Your information is private. Full stop.

What we collect

We collect only what's necessary to form your business:

• Account information — your email address and a hashed (encrypted) password. We never store your password in plain text.
• Business information — your business name, entity type (LLC, S-Corp, etc.), and the state you are forming in.
• Filing information — your full name, mailing address, city, zip code, and phone number. This is required by the state to file your formation documents.
• Payment information — processed entirely by Stripe. We never see, store, or handle your credit card number.
• Usage data — basic server logs (IP address, browser type) used to keep the service running securely. These are not tied to your identity.

What we don't collect:we do not collect Social Security Numbers. The IRS EIN application requires a responsible party's SSN or ITIN, but you enter that directly on IRS.gov — we never see it, store it, or process it. We do not collect government-issued ID images, biometric data, precise geolocation, or other categories defined as “Sensitive Personal Information” under CPRA, Connecticut CTDPA, Colorado CPA, or similar state laws.

How we use it

We use your information exclusively to:

• File your LLC or business entity with the appropriate state agency
• Send you status updates on your filing
• Provide access to your dashboard and formation checklist
• Respond to your support requests

Nothing else. We do not use your information for advertising, profiling, or any purpose unrelated to your business formation.

We do not sell your personal information

We do not sell, rent, or trade your personal information for money, and we do not share it with advertisers or data brokers. The only third parties who receive any portion of your information are the service providers (sub-processors) we use to run the platform, listed below. We use the term “sub-processor” in the GDPR/CCPA sense: a vendor that processes data on our behalf under a contract that prohibits them from using it for their own purposes.

• State government agencies — your name, address, and business details are submitted to the state to form your entity. State filings are public records once accepted.
• Stripe, Inc. — processes your payment. We never see your card number. Stripe privacy policy.
• Vercel, Inc. — application hosting and serverless functions. Vercel privacy policy.
• Supabase, Inc. — authentication and Postgres database (built on Neon/AWS infrastructure). Supabase privacy policy.
• Resend, Inc. — sends transactional email (filing confirmations, login codes). Resend retains email-send logs (recipient, subject, delivery status) for its own deliverability and abuse-monitoring purposes per their policy. Resend privacy policy.
• New York Department of State open-data portal (data.ny.gov) — for New York filings only, we query the publicly available Active Corporations dataset by business name to confirm state acceptance. We do not send personal information, only the business name (which becomes public record once filed with the state).
• Anthropic, PBC — when you use our AI tools to generate business names or logo concepts, the prompt you submit (industry, description, vibe, business name) is sent to Anthropic's Claude API. Anthropic does not train models on API inputs. Anthropic privacy policy.
• Google LLC (Google Analytics 4) — on our public marketing pages we load Google Analytics 4 to measure aggregate traffic. GA may set cookies and collect a truncated IP, user-agent, and pseudonymous client identifier. We do not provide Google with your name, email, or filing details. Google privacy policy. To opt out site-wide, install the Google Analytics opt-out browser add-on.

We have not authorized any of these providers to use your information for their own marketing or advertising.

How we protect your data

• Passwords are hashed with bcrypt before storage — they are mathematically irreversible
• All data is transmitted over HTTPS/TLS
• Our database is hosted on Neon (SOC 2 Type II certified)
• We do not store payment card data of any kind

If we ever have a data breachinvolving your personal information, we'll notify you by email and the appropriate state regulators on the timelines required by the laws that apply to you — including the NY SHIELD Act (NY GBL § 899-aa), California Civ. Code § 1798.82, and the GDPR's 72-hour rule for EU/UK residents. We'll tell you what data was involved, what we're doing about it, and what you should do.

Data retention

We retain your account and filing data as long as your account is active, or as required to maintain records of the services we provided. You may request deletion of your account and associated data at any time by emailing us. Filed formation documents are a matter of public record with the state and cannot be retracted.

