Privacy Policy

Effective Date: March 14, 2026  |  Last Updated: March 14, 2026

Entity Lane LLC (“Entity Lane,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at entitylane.com, our client portal, and our business formation and registered agent services (collectively, the “Services”).

1. Categories of Information We Collect

Category	Examples	Purpose	Sold or Shared for Advertising?
Identifiers	Name, email, phone number, mailing address	Account creation, communication, filings	No
Business Information	Entity name, type, state of formation, member/manager names, EIN, registered agent details	Filing formation documents, compliance monitoring, registered agent service	No
Financial Information	Payment method type, billing address, transaction history	Processing payments, invoicing, refunds	No
Documents	Articles of Organization, Operating Agreements, EIN confirmations, Certificates of Authority, service of process documents	Document storage, forwarding, compliance records	No
Usage Data	Pages visited, time on site, clicks, navigation patterns	Improving our website and services	No
Device Information	Browser type, operating system, IP address, device identifiers	Security, fraud prevention, analytics	No
Communications	Emails, support messages, chat transcripts	Customer support, service improvement	No

Sensitive Personal Information

Certain services (such as EIN filing) may require us to process sensitive information including Social Security Numbers or Tax Identification Numbers. This data is:

• Collected only when strictly necessary to complete the specific service you requested.
• Transmitted directly to the IRS or relevant government agency over encrypted connections.
• Never stored on our servers after the filing is complete.
• Never used for any purpose other than the specific filing you authorized.

2. How We Use Your Information

• Service delivery: Process LLC formations, foreign qualifications, registered agent appointments, annual report filings, and other business services you request.
• Compliance monitoring: Track filing deadlines and send automated reminders at 60, 30, and 7 days before due dates.
• Document management: Store, organize, and forward legal and government documents received on your behalf.
• Payment processing: Process transactions, send receipts, and manage billing.
• Communication: Respond to support requests, send service updates, and provide account notifications.
• Service improvement: Analyze aggregated, de-identified usage data to improve our website and services.
• Legal compliance: Fulfill legal obligations and respond to lawful government requests.
• Security: Detect, prevent, and respond to fraud, unauthorized access, and other security incidents.

Legal Basis for Processing

• Contract performance: Processing necessary to provide the services you purchased (formation filings, registered agent service, compliance monitoring).
• Consent: When you voluntarily provide information or opt in to communications.
• Legal obligation: When we are required to retain records or respond to lawful requests.
• Legitimate interest: Improving our services, preventing fraud, and ensuring platform security.

3. What We Do NOT Do

These are absolute commitments, not marketing language:

• We do not sell your personal information to any third party, for any reason, under any circumstance. This includes data brokers, insurance agents, marketers, and lead aggregators.
• We do not share your information for cross-context behavioral advertising or targeted advertising of any kind.
• We do not use advertising trackers for retargeting or behavioral advertising (no Facebook Pixel, ad retargeting pixels, or similar technologies). We use Google Analytics for aggregate website usage analysis only — see Section 6.
• We do not monetize your data in any way beyond providing the services you paid for.
• We do not sell or disclose your EIN, SSN, or tax information to anyone other than the government agency processing your filing.

4. When We Share Information

We share your information only in these limited circumstances:

Recipient	What We Share	Why
State agencies (Secretary of State, tax authorities)	Formation documents, annual reports, foreign qualification filings	Required to file on your behalf
IRS	EIN application data	Required to obtain your EIN
Stripe (payment processor)	Payment card data (transmitted directly from your browser to Stripe)	Payment processing. Stripe is PCI DSS Level 1 certified.
Supabase (infrastructure)	Account and entity data (stored in our database)	Cloud infrastructure. Supabase maintains SOC 2 Type 2 certification.
Google Analytics (website analytics)	De-identified usage data: pages visited, session duration, referral source, general geographic region, device/browser type	Understanding aggregate website traffic and improving our services. We do not enable advertising features, user-ID tracking, or data sharing with Google for ad purposes.
Resend (email delivery)	Email address, message content for transactional emails	Sending account confirmations, compliance alerts, and document notifications
Registered agent service providers	Entity name and registered address	Accept service of process at the physical address designated for your entity
Law enforcement	As required by valid legal process	Compliance with subpoenas, court orders, or applicable law. We will notify you unless legally prohibited.

We do not share your information with any parties not listed above. We do not have affiliate marketing programs, referral data sharing, or third-party analytics providers that receive personally identifiable information.

5. Data Security

Encryption

• In transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all pages and API endpoints with no fallback to unencrypted connections.
• At rest: All data stored in our database is encrypted using AES-256 encryption. Database backups are encrypted before storage.
• Documents: Business formation documents, legal filings, and uploaded files are encrypted at rest in secure cloud storage with access restricted to your authenticated account.

Payment Security

• All payment processing is handled by Stripe, a PCI DSS Level 1 certified service provider (the highest level of payment security certification).
• Your credit card number is transmitted directly from your browser to Stripe. It never touches our servers. We do not store, process, or have access to your full card number at any time.
• We retain only a transaction reference ID and last four digits of your card for billing records.

