Privacy Policy

Last updated: January 2026

Information We Collect

We collect information you provide directly to us when you use our business formation and management services:

  • Account Information: Name, email address, password
  • Business Formation Data: Entity type, state of formation, business name, registered agent details, officer/member information, business address
  • Payment Information: Processed securely by Stripe (we do not store full credit card numbers)
  • Documents: Articles of organization, operating agreements, and other formation documents you upload
  • Sensitive Tax Information (EIN applications only): When you order an Employer Identification Number (EIN), either standalone or bundled with a business formation, we temporarily collect the Social Security Number (or ITIN) of the responsible party for your tax ID application. This data is encrypted at rest with AES-256-GCM and automatically purged from our database once the EIN has been issued. We do not collect SSNs for formations that do not include an EIN, for registered agent service, for state compliance, or for any other service.
  • Technical Information: IP address, browser type and version, device and operating system, and session identifiers — collected automatically to operate our platform, maintain security, and prevent fraud.
  • Communication Data: Support requests, feedback, and correspondence

How We Use Your Information

We use your information to:

  • Process your business formation orders through our licensed filing partners
  • Provide registered agent and state compliance services
  • Process payments and manage subscriptions
  • Store and manage your business documents securely
  • Send transactional emails and service notifications
  • Provide customer support
  • Improve our services and user experience

Sensitive Personal Information (California Residents)

Under the California Privacy Rights Act (CPRA), certain categories of personal information are classified as Sensitive Personal Information ("SPI"), including Social Security Numbers and tax identification numbers. When we collect an SSN or ITIN for EIN applications, we use and disclose that information only for the purposes for which it was collected, namely, submitting your EIN application to the IRS through our filing partner, and for related legal compliance, record-keeping, fraud prevention, and security purposes. We do not use your SPI for advertising, profiling, or any purpose that California residents have the right to limit under Cal. Civ. Code §1798.121. Because our use is already limited to permitted purposes, you do not need to separately exercise a Right to Limit to prevent other uses.

Third-Party Service Providers

We work with trusted third-party service providers to deliver our services. Your information may be shared with:

Business Formation Partners

Licensed filing agents who process your business formation orders and submit documents to state agencies on our behalf. We share entity details, officer and member names, business and mailing addresses, and (only when applicable to EIN applications) your encrypted SSN or ITIN with these partners to complete your filings.

Stripe

Payment processor. Handles all payment transactions securely. We do not store your full credit card information.

Amazon Web Services (AWS S3)

Secure document storage. Your formation documents and business filings are stored in encrypted AWS S3 buckets in the US (us-east-2 region).

Resend

Email service provider. Sends transactional emails such as account verification, order confirmations, and service notifications.

Cloudflare

Security and bot protection. Helps protect our website from malicious traffic and ensures secure connections.

Google (Optional)

OAuth authentication. If you choose to sign in with Google, we receive basic profile information (name, email) from Google.

Domain Registration Providers

Domain registrations are fulfilled through an ICANN-accredited third-party registrar. We share the domain name, registrant contact information (name, email, phone, address), and DNS configuration with the registrar to complete registration and handle ongoing management.

Product Analytics

We use privacy-respecting product analytics to understand how our platform is used and to improve the user experience. Analytics data is pseudonymous — authenticated users are referenced by an internal account identifier only, and we do not share your name, email address, or any personally identifying information with our analytics provider. Analytics data is used internally and is not sold or shared with advertisers.

Information Sharing and Disclosure

We never sell your personal information to third parties. We only share your information:

  • With service providers necessary to deliver our services (as listed above)
  • With state agencies when filing your business formation documents
  • When required by law or to protect our legal rights
  • With your explicit consent

Session Replay

To diagnose errors and improve product quality, we use session replay technology on a small sample of sessions and on sessions where a client-side error is detected. Session replays are recorded by our error-monitoring provider on a pseudonymous basis. Form input fields, including passwords, payment card numbers, Social Security Numbers, and any other fields users type into, are automatically masked and are never recorded. Replays are retained only for a short period and are accessible only to authorized CrowSmart personnel for debugging purposes.

