)
- Marketing affiliates, publishers, or referral partners who direct users to the App
4. How We Use Your Information
We use personal information for the following purposes:
- To create, authenticate, and manage your account
- To verify your identity (KYC), detect fraud, and assess basic eligibility signals
- To package your information into a lead and match you with lender and marketing partners
- To sell your personal information to third-party lenders, financial institutions, and marketing partners (see Section 5)
- To process referrals, route your request, and facilitate connections with buyers
- To send transactional messages and, where you have consented, marketing communications
- To analyze App performance, conduct research, and improve our Services
- To comply with legal obligations, respond to lawful requests, and enforce our Terms of Use
5. Sale and Sharing of Personal Information
Fortress sells personal information. This is not incidental to our business—it is a core part of how the App operates. We want you to understand exactly what that means.
5.1 We Sell Your Personal Information
Fortress Loan and Finance LLC sells personal information as defined by the CCPA/CPRA and applicable state privacy laws. "Sale" includes disclosing personal information to another business or third party for monetary or other valuable consideration.
We sell data to third-party lenders, financial institutions, marketing partners, data aggregators, and lead buyers. The personal information we sell may include all categories listed in Section 3, including: name, phone number, email address, full address with ZIP code, SSN, driver's license number and state, bank account number, routing number, bank name, employer name, employer phone number, income, employment status, and loan purpose.
In exchange for this data, we may receive monetary compensation, referral fees, per-lead payments, revenue share, or other valuable consideration. The amount or type of compensation we receive may influence which partners receive your data first, how quickly your lead is distributed, or how offers are ranked or displayed in the App.
5.2 Categories of Third Parties Who Buy or Receive Your Data
Buyers and recipients of sold data may include:
- Licensed lenders and financial institutions offering personal loans, installment loans, cash advances, lines of credit, and related products
- Insurance companies and providers of other financial products
- Debt relief, debt settlement, and credit counseling companies
- Marketing partners that may contact you with financial or non-financial offers
- Data brokers and aggregators who may resell or further distribute the information they purchase from us
Once your information is sold, the buyer's own privacy policy governs how that party uses, retains, and shares your data. We do not control—and are not responsible for—how purchasers use your information after the sale. Some buyers may resell data to additional parties. You should review each recipient's privacy practices before accepting any offer.
5.3 Your Right to Opt Out of Sale
If you are a California resident—or reside in another state that provides a comparable right—you may opt out of the sale of your personal information.
To submit an opt-out request, email [email protected] with the subject line "Do Not Sell My Information," or use the in-app opt-out link in Settings (when available).
We will process verified opt-out requests within 15 business days. Opting out stops future sales of your personal information but does not delete data already sold to third parties before your request was processed. Even after you opt out, we may still share information as required by law, to complete a transaction you initiated, to prevent fraud, or to provide core App functionality you request.
6. Legal Basis for Processing
Depending on context and applicable law, we rely on one or more of the following bases:
- Consent: You provide consent when you submit information through the App and agree to this Policy. You may withdraw consent, but doing so may prevent us from providing matching services.
- Contractual necessity: Processing is necessary to deliver the loan-matching and lead-generation services you request.
- Legal obligation: Processing required for KYC/AML compliance, regulatory recordkeeping, and responses to lawful process.
- Legitimate business interests: Including fraud prevention, network security, service improvement, and enforcement of our agreements—balanced against your privacy rights.
7. Data Retention
We retain personal information only as long as reasonably necessary for the purposes described in this Policy, unless a longer period is required by law. Retention periods vary by data type:
- Full applicant profile (name, SSN, address, bank info, income, employment): Duration of the business relationship plus 5 to 7 years after last activity, or longer if required by law or an active legal hold. Example: if you last used the App in January 2025, profile data may be retained until at least January 2030–2032.
- Lead and sale records (buyer identity, sale date, compensation): 5 to 7 years for FTC recordkeeping and dispute resolution.
- Marketing and communication records (consent logs, email/SMS opt-ins): 2 to 3 years after last interaction, or until opt-out plus 90 days.
- Device and usage logs (IP, session data, clickstream): 12 to 24 months.
- Opt-out records (Do Not Sell requests): Minimum 5 years to demonstrate compliance. Example: an opt-out received in March 2025 is logged until at least March 2030.
- Support communications: 3 years after ticket resolution.
Where applicable law mandates longer retention, the legal minimum controls. We may retain anonymized or aggregated data that no longer identifies you for analytics and reporting.
8. Data Security
We implement administrative, technical, and physical safeguards designed to protect personal information, including:
- Encryption in transit using TLS 1.2 or higher; encryption at rest using AES-256 where applicable
- Role-based access controls and least-privilege access for personnel
- System monitoring, logging, and periodic security reviews
- Vendor due diligence and contractual data-security obligations for service providers and, where feasible, data buyers
You are responsible for safeguarding your device credentials and account access. Notify us immediately at [email protected] if you suspect unauthorized access to your information.
No method of transmission or storage is completely secure. If a data breach affects sensitive personal information, we will notify affected individuals and regulators as required by applicable law.