Authentication and Access Controls

• Passwords are cryptographically hashed using bcrypt and never stored in plaintext.
• Sessions are managed with signed JSON Web Tokens (JWTs) with automatic expiration.
• Row-Level Security (RLS) is enforced at the database level, ensuring users can only access data belonging to their own account — even in the event of an application-level vulnerability.
• Administrative access to production systems requires multi-factor authentication.

Infrastructure

• Our database and authentication infrastructure is provided by Supabase, which maintains SOC 2 Type 2 certification and undergoes regular third-party security audits.
• Our application servers are hosted in a hardened environment with automated security updates, firewall rules, and intrusion detection.
• All data is stored in data centers located in the United States.

Incident Response

In the event of a data breach that compromises your personal information, we will:

• Notify affected users within 72 hours of confirming the breach, or as required by applicable state law (whichever is sooner).
• Provide a clear description of what data was affected and what steps we are taking.
• Notify applicable state attorneys general as required by law.
• Offer identity monitoring services if sensitive personal information (SSN, financial data) was compromised.

No system is 100% secure. While we implement and maintain commercially reasonable security measures, we cannot guarantee absolute security. We encourage you to use a strong, unique password for your Entity Lane account.

6. Cookies and Tracking

Cookie Type	Purpose	Set By	Duration
Essential / Authentication	Session management, login state, CSRF protection	Entity Lane	Session / 7 days
Preferences	Remember your settings (e.g., selected state)	Entity Lane	1 year
Analytics	Aggregate website usage: pages visited, session duration, referral source, general location (country/region level), device and browser type	Google Analytics (GA4)	Up to 2 years

Google Analytics

We use Google Analytics 4 (GA4) to understand how visitors use our website in aggregate. GA4 collects de-identified usage data including pages visited, time on site, referral sources, and general geographic region. This data helps us improve our website and understand which content is most useful.

What Google Analytics does NOT collect on our site:

• Your name, email address, or any account information
• Business formation details or documents
• Payment or financial information

We have disabled:

• Google Ads integration and remarketing
• User-ID tracking (we do not link analytics data to your Entity Lane account)
• Data sharing with Google for advertising purposes

Opt out: You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on, which is available for all major browsers. You can also block analytics cookies through your browser settings.

We do not use:

• Advertising or retargeting cookies
• Social media tracking pixels (Facebook Pixel, etc.)
• Cross-site behavioral tracking
• Fingerprinting or similar persistent identification techniques

Do Not Track

We respect Do Not Track (DNT) browser signals. You can also opt out of analytics tracking using the Google Analytics opt-out add-on linked above or by adjusting your browser cookie settings.

7. Data Retention

Data Type	Retention Period
Account information (name, email)	Life of account + 30 days after deletion request
Business formation documents	Life of entity + 7 years
Compliance and filing records	Life of entity + 7 years
Payment transaction records	7 years (tax and legal compliance)
Support communications	3 years after last contact
Usage and analytics data	12 months (aggregated and de-identified)
Sensitive information (SSN for EIN filing)	Deleted immediately after filing is complete

8. Your Privacy Rights

Regardless of where you live, we provide every Entity Lane user with the following rights:

• Access: Request a copy of all personal data we hold about you.
• Correction: Request that we correct inaccurate or incomplete information.
• Deletion: Request deletion of your account and personal data. We will fulfill deletion requests within 30 days, subject to legal retention requirements (e.g., tax records).
• Portability: Request your data in a machine-readable format (JSON or CSV).
• Opt-out: Opt out of non-essential communications at any time via the unsubscribe link in any email or through your account settings.

To exercise any of these rights, email privacy@entitylane.com. We will verify your identity and respond within 30 days.

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to know what personal information we collect, use, and disclose (see Section 1).
• Right to delete your personal information, subject to certain exceptions.
• Right to correct inaccurate personal information.
• Right to opt out of the sale or sharing of personal information. We do not sell or share your personal information for cross-context behavioral advertising. There is nothing to opt out of.
• Right to limit use of sensitive personal information. We use sensitive personal information (such as SSN) only to perform the specific service you requested.
• Right to non-discrimination. We will not deny you services, charge different prices, or provide a different quality of service for exercising your privacy rights.

Colorado, Connecticut, Virginia, Texas, and Oregon Residents

Residents of these states have similar rights under the Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Virginia Consumer Data Protection Act (VCDPA), Texas Data Privacy and Security Act (TDPSA), and Oregon Consumer Privacy Act (OCPA), including rights to access, correct, delete, and port their data, and to opt out of targeted advertising and data sales. As stated above, we do not sell data or engage in targeted advertising. To exercise your rights, contact privacy@entitylane.com.

9. International Data

Entity Lane is based in the United States and our services are directed to US businesses and residents. All data is stored in data centers located within the United States. We do not transfer personal data outside of the United States. If you access our services from outside the US, you consent to the transfer and processing of your data in the United States.

10. Children’s Privacy

Our services are not directed to individuals under 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Post the updated policy on this page with a new “Last Updated” date.
• Notify registered users via email at least 30 days before material changes take effect.
• Provide a summary of what changed.

12. Contact Us

If you have questions about this Privacy Policy, want to exercise your privacy rights, or have a data-related concern, contact us at:

Entity Lane LLC
Email: privacy@entitylane.com
Response time: Within 5 business days for general inquiries; within 30 days for formal data requests.