Privacy Policy

This Privacy Policy explains how IncorpAssist (“we”, “us”, “our”) collects, uses, discloses, and safeguards information when you access or use our website at incorpassist.com (the “Service”). IncorpAssist is an educational tool that presents general, publicly available information about business incorporation options; it does not provide legal, tax, or professional advice of any kind. We are committed to protecting your privacy and handling any personal data in an open, transparent, and accountable manner consistent with our legal obligations.

Please read this Policy carefully. By using the Service, you acknowledge that you have read and understood this Policy. This Policy does not constitute legal advice and should not be relied upon as such; it is a disclosure document only. Users of the Service who require legal advice on data protection matters should consult a qualified lawyer.

1. Data Controller

The data controller responsible for the personal data described in this Policy is IncorpAssist, operated from the United Kingdom. For all privacy-related enquiries, rights requests, and complaints, please contact: privacy@incorpassist.com

We are not currently required to appoint a Data Protection Officer (DPO) under Article 37 GDPR or UK GDPR, as we do not process special category data at scale or carry out systematic large-scale monitoring of individuals. The above email address is the primary point of contact for all data-related matters and rights requests.

We are not currently required to maintain an EU representative under Article 27 GDPR, as our processing of EEA residents’ data does not constitute large-scale, systematic processing. Should our processing activities change materially, we will review this position and appoint a representative as required.

2. Scope and Applicable Law

This Policy applies to all visitors and users of the Service worldwide. Where applicable, it specifically addresses compliance with:

• EU GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data
• UK GDPR: the EU GDPR as retained and amended in UK law by the European Union (Withdrawal) Act 2018, read together with the Data Protection Act 2018 (“DPA 2018”)
• UK PECR: the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended), which govern cookies and similar technologies in the United Kingdom
• CCPA / CPRA: the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (effective 1 January 2023)
• Other US state privacy laws: including the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and Texas Data Privacy and Security Act (TDPSA), where applicable to our users
• Brazil LGPD: Lei Geral de Proteção de Dados (Federal Law No. 13,709/2018)
• Australia Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)

References to “GDPR” throughout this Policy apply equally to UK GDPR unless the context expressly distinguishes between the two regimes.

3. Data We Collect and How

3.1 Server and Access Logs (Hosting Provider)

When you visit IncorpAssist, our hosting provider (Vercel Inc., 340 Pine Street, Suite 701, San Francisco, CA 94104, USA) automatically records standard HTTP server log data as part of the operation of its infrastructure. This may include:

• IP address (which may be used to derive approximate country or region)
• Browser type, version, and rendering engine
• Operating system and device category
• Referring URL (the page from which you navigated to our Service)
• URLs requested and timestamps
• HTTP response codes and approximate payload sizes

Vercel processes this data as our data processor under a formal Data Processing Agreement (DPA) incorporating Standard Contractual Clauses. Vercel is SOC 2 Type II certified and retains log data for up to 30 days for security, performance monitoring, and abuse prevention, after which logs are automatically deleted. We do not access individual log entries during ordinary operation. For details, see Vercel’s Privacy Policy.

3.2 Questionnaire Inputs (localStorage only, never transmitted to our servers)

When you use the jurisdiction recommendation wizard, your answers are saved to your browser’s localStorage under the key incorpassist-draft. This data is processed entirely by client-side JavaScript running within your browser. It is never transmitted to our servers and does not leave your device during normal use. It is cleared automatically when you complete or reset the wizard, or when you clear your browser’s site data.

3.3 Theme Preference (localStorage only, never transmitted to our servers)

Your chosen display theme (light or dark mode) is stored in localStorage under the key theme. This preference is read on page load to restore your chosen appearance. It is not transmitted to us at any point.

3.4 Cookie Consent Preference (localStorage only, never transmitted to our servers)

When you acknowledge our cookie notice, your preference is stored in localStorage under the key cookie-consent so that the notice is not displayed again on subsequent visits. This entry is stored locally on your device only and is never transmitted to our servers.

3.5 Google Fonts

Our website loads typefaces from Google Fonts, operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, via the domains fonts.googleapis.com and fonts.gstatic.com. When your browser requests font files, it transmits your IP address and browser user-agent string directly to Google’s servers as a technical necessity of the HTTP protocol. Google LLC acts as a separate, independent data controller for this processing. Google has publicly documented that data received via the Google Fonts API is not used to build advertising profiles and is not used for targeted advertising. For full details, see Google’s Privacy Policy.