Data Security

We implement industry-standard security measures to protect your information:

  • Encrypted data transmission (HTTPS/TLS)
  • Encrypted password storage
  • Secure document storage in AWS S3 with encryption at rest
  • Regular security audits and monitoring
  • Limited employee access to personal data

Data Breach Notification

Despite the security measures described above, no system can be guaranteed to be fully secure. In the event that we discover an unauthorized access, acquisition, use, or disclosure of your personal information that creates a real risk of harm, we will notify you without unreasonable delay, consistent with applicable federal and state data breach notification laws. Notification will be sent to the email address associated with your account and may also be posted on our website or otherwise communicated as required by law. We will also notify applicable state attorneys general, regulators, or other authorities as and when required. Our notification will describe, to the extent then known, the nature of the incident, the categories of information involved, the steps we are taking in response, and actions you can take to protect yourself.

Data Retention

We retain personal information only for as long as necessary to deliver our services, comply with legal and regulatory obligations, resolve disputes, and enforce our agreements. Specific retention periods vary by data category:

  • Account information (name, email, password hash, two-factor secrets): retained for the life of your account. When you delete your account, this information is removed within thirty (30) days, except where longer retention is required by law.
  • Social Security Numbers and tax IDs (EIN applications only): automatically purged from our database once the EIN has been issued by the IRS. SSNs are never retained for longer than is necessary to complete the application.
  • Business formation records and filed documents: retained for up to seven (7) years following formation or the relevant filing, consistent with IRS and state recordkeeping standards. After that period, documents may be deleted or archived.
  • Billing and transaction records: retained for up to seven (7) years to comply with tax and financial recordkeeping obligations. Payment card details are never stored by us; card data is held only by Stripe under its own retention policy.
  • Registered agent and state compliance records: retained for the duration of your subscription and for a reasonable period afterward to document our performance of the service, typically up to seven (7) years after the subscription ends.
  • Domain registrations: retained for as long as the domain is registered in your account, plus a reasonable period afterward to support transfers, renewals, and disputes.
  • Session data and technical logs (IP address, user agent, session tokens): retained for up to ninety (90) days, or longer where needed to investigate security incidents or fraud.
  • Support correspondence: retained for up to three (3) years from the last interaction to assist with future inquiries and improve our services.
  • Audit logs and administrative records: retained for up to seven (7) years to document administrative actions taken on your account and to comply with accountability obligations.
  • Session replays: recorded on a small sample of sessions and on error sessions, retained by our error-monitoring provider for up to ninety (90) days.

You may request deletion of your account and personal data at any time through our contact form, as described in the Your Rights section. Where legal retention obligations apply, we will retain the minimum information needed to satisfy those obligations and delete the rest.

International Data Transfers

Your information is stored on servers located in the United States (AWS us-east-2 region). By using our services, you consent to the transfer and processing of your information in the United States.

Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals to websites you visit. Because there is no industry-standard interpretation of DNT signals, we do not currently respond to DNT signals differently than to other browsing activity. You can manage tracking through the cookie-control mechanisms described in our Cookie Policy and through your browser's privacy settings.

Your Rights

You have the right to:

  • Access your personal information
  • Correct inaccurate information
  • Request deletion of your data (subject to legal retention requirements)
  • Opt out of marketing communications
  • Export your data (data portability)
  • Withdraw consent for optional data processing

To exercise any of these rights, submit a request through our contact form with "Data Request" in the subject line, or email us directly at support@crowsmart.com. We will verify your identity as the account holder before processing the request and respond within thirty (30) days. Some data may be retained after deletion where required by law (for example, formation records may be subject to IRS or state recordkeeping requirements), and we will explain any such retention in our response.

Accessibility

CrowSmart is committed to making our website and services accessible to users of all abilities. We design and test our platform against the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA and currently score approximately 90 on Lighthouse accessibility audits across our primary marketing and dashboard pages. Accessibility is an ongoing effort, and we continue to improve color contrast, keyboard navigation, screen-reader support, and focus management over time. If you experience any accessibility barrier on our site, please contact us through our contact form or at support@crowsmart.com, and we will work to resolve the issue.

Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at support@crowsmart.com.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of our services after changes are posted constitutes acceptance of the updated policy.