Your rights

You have the right to:

• Access the personal data we hold about you
• Correct inaccurate information
• Request deletion of your account and data
• Receive a copy of your data in a portable format

To exercise any of these rights, email us at info@themidnightfounder.com.

Cookies and analytics

We use the following cookies and similar technologies:

• Strictly necessary — a session cookie that keeps you logged in. This cannot be disabled.
• Functional — a saved consent record (tmf-consent-v1) so we remember your cookie choice. A local chat-session identifier (tmf-chat-session-v1) so anonymous chat conversations stay connected across pages. A local chat-history cache (tmf-chat-history-v1) holding the messages you exchanged with the Founder Assistant in that browser tab, so the conversation survives page navigation. None of these leave your browser unless you send chat messages, which are also stored on our server under the chat-session identifier.
• Analytics — Google Analytics 4 (cookies prefixed _ga) on our public marketing pages in our production environment, to measure aggregate traffic. We do not load the GA script at all until you click “Accept analytics” in our cookie banner. We do not load any advertising or remarketing pixels.

You can disable analytics cookies through your browser settings, the Google opt-out add-on, or by enabling “Global Privacy Control” in your browser (we honor GPC signals as a CCPA opt-out).

AI tools and data processing

We use Anthropic, PBC (“Anthropic”) as a service provider to power certain AI-assisted features. When you use these features, the inputs you provide are sent to Anthropic's API and processed by their Claude models to generate the corresponding output.

Where we use AI

• Business name suggestions. Inputs sent: industry, description, and any vibe or style notes you provide. Output: candidate names, taglines, and rationale.
• Logo generation. Inputs sent: business name, industry, mood/color preferences, and optional description. Output: SVG logo concepts.
• Launch announcement email. Inputs sent: business name and recipient email address (to personalize tone). Output: a draft email you can edit before sending from your own mail client.
• Operating Agreement “polish” (optional). Only if you click the polish button on a custom clause. Inputs sent: the clause heading and the plain-English body you typed. Output: a formal rewrite that you accept or reject before it replaces your text.
• Operating Agreement pre-flight check (optional). Only if you click the run-check button on the review step. Inputs sent: your questionnaire answers (no email, no name beyond what you entered). Output: flags about inconsistencies between answers.
• Founder Assistant chat. If you open the chat widget in the bottom-right corner. Inputs sent: the messages you type and, when you are signed in, your current company's name, state, filing phase, and EIN status (used to give context-aware help). Output: short text answers about the platform and LLC formation basics. Conversations are stored on our side for support and abuse review. The chat widget also sets a local browser identifier (tmf-chat-session-v1) so anonymous conversations can be continued across pages — see Cookies and analytics below.

How long we keep AI inputs.We retain chat messages, Operating Agreement polish inputs, pre-flight inputs, name-generation inputs, and logo-generation inputs for up to 12 months for support, quality review, and abuse monitoring, then delete them. You can request earlier deletion at the address below. Inputs already transmitted to Anthropic are governed by Anthropic's own retention practices (linked below).

What Anthropic does with your inputs. Anthropic acts as our sub-processor. As of the effective date of this policy, Anthropic's Commercial Terms of Service state that Anthropic does not use Commercial Services inputs or outputs to train their models. Anthropic retains inputs only for the operational and abuse-monitoring purposes set out in their Privacy Policy and Commercial Terms. Anthropic processes data in the United States. Anthropic's terms can change; the controlling statement at any later time is whatever Anthropic's then-current terms say, and we'll update this policy if Anthropic's posture changes in a way that affects our customers.

International transfers. If you are in the EEA, UK, or Switzerland and use these features, your inputs will be transferred to and processed in the United States. Anthropic relies on the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum as the safeguard for these transfers.

Your choices. Use of AI features is optional. You can complete the formation flow without generating names, a logo, or a launch email, and you can draft an Operating Agreement without the polish or pre-flight features. To request deletion of any inputs we've stored on our side, email info@themidnightfounder.com. Inputs already transmitted to Anthropic are governed by Anthropic's own retention and deletion practices linked above.