3.6 Google Analytics 4 (GA4, Consent-Gated)

We use Google Analytics 4 (“GA4”), a web analytics service operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. GA4 is implemented with Consent Mode v2: analytics measurement is denied by default and only fully activated when you explicitly accept analytics cookies via our cookie consent banner. Your consent preference is stored in localStorage under the key cookie-consent and is respected on every subsequent visit.

When you deny analytics (default): GA4 operates in a cookieless signal mode. No client identifier is stored or transmitted. Google may use these cookieless signals for aggregate statistical modelling. No personal data is linked to your session.

When you accept analytics: GA4 collects the following data: anonymised client identifier (cookie-based), session identifier, approximate geographic location (country/city level, derived from IP address, which is not stored by Google in GA4), browser type and version, device category, referring URL, and the following custom events specific to our Service:

• quiz_started: fired when a user begins the recommendation wizard
• question_answered: fired at each wizard step (question ID only, no answer content transmitted)
• quiz_completed: fired when recommendations are generated (jurisdiction count only)
• affiliate_click: fired when a provider link is clicked (provider name and jurisdiction only)

What we do not collect via GA4: your questionnaire answers, the specific jurisdictions recommended to you, any financial inputs from the tax calculator, or any information that would identify you as an individual. GA4 is used solely to understand aggregate product usage patterns and improve the Service.

Google LLC acts as our data processor for GA4 under a Data Processing Agreement incorporating Standard Contractual Clauses. Google is certified under the EU-US Data Privacy Framework and relies on the UK IDTA for UK transfers. Google’s data retention for GA4 events is set to 14 months (the shortest available setting). For full details, see Google’s Privacy Policy and Google Analytics data privacy and security.

Opting out: You may withdraw consent at any time by clicking “Cookie Settings” in the footer or by clearing your browser’s site data for incorpassist.com. You may also install the Google Analytics Opt-out Browser Add-on.

3.7 Affiliate and Partner Links

The Service displays referral links to third-party formation service providers (including, without limitation, Stripe Atlas, Clerky, Osome, Sleek, and Healy Consultants). These links may contain affiliate or referral tracking parameters embedded in the URL query string. When you click such a link and navigate to a partner’s website, that site may collect personal data and set cookies subject to its own privacy and cookie policies. IncorpAssist may receive aggregate referral metrics (such as anonymised click-through or conversion counts) from partners. We do not receive your personal data from any partner as a direct result of your clicking a referral link.

3.8 No Account, Contact, or Payment Data

We do not operate user accounts. We do not collect your name, email address, postal address, or telephone number. We do not process payment card data. We do not operate mailing lists and do not send marketing communications. There is no registration or sign-up process on the Service.

4. Legal Bases for Processing (GDPR / UK GDPR)

For users in the EEA and the United Kingdom, Article 6(1) GDPR requires a lawful basis for each processing activity involving personal data. Our processing activities and applicable legal bases are as follows:

Legitimate Interests Assessment (LIA): Summary

Where we rely on legitimate interests under Article 6(1)(f), we have conducted the three-stage assessment required under GDPR accountability obligations:

UK PECR: Cookies and Similar Technologies

Under the UK Privacy and Electronic Communications Regulations 2003 (PECR), Regulation 6, storing or accessing information on a user’s device requires either the user’s consent or satisfaction of the “strictly necessary” exemption. We do not set first-party HTTP cookies. Our use of localStorage is strictly functional to the operation of the Service. We have implemented a notice-and-acknowledgment mechanism to ensure users are informed of our storage practices; however, we take the position that the specific localStorage entries we set qualify for the strictly necessary exemption under PECR and do not require active opt-in consent. Full details are set out in our Cookie Policy.

5. Purposes of Processing

We use the limited data we have access to for the following purposes, and no others:

• Serving and operating the website and its hosting infrastructure
• Ensuring the security of the Service and preventing, detecting, and investigating fraud, abuse, and technical attacks
• Diagnosing and resolving technical faults
• Enabling the recommendation wizard to function on a fully client-side basis
• Persisting your preferred display theme across browser sessions
• Storing your acknowledgment of the cookie notice to avoid repeat display
• Measuring aggregate product usage (e.g., quiz completion rates, affiliate link clicks) to improve the Service, via Google Analytics 4, subject to your cookie consent preference

We do not use any data for advertising, behavioural profiling, the training of artificial intelligence or machine learning models, automated decision-making with legal or similarly significant effects, or for any purpose incompatible with those stated above. We do not engage in secondary use of personal data.

