Skip to main content

How is my data protected?

When you form an LLC, you're trusting us with sensitive personal and business information — your full legal name, social security number (or EIN), home or…

How is my data protected?

When you form an LLC, you're trusting us with sensitive personal and business information — your full legal name, social security number (or EIN), home or business address, and ownership details. Here's how we protect it.

Quick summary

  • Encryption: all data encrypted in transit (TLS 1.2+) and at rest (AES-256)

  • Access controls: only authorized FormationHub staff can access your account; access is logged

  • PCI compliance: payments processed through a PCI-DSS Level 1 compliant provider (we don't store card numbers)

  • PII allowlist: sensitive data (EIN values, SSN, signed documents) never leaves our systems — never sent to marketing tools, never logged in plaintext

  • No data selling: we don't sell customer data to third parties

  • Your rights: you can ask us to access, correct, or delete your data at any time by contacting [email protected]

Where your data lives

Production database

  • Hosted on US-based managed-database infrastructure

  • Encrypted at rest with AES-256

  • Daily backups, retained 7 days

  • Access restricted to authorized engineering staff only

  • Database admin actions are logged and reviewable

Document storage

  • All uploaded documents (Articles of Organization, EIN confirmation letters, signed Operating Agreements) live in encrypted cloud storage

  • Encrypted at rest

  • Files are NOT publicly accessible — only fetchable through authenticated API endpoints

  • Auto-purge for orphaned files

Payment data

  • We use a PCI-DSS Level 1 compliant payment processor

  • We don't store card numbers on our infrastructure

  • We only see the last 4 digits of cards (for display purposes)

  • Accepted payment methods: credit/debit card and Apple Pay

Customer data platform (CDP)

  • Lifecycle events flow to our marketing and support tools

  • A schema-enforced PII allowlist keeps these keys out of that pipeline entirely:

  • EIN values / tax IDs

  • SSN / ITIN

  • Date of birth

  • Signed PDF URLs

  • Passport / driver's license numbers

  • Only safe identifiers (email, phone, customer id, business name, state code) flow to destinations

Email / SMS / Phone

  • Transactional email via a managed email-delivery provider (auth links, receipts)

  • SMS via a managed SMS provider (where used)

  • Chat and voice via our customer-support platform — recorded for quality

What data we collect

Identification (required)

  • Full legal name

  • Email address

  • Phone number

  • Home address (for IRS / state filing requirements)

Business details (required to file)

  • Proposed business name

  • State of formation

  • Member / owner names and addresses

  • Business purpose

  • Registered Agent address (we provide this if you use our RA service)

Beneficial Owner Information (required for BOI filing only, if you buy that service)

  • Photo of government-issued ID

  • Date of birth

  • Tax identifier (SSN or ITIN)

Payment data (handled by our payment processor)

  • Card brand and last 4 digits (we see this)

  • Full card number (our payment processor sees this; we don't)

Optional

  • Profile photo

What we DON'T collect

  • Browsing history outside FormationHub's domains

  • Social media account info (unless you opt in to share)

  • Bank account credentials (we don't initiate ACH withdrawals)

  • Health information, biometrics, or other sensitive categories beyond what's needed for filings

Who has access

Your data

  • You (via authenticated portal)

  • Authorized FormationHub support staff — only for the duration of resolving your ticket; access is logged

  • Engineering staff — read-only access to production for debugging, write access only via deployed code

Vendors we work with

We work with a small number of vendors to run FormationHub, and each only receives what it needs to do its specific job:

  • A PCI-DSS Level 1 compliant payment processor (payments)

  • A US-based cloud-storage provider (document storage)

  • A managed marketing-email platform (only safe attributes)

  • A customer-support platform for chat / help center (only safe attributes)

  • An error-monitoring provider (PII-stripped before transmission)

  • A transactional-email provider (auth links, receipts)

Questions about a specific vendor? Email [email protected].