9. Your Privacy Rights
Subject to applicable law and successful identity verification, you may have the right to:
- Know / Access: Request the categories and specific pieces of personal information we hold, and learn to whom we have sold or disclosed it—including buyer categories and, where technically feasible, specific third-party recipients
- Delete: Request deletion of personal information we maintain, subject to legal and contractual exceptions. Data already sold to third parties cannot be retrieved or "undeleted" from buyers' systems
- Correct: Request correction of inaccurate personal information
- Portability: Receive certain information in a structured, commonly used, machine-readable format
- Opt out of sale: As described in Section 5.3
- Non-discrimination: Exercise privacy rights without discriminatory treatment. Some features require data processing; opting out of sale or deletion may limit functionality
Submit requests to [email protected] with the subject line "Privacy Request." We will verify your identity before fulfilling a request. Authorized agents may submit requests on your behalf where state law permits, with proof of authority. We respond within 45 days for California residents and within 30 days where other state laws apply, subject to permitted extensions.
10. Marketing Opt-Outs
- Email: Use the unsubscribe link in any marketing email. We process email opt-outs within 10 business days under CAN-SPAM. Transactional and service-related emails may continue.
- SMS: Reply STOP to opt out of marketing texts; reply HELP for assistance under TCPA rules. One-time passwords and transactional texts are not affected.
- Push notifications: Manage through your device operating system settings.
- Phone marketing calls: Email [email protected] to opt out of telemarketing. Auto-dialed marketing calls require prior express written consent under TCPA.
Important: Opting out of marketing communications does not stop the sale of your personal information. To opt out of sale, submit a separate "Do Not Sell My Information" request under Section 5.3.
11. California Residents (CCPA / CPRA)
If you are a California resident, the following additional rights apply under the CCPA as amended by the CPRA.
Right to Know: You may request the categories and specific pieces of personal information collected; categories of sources; business or commercial purposes; and categories of third parties to whom we sell or disclose information—including the fact that we sell data and the categories of buyers.
Right to Delete: You may request deletion of personal information we maintain, subject to CCPA-permitted exceptions (legal compliance, fraud prevention, transaction completion, and similar grounds).
Right to Correct: You may request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: We sell personal information under the CCPA's definition. Opt out via [email protected] or the in-app "Do Not Sell" link. We process opt-outs within 15 business days.
Right to Limit Use of Sensitive Personal Information: SSN, driver's license number, and full bank account number are "sensitive personal information" under CPRA. You may request that we limit use of sensitive information to purposes permitted by CPRA.
Right to Non-Discrimination: We will not discriminate against you for exercising CPRA rights.
Contact [email protected] with the subject "California Privacy Request." We respond within 45 days. California residents are entitled to two free access requests per 12-month period. GLBA and FCRA may limit certain CPRA rights with respect to financial information covered by those statutes.
12. Other State Privacy Rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other states with comprehensive privacy laws may have rights similar to those described above, including rights to access, delete, correct, obtain a portable copy, and opt out of targeted advertising, sale of personal data, or certain profiling.
To exercise rights under your state's law, email [email protected] with your state of residence and the nature of your request. We will respond within the timeframe required by applicable law.
13. Do Not Track and Global Privacy Control
There is no universally accepted standard for "Do Not Track" (DNT) browser signals. We do not currently respond to DNT signals.
We honor Global Privacy Control (GPC) signals from California residents as a valid opt-out of sharing personal information for cross-context behavioral advertising under the CCPA/CPRA, to the extent required by law.
14. GLBA and FCRA Notices
GLBA: Your SSN, bank account number, routing number, income, and employment information may be "nonpublic personal financial information" under the Gramm-Leach-Bliley Act. We may provide a separate GLBA Initial Privacy Notice that governs certain financial information. Where GLBA applies, it may limit state privacy rights with respect to that information.
FCRA: If we share information with consumer reporting agencies or obtain "consumer reports," your rights under the Fair Credit Reporting Act apply, including the right to dispute inaccurate information in your file. Hard credit inquiries are performed only with your express prior authorization.
GLBA and FCRA may preempt or limit certain state privacy rights, including some CCPA/CPRA rights, with respect to information subject to those federal frameworks.
15. Cookies and Tracking Technologies
We use cookies, mobile SDKs, pixels, device fingerprinting signals, and similar technologies to:
- Authenticate sessions and maintain App functionality
- Detect fraud and abuse
- Measure analytics and advertising attribution
- Understand how users interact with our Services
You can manage cookies through browser settings (for web) and privacy or advertising settings on your mobile device (for the App). Disabling certain technologies may limit functionality or prevent access to some features.
16. Children's Privacy
The App is designed for adults 18 years of age and older. It is not directed to children, and we do not knowingly collect personal information from anyone under 18 in violation of the Children's Online Privacy Protection Act (COPPA).
If we learn that we have collected information from a minor, we will take steps to delete it promptly. Parents or guardians who believe a minor has submitted information should contact [email protected].
17. International Users
The Services are directed to users in the United States. Personal information is processed and stored in the United States. By using the App, you consent to the transfer and processing of your information in the U.S., which may have different data-protection standards than your home country.
18. Policy Updates
We may update this Privacy Policy from time to time. When we make material changes, we will update the Effective Date at the top of this page and may notify you through the App or by email where appropriate. Your continued use of the Services after the revised Policy is posted constitutes acceptance of the changes, unless applicable law requires additional consent.
19. Contact Us
For privacy rights requests, opt-out of sale, or questions about this Policy:
Fortress Loan and Finance LLC
2265 Lima St, Aurora, CO 80010-1334
Privacy requests: [email protected]
General support: [email protected]
Website: fortressloanandfinance.com