6. Sharing and Disclosure of Data

We do not sell, rent, trade, broker, or otherwise disclose your personal data for commercial purposes. We share data only in the following limited circumstances:

7. International Data Transfers

IncorpAssist is operated from the United Kingdom. Accessing the Service may involve the transfer of personal data to and processing in the United States by our sub-processors, as set out below.

A full list of sub-processors and their transfer mechanisms is available on our Subprocessor page. A copy of any applicable transfer mechanism may be requested by contacting us at privacy@incorpassist.com.

8. Data Retention

We apply the principle of data minimisation and do not retain personal data for longer than is necessary for the purposes for which it was collected.

9. Security Measures

We implement appropriate technical and organisational measures (TOMs) to protect personal data against unauthorised access, accidental loss, destruction, or alteration, in accordance with Article 32 GDPR and good industry practice:

• All data in transit between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS). HTTP requests are automatically redirected to HTTPS.
• Our hosting infrastructure (Vercel) is SOC 2 Type II certified and maintains industry-standard physical, logical, and procedural security controls at its data centre and edge network facilities.
• Questionnaire data is processed exclusively client-side and is never stored on any IncorpAssist-operated server, eliminating server-side data breach risk for this category of data.
• We do not process payment card data, authentication credentials, or any sensitive personal information as defined under GDPR Article 9 or equivalent frameworks.
• Access to production infrastructure is restricted to authorised personnel and controlled via access management policies.

No method of transmission over the internet or method of electronic storage is completely secure. While we apply appropriate safeguards, we cannot guarantee absolute security. If you become aware of a security vulnerability or incident relating to the Service, please report it promptly to privacy@incorpassist.com.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, as required by Article 33 GDPR / UK GDPR. Where a breach is likely to result in a high risk to individuals, we will also notify affected data subjects without undue delay in accordance with Article 34 GDPR / UK GDPR.

10. Your Rights

EEA and UK Residents (GDPR / UK GDPR)

You have the following rights in relation to personal data we process about you:

• Right of access (Article 15): You may request a copy of the personal data we hold about you, together with supplementary information about how it is processed.
• Right to rectification (Article 16): You may request correction of inaccurate or incomplete personal data without undue delay.
• Right to erasure (Article 17): You may request deletion of your personal data where it is no longer necessary for the purposes collected, where you have withdrawn consent and no other lawful basis applies, or where processing is unlawful.
• Right to restriction of processing (Article 18): You may request that we restrict processing in specified circumstances, such as while the accuracy of data is being contested.
• Right to data portability (Article 20): You may receive personal data you have provided to us in a structured, commonly used, machine-readable format and transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
• Right to object (Article 21): You may object at any time to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary to establish, exercise, or defend legal claims.
• Rights in relation to automated decision-making (Article 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. This right is not engaged by our Service as described in Section 12.
• Right to lodge a complaint: You may complain to your competent national supervisory authority at any time. For UK residents: the Information Commissioner’s Office (ICO). For EEA residents: your national data protection authority (see Section 16 for contact details).

Practical note: Because we hold no personal data on our own servers beyond server logs retained by Vercel for up to 30 days and then automatically deleted, and all wizard data is stored locally in your browser, the most effective way to exercise your rights over locally stored data is to clear your browser’s localStorage directly. To exercise any of the above rights, contact us at privacy@incorpassist.com. We will acknowledge your request within 72 hours and respond substantively within 30 calendar days (extendable by a further two months for complex or numerous requests, with notice to you as required by Article 12(3) GDPR).

California Residents (CCPA / CPRA)

California residents have the following rights under the CCPA as amended by the CPRA (Cal. Civ. Code §1798.100 et seq.):

• Right to Know (§1798.100): You may request disclosure of the categories and specific pieces of personal information collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share personal information.
• Right to Delete (§1798.105): You may request deletion of personal information we have collected from you, subject to exceptions under the statute.
• Right to Correct (§1798.106): You may request correction of inaccurate personal information we maintain about you.
• Right to Opt Out of Sale or Sharing (§1798.120): We do not sell or share your personal information as those terms are defined under the CCPA/CPRA. We do not engage in cross-context behavioural advertising. No opt-out action is required, but you may contact us if you have questions.
• Right to Limit Use of Sensitive Personal Information (§1798.121): We do not collect Sensitive Personal Information as defined by §1798.140(ae).
• Right to Non-Discrimination (§1798.125): We will not discriminate against you for exercising your CCPA/CPRA rights.
• Shine the Light (Cal. Civ. Code §1798.83): California residents may request, once per calendar year, a list of third parties to whom we have disclosed personal information for their own direct marketing purposes in the preceding year. We do not disclose personal information to third parties for their own direct marketing purposes.