Who we WILL NOT share with

  • Marketing data brokers

  • Targeting / advertising networks (beyond Google Ads conversion-pixel for our OWN remarketing, not for third-party targeting)

  • Other service providers (CPAs, attorneys, etc.) — only with your explicit consent

Legal compliance disclosures

We may disclose data when: - Compelled by a valid US legal subpoena - Required by FinCEN for BOI reporting (this is what BOI IS) - Required by the IRS in response to a legitimate inquiry about a specific filing - Necessary to investigate suspected fraud or abuse of our service

We do NOT proactively share customer data with law enforcement without a court order.

Your data rights

Access

  • Request a copy of the data we hold about you: email [email protected] and we'll send it to you

  • Get a list of the vendors we use: in this article

Correct

  • Update your name and phone number yourself in the portal (Account Settings)

  • Email address changes and business name changes require contacting support — open a chat or email [email protected]

Delete

  • Request account deletion: email [email protected]

  • We delete most data within 30 days

  • Some data (formation records, tax-related records) we're required to keep for a period set by law before it can be deleted

  • Payment records stay with our payment processor per their retention policy

Portability

If you'd like a copy of your data to move to another service, email [email protected] and we'll provide what we can in a standard, machine-readable format.

Stop marketing

  • Click "unsubscribe" in any marketing email

  • Or email [email protected] and we'll update your communication preferences

  • Note: transactional emails (receipts, filing confirmations, support replies) are sent regardless of marketing preferences

Incidents and breaches

We take data security seriously and work to prevent incidents before they happen. If a security incident ever affected your data, we would notify affected customers, explain what data was involved, and let you know what to do next.

If you're ever concerned that your information may have been affected by an incident — ours or someone else's — contact us right away at [email protected].

How to report a security concern

  • Suspected vulnerability: email [email protected]

  • Phishing / impersonation: forward the email to [email protected]

  • Lost or stolen device with FormationHub access: change your password immediately, then email [email protected]

  • You think you've been the victim of fraud using your FormationHub account: call us at +1 (888) 695-5281 — our chat and phone lines are answered live — or email [email protected] (we typically reply within about an hour)

Signing in securely

You can sign in to your FormationHub account two ways:

  • With your password

  • With a one-time email link — request one at the sign-in page. The link is valid for 1 hour and can be used as many times as you need within that hour; just request a fresh one anytime if it expires

Because the email link can sign you in, keep your email account secure too — use a strong, unique password on your inbox and be cautious about who has access to it.

Phishing awareness

The most common attack pattern against FormationHub customers is phishing:

  • ⚠️ Emails asking you to "verify your EIN" — we never email asking for your EIN

  • ⚠️ Emails with urgent language ("Your LLC is about to be dissolved! Click here!") — real notices come from state Secretaries of State, not from "LLC Compliance Department"

  • ⚠️ Calls claiming to be from the IRS asking for SSN — real IRS calls don't ask for SSN

  • ⚠️ DMs on social media offering "expedited formation" — never legitimate

Legitimate FormationHub emails only come from [email protected] or [email protected]. If you get something claiming to be from us from any other address, don't click any links — forward it to [email protected] instead.

When in doubt, sign in to your portal directly (don't click email links) and check status. Or open a chat with us to verify.

Common questions

"Is my data shared with other countries?"

Our primary infrastructure is US-based. A small number of the vendors we use may process data outside the US as part of their standard operations, using appropriate safeguards for any cross-border transfer.

"How long do you keep my data?"

  • Active customers: kept for as long as you're using our service

  • Inactive customers (no service activity for 3+ years): we email asking if you want to delete or keep

  • Closed accounts: most data deleted within 30 days; records we're legally required to keep are retained only as long as the law requires

  • Payment records: per our payment processor's retention policy

"Can I get my data deleted right after my LLC is dissolved?"

Yes — email [email protected] to start the process. Keep in mind some records may need to be kept for a period required by tax law even after you request deletion.

Next steps

Did this answer your question?