Privacy Policy
Last updated: October 24, 2025
1. Introduction
Welcome to NowCorp ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our EIN registration service.
By using our service, you agree to the collection and use of information in accordance with this Privacy Policy. This policy is compliant with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Information We Collect
2.1 Personal Information
When you register for an account and use our service, we collect:
- Account Information: Name, email address, phone number, password
- Business Information: Business name, EIN (if applicable), business address
- Form SS-4 Data: All information required for IRS Form SS-4 submission
- Identity Verification: Government-issued ID information (when required)
- Payment Information: Billing address, payment method details (processed securely through Stripe)
2.2 Technical Information
- Log Data: IP address, browser type, operating system, pages visited
- Device Information: Device fingerprint for trusted device detection
- Cookies: Session cookies, authentication cookies, preference cookies
- Analytics: Usage patterns, feature interactions (via Vercel Analytics)
2.3 Communications
- Messages sent through our platform
- Email correspondence
- SMS verification codes
- Customer support interactions
3. How We Use Your Information
We use your information for the following purposes:
- Service Delivery: Processing EIN applications, submitting Form SS-4 to the IRS
- Account Management: Creating and maintaining your account, authentication
- Communication: Sending transactional emails, application status updates, SMS verification codes
- Security: Fraud prevention, two-factor authentication, audit logging
- Payment Processing: Billing for subscription plans and services
- Service Improvement: Analytics, error tracking, feature development
- Legal Compliance: Meeting IRS requirements, tax obligations, legal requests
4. Legal Basis for Processing (GDPR)
Under GDPR, we process your personal data based on:
- Consent (Article 6(1)(a)): You have given explicit consent via registration checkbox
- Contract Performance (Article 6(1)(b)): Processing is necessary to provide our services
- Legal Obligation (Article 6(1)(c)): IRS submission requirements, tax compliance
- Legitimate Interests (Article 6(1)(f)): Fraud prevention, service improvement
5. Data Sharing and Disclosure
5.1 Third-Party Services
We share your information with trusted third-party service providers:
- Stripe: Payment processing (PCI-DSS compliant)
- SendGrid: Transactional email delivery
- Twilio: SMS verification codes
- Vercel: Hosting and analytics
- AWS S3: Secure file storage
- Google reCAPTCHA: Bot protection
5.2 Government Agencies
We submit Form SS-4 data to the Internal Revenue Service (IRS) on your behalf as part of the EIN application process. This is necessary for service delivery and legal compliance.
5.3 Legal Requirements
We may disclose your information if required by law, court order, or government regulation.
6. Data Security
We implement industry-standard security measures to protect your data:
- Encryption: All sensitive data encrypted at rest and in transit (TLS/SSL)
- SSN Protection: Social Security Numbers encrypted using HashiCorp Vault Transit engine
- Access Control: Role-based access control, admin-only features
- Authentication: Password hashing (bcrypt), two-factor authentication (2FA)
- Session Management: Secure session cookies, trusted device detection
- Rate Limiting: Protection against brute-force attacks
- Audit Logging: Comprehensive logging of security events
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
7.1 Right to Access (Article 15)
You can access your personal data through your account dashboard at any time.
7.2 Right to Rectification (Article 16)
You can update your profile information, email, and phone number in Settings → Profile.
7.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You can delete your account and all associated data in Settings → Security → Delete Account. This requires email or SMS verification for security. Deletion is permanent and irreversible.
7.4 Right to Data Portability (Article 20)
You can download your SS-4 forms as PDFs. Contact support for a complete data export in JSON/CSV format.
7.5 Right to Object (Article 21)
You can object to certain data processing activities, such as analytics, by adjusting your cookie consent preferences.
7.6 Right to Withdraw Consent (Article 7(3))
You can withdraw consent at any time by modifying your cookie preferences or deleting your account.
7.7 Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection authority if you believe your data protection rights have been violated.
8. Cookies and Tracking
We use cookies to provide and improve our service. You can control cookie usage through our cookie consent banner with three levels:
- Essential Cookies: Required for authentication and core functionality (cannot be disabled)
- Functional Cookies: Enhance UX with features such as remembering 2FA and preferences
- Analytics Cookies: Help us understand usage patterns (optional)
You can change your cookie preferences at any time by clearing browser cookies and reloading the page.
9. Data Retention
We retain your data for the following periods:
- Active Accounts: Data retained while your account is active
- Inactive Accounts: Data retained for 3 years after last login, then anonymized
- Submitted Forms: SS-4 forms retained for 7 years for IRS compliance
- Financial Records: Payment records retained for 7 years for tax purposes
- Audit Logs: Security logs retained for 1 year
- Deleted Accounts: All data permanently deleted within 30 days of deletion request
10. International Data Transfers
Your data may be transferred to and processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses (SCCs) where required by GDPR.
11. Children's Privacy
Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email and by posting a notice on our website. The "Last updated" date at the top of this policy indicates when it was last revised.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your GDPR rights, please contact us:
Email: privacy@nowcorp.io
Mail: NowCorp Privacy Team
512 Luceme Ave
Lake Worth FL 33460
Phone: (800) 371-1217
Fax: (800) 371-0235
Data Protection Officer: dpo@nowcorp.io
14. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Your California Rights:
- Right to Know: Request information about data we collect
- Right to Delete: Request deletion of your personal data
- Right to Opt-Out: Opt out of sale/sharing of personal information
- Right to Non-Discrimination: Equal service regardless of privacy choices
Important: NowCorp does NOT sell your personal information.
Do Not Sell My Personal Information / Privacy Choices
15. Compliance Summary
This privacy policy is designed to comply with:
- GDPR (EU General Data Protection Regulation)
- CCPA/CPRA (California Consumer Privacy Act)
- COPPA (Children's Online Privacy Protection Act)
- CAN-SPAM Act (Commercial Email Regulations)
- IRS data protection requirements
- PCI-DSS for payment data (via Stripe)