To submit a CCPA/CPRA request, please contact us at privacy@incorpassist.com with the subject line “CCPA/CPRA Rights Request.” We may need to verify your identity before processing certain requests. We will not charge a fee unless a request is manifestly unfounded or excessive.

Other US State Privacy Rights

Residents of the following US states have rights broadly equivalent to those described above under their respective state privacy laws. These rights typically include the rights to access, correct, delete, and port personal data, and to opt out of targeted advertising and certain forms of profiling:

• Virginia: Consumer Data Protection Act (VCDPA, Va. Code Ann. §59.1-571 et seq.)
• Colorado: Colorado Privacy Act (CPA, C.R.S. §6-1-1301 et seq.)
• Connecticut: Data Privacy Act (CTDPA, Conn. Gen. Stat. §42-515 et seq.)
• Texas: Data Privacy and Security Act (TDPSA, Tex. Bus. & Com. Code §541.001 et seq.)

We do not engage in targeted advertising or profiling with legal or similarly significant effects. To exercise any of these rights, contact us at privacy@incorpassist.com.

Summary of Personal Information Collected: CCPA Categories (§1798.140)

11. Children’s Privacy

The Service is directed exclusively to adults (18 years of age or older) making commercial and business formation decisions. It is not intended for, and we do not knowingly collect personal data from, individuals under the age of 16. If you are a parent or guardian and believe that a child has provided personal data in connection with the Service, please contact us at privacy@incorpassist.com and we will take prompt steps to delete such data.

12. Automated Decision-Making and Profiling

The jurisdiction recommendation engine processes the answers you enter into the wizard using a deterministic, rules-based, weighted scoring algorithm that runs entirely within your browser as client-side JavaScript. No server-side automated decision-making occurs. IncorpAssist does not build individual user profiles and does not conduct behavioural profiling. No decisions producing legal or similarly significant effects are made about any user. Article 22 GDPR (and equivalent provisions in UK GDPR and other applicable laws) is therefore not engaged.

The recommendations generated by the Service are informational and educational in nature only and do not constitute legal, tax, financial, accounting, or professional advice of any kind. Users should obtain independent professional advice from qualified practitioners before making incorporation, structure, or tax-related decisions.

13. Cookies and Tracking Technologies

For full details of how we use cookies and similar storage technologies, please read our Cookie Policy. In summary:

• We do not set first-party HTTP cookies.
• We use browser localStorage for wizard state, theme preference, and cookie consent preference. This data never leaves your device.
• Google Analytics 4 may set analytics cookies if you accept via the cookie banner; Google Fonts and affiliate partners (on active link-click) may also set third-party cookies subject to their own policies.
• Vercel (hosting infrastructure) may set strictly necessary infrastructure cookies for load balancing and security purposes.
• We use no analytics cookies, tracking pixels, or advertising technologies.

14. Third-Party Websites

The Service contains links to third-party websites, including formation service providers, government resources, and professional advisers. These websites operate independently of IncorpAssist and are governed by their own privacy and cookie policies. We have no control over, and accept no responsibility for, the privacy practices, content, or data security of such websites. Visiting a linked website does not imply our endorsement of it. We encourage you to read the privacy policy of every third-party website you visit before submitting personal information.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in applicable law, regulatory guidance, technology, or our data practices. When we do, we will revise the “Last updated” date at the top of this page. Where changes are material and significantly affect your rights or our processing activities, we will provide a prominent notice on the Service homepage for a reasonable period following the change. Continued use of the Service after any such update constitutes your acknowledgment of the revised Policy.

16. Contact and Complaints

For any questions, concerns, or rights requests relating to this Privacy Policy or your personal data, please contact us:

If you are not satisfied with our response to a complaint, you have the right to escalate to your competent supervisory authority:

• United Kingdom: Information Commissioner’s Office (ICO): ico.org.uk
• European Union: Your national data protection authority, listed at edpb.europa.eu
• Brazil: Autoridade Nacional de Proteção de Dados (ANPD): gov.br/anpd
• Australia: Office of the Australian Information Commissioner (OAIC): oaic.gov.au