Privacy & Cookie Policy

CORPBOLT LLC, a Wyoming limited liability company, trading as CORPBOLT ("CORPBOLT", "we", "us", or "our"), operates corpbolt.com and the related customer, admin, and agent portals (the "Services").

We help individuals and companies form U.S. business entities (LLC / corporation), obtain EINs, coordinate registered-agent and business-address services, and provide an ongoing customer portal.

This Policy applies to Personal Data processed through:

• the corpbolt.com website and any subdomain we control;
• the customer portal, admin portal, and agent portal;
• inbound and outbound communications (email, live chat, phone);
• the formation, EIN, registered-agent, business-address, mail-handling, and document-generation workflows;
• our marketing and security operations.

CORPBOLT acts as a controller of Personal Data for the purposes described in this Policy. For business customers that engage CORPBOLT to process Personal Data on their behalf, CORPBOLT acts as a processor under a written Data Processing Addendum — see Security & Trust.

This Policy does not apply to (a) Personal Data processed by independent third parties under their own privacy notices (e.g., Stripe, Mercury, Wise); (b) Personal Data that becomes part of a public record after a government filing; or (c) the content of websites we link to.

4.1 Identifiers and contact data. Full legal name; preferred name; date of birth; email address; phone number(s); home, business, mailing, and registered-office addresses; country of citizenship and country of residence.

4.2 Government-issued identifiers (Sensitive). SSN, ITIN, EIN of related entities, U.S. or foreign passport number, national ID, driver's-license number, and (where required) images of government IDs. Government-ID images and verification metadata are collected and processed by our identity-verification vendor Sumsub when KYC is required.

4.2a Biometric data (Sensitive — KYC only). Where KYC requires it, Sumsub may collect a short selfie or liveness video and produce a biometric template to confirm that you are the person shown on the ID. The template is stored by Sumsub, not by CORPBOLT. See §8 and §14 for the consent and rights that apply.

4.3 Beneficial-ownership and entity data. Ownership and control percentages; manager / officer / director / agent designations; FinCEN identifiers; entity history; supporting documents you upload.

4.4 Financial and commercial data. Pricing tier, package selection, order history, invoices, refund history, tax IDs, billing address, last four digits of the payment method. We do not store full payment-card numbers; card data is collected and tokenized by Stripe.

4.5 Account and authentication. Account ID, hashed password, multi-factor authentication factors, session identifiers, roles (customer, agent, admin), preferences, and audit-log entries.

4.6 Filing, document, and correspondence data. Articles of organization / incorporation, operating agreements, EIN confirmation letters, business licenses, registered-agent correspondence, mail scans for users who use our address service, support tickets, chat transcripts, and PDF outputs. Where the package includes EIN facilitation, the SS-4 (and any related authorization form, such as Form 8821) is built and e-signed through our e-signature vendor Anvil.

4.7 Technical, device, and usage data. IP address, approximate location derived from IP, browser and OS type and version, device type, screen size, language, timezone, referrer URL, pages viewed, click and scroll behavior, search terms entered on the help center, performance and crash data, and unique session identifiers.

4.8 Marketing and engagement data. Email opens and clicks (where allowed by law), webinar registrations, content downloads, survey responses.

4.9 Security and abuse data. Google reCAPTCHA risk scores, Stripe Radar signals, login attempts, abuse signals, and Cloudflare edge / WAF signals.

4.10 Inferred and derived data. Audience segments, risk tier, support priority, lifetime value, and feature-adoption metrics.

4.11 Children. The Services are not directed to anyone under 18. We do not knowingly collect data from anyone under 18.

We process Personal Data for these purposes, and only when one of the legal bases in §7 applies.

• P1 — Provide and deliver the Services. Run the formation wizard, prepare and submit filings, coordinate registered-agent and business-address services, generate and store documents, maintain your account and portal, deliver customer support.
• P2 — Process payments and prevent fraud. Charge and refund through Stripe; screen suspicious orders; comply with payment-network requirements.
• P3 — Verify identity (KYC/AML). Collect ID documents, run sanctions screening, comply with U.S. and applicable foreign anti-money-laundering rules.
• P4 — Comply with legal obligations. Tax records, BOI/FinCEN-related communications, responses to lawful requests, regulatory examinations.
• P5 — Keep the Services secure. Detect abuse, block credential stuffing, rate-limit, run reCAPTCHA, monitor for intrusion.
• P6 — Communicate with you. Order confirmations, document delivery, support replies, status updates, mandatory notices, satisfaction surveys.
• P7 — Improve and develop the Services. Diagnose bugs, measure performance, run aggregated analytics, conduct user research.
• P8 — Marketing, advertising, and lead nurture. Newsletters, product announcements, offers about CORPBOLT, and consent-gated social-proof widgets (consent-based where required; otherwise on the basis of an existing customer relationship). Paid advertising and measurement on platforms including Google Ads / Google Tag and Meta (Pixel and Conversions API), where consent permits — for campaign optimization, conversion attribution, retargeting, fraud-invalid-traffic protection, and audience building. Opt-out at any time (§11.2).
• P9 — Defend legal claims, enforce contracts, and exercise rights. Investigate breaches of the Terms, defend or bring litigation, enforce billing.
• P10 — Corporate transactions. Disclose data in connection with diligence, merger, acquisition, or financing, subject to confidentiality and post-closing notice.

