How is my data protected?
When you form an LLC, you're trusting us with sensitive personal and business information — your full legal name, social security number (or EIN), home or business address, and ownership details. Here's how we protect it.
Quick summary
Encryption: all data encrypted in transit (TLS 1.2+) and at rest (AES-256)
Access controls: only authorized FormationHub staff can access your account; access is logged
PCI compliance: payments processed through a PCI-DSS Level 1 compliant provider (we don't store card numbers)
PII allowlist: sensitive data (EIN values, SSN, signed documents) never leaves our systems — never sent to marketing tools, never logged in plaintext
No data selling: we don't sell customer data to third parties
Your rights: you can ask us to access, correct, or delete your data at any time by contacting [email protected]
Where your data lives
Production database
Hosted on US-based managed-database infrastructure
Encrypted at rest with AES-256
Daily backups, retained 7 days
Access restricted to authorized engineering staff only
Database admin actions are logged and reviewable
Document storage
All uploaded documents (Articles of Organization, EIN confirmation letters, signed Operating Agreements) live in encrypted cloud storage
Encrypted at rest
Files are NOT publicly accessible — only fetchable through authenticated API endpoints
Auto-purge for orphaned files
Payment data
We use a PCI-DSS Level 1 compliant payment processor
We don't store card numbers on our infrastructure
We only see the last 4 digits of cards (for display purposes)
Accepted payment methods: credit/debit card and Apple Pay
Customer data platform (CDP)
Lifecycle events flow to our marketing and support tools
A schema-enforced PII allowlist keeps these keys out of that pipeline entirely:
EIN values / tax IDs
SSN / ITIN
Date of birth
Signed PDF URLs
Passport / driver's license numbers
Only safe identifiers (email, phone, customer id, business name, state code) flow to destinations
Email / SMS / Phone
Transactional email via a managed email-delivery provider (auth links, receipts)
SMS via a managed SMS provider (where used)
Chat and voice via our customer-support platform — recorded for quality
What data we collect
Identification (required)
Full legal name
Email address
Phone number
Home address (for IRS / state filing requirements)
Business details (required to file)
Proposed business name
State of formation
Member / owner names and addresses
Business purpose
Registered Agent address (we provide this if you use our RA service)
Beneficial Owner Information (required for BOI filing only, if you buy that service)
Photo of government-issued ID
Date of birth
Tax identifier (SSN or ITIN)
Payment data (handled by our payment processor)
Card brand and last 4 digits (we see this)
Full card number (our payment processor sees this; we don't)
Optional
Profile photo
What we DON'T collect
Browsing history outside FormationHub's domains
Social media account info (unless you opt in to share)
Bank account credentials (we don't initiate ACH withdrawals)
Health information, biometrics, or other sensitive categories beyond what's needed for filings
Who has access
Your data
You (via authenticated portal)
Authorized FormationHub support staff — only for the duration of resolving your ticket; access is logged
Engineering staff — read-only access to production for debugging, write access only via deployed code
Vendors we work with
We work with a small number of vendors to run FormationHub, and each only receives what it needs to do its specific job:
A PCI-DSS Level 1 compliant payment processor (payments)
A US-based cloud-storage provider (document storage)
A managed marketing-email platform (only safe attributes)
A customer-support platform for chat / help center (only safe attributes)
An error-monitoring provider (PII-stripped before transmission)
A transactional-email provider (auth links, receipts)
Questions about a specific vendor? Email [email protected].
Who we WILL NOT share with
Marketing data brokers
Targeting / advertising networks (beyond Google Ads conversion-pixel for our OWN remarketing, not for third-party targeting)
Other service providers (CPAs, attorneys, etc.) — only with your explicit consent
Legal compliance disclosures
We may disclose data when: - Compelled by a valid US legal subpoena - Required by FinCEN for BOI reporting (this is what BOI IS) - Required by the IRS in response to a legitimate inquiry about a specific filing - Necessary to investigate suspected fraud or abuse of our service
We do NOT proactively share customer data with law enforcement without a court order.
Your data rights
Access
Request a copy of the data we hold about you: email [email protected] and we'll send it to you
Get a list of the vendors we use: in this article
Correct
Update your name and phone number yourself in the portal (Account Settings)
Email address changes and business name changes require contacting support — open a chat or email [email protected]
Delete
Request account deletion: email [email protected]
We delete most data within 30 days
Some data (formation records, tax-related records) we're required to keep for a period set by law before it can be deleted
Payment records stay with our payment processor per their retention policy
Portability
If you'd like a copy of your data to move to another service, email [email protected] and we'll provide what we can in a standard, machine-readable format.
Stop marketing
Click "unsubscribe" in any marketing email
Or email [email protected] and we'll update your communication preferences
Note: transactional emails (receipts, filing confirmations, support replies) are sent regardless of marketing preferences
Incidents and breaches
We take data security seriously and work to prevent incidents before they happen. If a security incident ever affected your data, we would notify affected customers, explain what data was involved, and let you know what to do next.
If you're ever concerned that your information may have been affected by an incident — ours or someone else's — contact us right away at [email protected].
How to report a security concern
Suspected vulnerability: email [email protected]
Phishing / impersonation: forward the email to [email protected]
Lost or stolen device with FormationHub access: change your password immediately, then email [email protected]
You think you've been the victim of fraud using your FormationHub account: call us at +1 (888) 695-5281 — our chat and phone lines are answered live — or email [email protected] (we typically reply within about an hour)
Signing in securely
You can sign in to your FormationHub account two ways:
With your password
With a one-time email link — request one at the sign-in page. The link is valid for 1 hour and can be used as many times as you need within that hour; just request a fresh one anytime if it expires
Because the email link can sign you in, keep your email account secure too — use a strong, unique password on your inbox and be cautious about who has access to it.
Phishing awareness
The most common attack pattern against FormationHub customers is phishing:
⚠️ Emails asking you to "verify your EIN" — we never email asking for your EIN
⚠️ Emails with urgent language ("Your LLC is about to be dissolved! Click here!") — real notices come from state Secretaries of State, not from "LLC Compliance Department"
⚠️ Calls claiming to be from the IRS asking for SSN — real IRS calls don't ask for SSN
⚠️ DMs on social media offering "expedited formation" — never legitimate
Legitimate FormationHub emails only come from [email protected] or [email protected]. If you get something claiming to be from us from any other address, don't click any links — forward it to [email protected] instead.
When in doubt, sign in to your portal directly (don't click email links) and check status. Or open a chat with us to verify.
Common questions
"Is my data shared with other countries?"
Our primary infrastructure is US-based. A small number of the vendors we use may process data outside the US as part of their standard operations, using appropriate safeguards for any cross-border transfer.
"How long do you keep my data?"
Active customers: kept for as long as you're using our service
Inactive customers (no service activity for 3+ years): we email asking if you want to delete or keep
Closed accounts: most data deleted within 30 days; records we're legally required to keep are retained only as long as the law requires
Payment records: per our payment processor's retention policy
"Can I get my data deleted right after my LLC is dissolved?"
Yes — email [email protected] to start the process. Keep in mind some records may need to be kept for a period required by tax law even after you request deletion.
Next steps
Sign in and review your account: https://www.formationhub.com/member/login
Concerned about something specific? Email [email protected] — we typically reply within about an hour.