No automated decision-making with legal effect. The AI features described here generate suggestions, drafts, and informational flags. We do not use AI to make automated decisions that produce legal or similarly significant effects on you within the meaning of GDPR Article 22.

Your California privacy rights (CCPA / CPRA)

If you are a California resident, you have the right to: (1) know what categories of personal information we collect and the purposes for which we use it; (2) access the specific personal information we hold about you; (3) request deletion of your personal information; (4) request correction of inaccurate personal information; (5) limit the use of sensitive personal information; and (6) not be discriminated against for exercising these rights.

Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.

How to exercise your rights. For deletion or data export of an active account, log in first — we'll verify the request from inside your authenticated session. If you can't log in (lost access, account already closed), email info@themidnightfounder.comwith the subject line “CCPA Request” from the email on file; we'll verify by confirming you control that mailbox and may ask additional questions to match the account, in line with the verification rules in 11 CCR § 7060. For requests touching Sensitive Personal Information, we apply stricter matching consistent with that regulation. We don't collect SPI from customers (see “What we don't collect” above), so in practice this section rarely applies.

Your rights in the EEA, UK, and Switzerland (GDPR)

If you are in the EEA, UK, or Switzerland, our legal bases for processing your personal data are: (a) performance of a contract (to form your business); (b) compliance with a legal obligation (state filing records); and (c) our legitimate interests in operating, securing, and improving the service. You have the right to access, rectify, erase, restrict, port, and object to processing, and to lodge a complaint with your supervisory authority. We do not currently target advertising at users in the EEA/UK and do not engage in automated decision-making with legal effect.

Children

The service is intended for users 18 and older and is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us information, email info@themidnightfounder.com and we will delete it.

Refund and dispute policy

The full refund policy is set out in Section 4 of our Terms of Service, and the full disputes / arbitration policy is set out in Section 11. The summary below describes the policy and how we handle your personal information when you request a refund or initiate a payment dispute.

Refund eligibility

• Service fee. Our service fee is $0, so there is nothing on our side to refund. You pay only the mandatory state filing fee.
• Before your filing is submitted to the state. You may request a full refund of the state filing fee at any time before we submit your formation documents to the state. Orders placed outside business hours are held for a short grace period before submission to give you a reasonable cancellation window.
• After your filing is submitted to the state. The state filing fee is collected by the state, not by us, and cannot be recovered once the state has accepted or begun processing your filing. Refunds are not available for that portion of your order.
• How to request. Reply to your order-confirmation email or write to info@themidnightfounder.com. We will confirm whether your filing has been submitted before processing the refund.

Payment disputes and chargebacks

If you initiate a chargeback or payment dispute with your card issuer, Stripe will notify us and share the dispute record (transaction details, dispute reason code, and any evidence the issuer provides). To respond, we may need to submit evidence back to Stripe and your issuer, including: your order details, the email address on the account, timestamps of account activity, the formation documents we prepared on your behalf, and the status of any state filing submitted for you. We share only what is necessary to respond to the dispute. Dispute records are retained by us and by Stripe for as long as required by card-network rules and applicable law (typically up to several years).

We encourage you to contact us at info@themidnightfounder.com before filing a chargeback — most issues can be resolved faster through a direct refund where eligible.

Other disputes

Any other dispute, claim, or controversy arising out of or relating to the service is governed by the binding individual arbitration clause in Section 11 of our Terms of Service. If you exercise your right under that section to opt out of arbitration within the stated window, or for matters that fall outside arbitration, venue is the state and federal courts located in New York County, New York.

Changes to this policy

If we make material changes, we will update the effective date above and notify you by email. Continued use of the service after changes constitutes acceptance.

Contact

Questions? Email us at info@themidnightfounder.com.