• P1: Contract — Art. 6(1)(b). Sensitive Data: Art. 9(2)(a) explicit consent; or Art. 9(2)(g) substantial public interest (filings).
• P2: Contract; Legitimate interests (fraud) — Art. 6(1)(b)/(f).
• P3: Legal obligation — Art. 6(1)(c). Sensitive Data: Art. 9(2)(g) substantial public interest (sanctions/AML); Art. 9(2)(a) explicit consent for biometric KYC via Sumsub.
• P4: Legal obligation — Art. 6(1)(c). Sensitive Data: Art. 9(2)(g).
• P5: Legitimate interests — Art. 6(1)(f).
• P6: Contract; Legitimate interests — Art. 6(1)(b)/(f).
• P7: Legitimate interests — Art. 6(1)(f).
• P8: Consent — Art. 6(1)(a); or Legitimate interests (existing-customer soft opt-in where permitted).
• P9: Legitimate interests; Legal claims — Art. 6(1)(f) / Art. 9(2)(f).
• P10: Legitimate interests — Art. 6(1)(f). Sensitive Data: Art. 9(2)(f) where applicable.

Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms and you may object at any time (§12). Where we rely on consent, you may withdraw at any time without affecting the lawfulness of processing before withdrawal.

LGPD bases mirror these conditions under Art. 7 / Art. 11. PIPEDA / Quebec Law 25 require knowledge or consent and a clearly identified purpose.

We process Sensitive Data only when we have a clear and lawful reason — typically because a U.S. federal or state agency requires it for the filing you have asked us to make, or because U.S. anti-money-laundering or sanctions law requires us to verify identity.

For residents of states that require opt-in consent for sensitive-data processing (currently New Jersey and Maryland) and for individuals subject to GDPR / UK GDPR / FADP, you must affirmatively consent at intake; you can withdraw consent at any time, in which case we may be unable to provide the Service that required the data. California residents have the right to limit the use and disclosure of Sensitive Personal Information.

Biometric data for KYC. Where we use Sumsub for identity verification, biometric processing (face match / liveness) relies on explicit consent under GDPR Art. 9(2)(a) and equivalent provisions, in addition to the substantial-public-interest basis for sanctions and AML compliance. You may decline biometric verification, in which case we will offer a manual document-review alternative where available; if no alternative is available, we may be unable to complete onboarding for legal-compliance reasons.

When CORPBOLT submits a filing (Articles of Organization with a Secretary of State, an EIN application with the IRS, etc.), some of the information you provide may become part of a public record maintained by the government. CORPBOLT cannot recall that information once it is public.

FinCEN BOI. CORPBOLT does not automatically file a BOI report with FinCEN on your behalf unless you have purchased a specific BOI filing add-on. BOI rules may be modified, paused, or replaced; you are responsible for your reporting obligations.

Registered agent. If your package includes registered-agent service, the third-party registered agent is the public point of contact for service of process and government correspondence; their privacy and retention practices apply to the data they handle.

We use limited automated decision-making for:

• Fraud and abuse prevention — Google reCAPTCHA risk scoring, Stripe Radar, internal rules, and Cloudflare edge / WAF signals.
• Identity verification (KYC/AML) — Sumsub performs document checks, sanctions / PEP / adverse-media screening, and (where you consent) biometric face match / liveness. The Sumsub WebSDK loads inside the KYC flow only.
• Personalization and recommendations — suggesting filings, packages, or content based on your stated goals and behavior.
• Product analytics — aggregate metrics and pseudonymous user-level event analysis.
• Advertising measurement and audience modelling — when consent permits, Google Ads / Google Tag, Meta Pixel and Meta CAPI, and equivalent platforms may infer audience segments or look-alike audiences from the events we send. These platforms perform their own automated processing under their own privacy policies. You may opt out of this category of processing via §11.2 (Cookie Settings, GPC, or email).

Decisions that would have a legal or similarly significant effect on you (e.g., declining onboarding after a sanctions hit, freezing a refund, terminating an account) are subject to human review before final action. You may request human review, express your point of view, and contest the decision via §16. This satisfies GDPR Art. 22 and equivalent U.S. state provisions.

EU AI Act. Where Sumsub's identity-verification system or any other third-party AI system we use is classified by its provider as a "high-risk AI system" under the EU AI Act (Regulation (EU) 2024/1689), CORPBOLT acts as a deployer. We rely on the provider's conformity assessment and apply the deployer obligations relevant to our use.

We do not use customer Personal Data to train third-party generative-AI foundation models. Where staff use AI tools to draft replies, a human reviews and approves before sending.

• Email: privacy@corpbolt.com (subject: DSAR — [right] or OPT OUT — [type]).
• Phone: +1 (307) 300-2206 (leave a voicemail with your name, callback, and the right you want to exercise).
• Mail: CORPBOLT LLC — Privacy Office, 1309 Coffeen Ave, Ste 1200, Sheridan, WY 82801, USA.

We acknowledge within 10 business days and respond within the statutory deadline — typically 30 days under GDPR / UK GDPR (extendable once by two further months for complex requests with notice), and 45 days under most U.S. state laws (extendable once by 45 days with notice). We may verify your identity proportionately to the sensitivity of the request, and we do not discriminate against you for exercising any right.