01 Scope & roles
This Privacy Policy applies to File.Business, Inc., a Delaware corporation with its registered office at 101 N Monroe St, Suite 800, Tallahassee, FL 32301, United States ("File.Business," "we," "us," "our"), and to all of our products and services accessible at file.business, app.file.business, our mobile applications, and any related domains (collectively, the "Services").
For most of the information we process about visitors and account holders, we act as a data controller (the entity that determines how and why personal information is processed). For information processed on behalf of our business customers (for example, payroll data about their employees), we typically act as a data processor (or "service provider" under the CCPA), and our customer acts as the controller. The Data Processing Agreement linked to your account governs that relationship and is incorporated by reference.
If you have not yet entered into an account agreement with us, this Privacy Policy is the entire framework that governs our processing of your information.
02 Information we collect
Sources
We collect personal information from four sources.
- Directly from you when you create an account, form a business, contact our team, or use any part of the Services.
- From your devices and use of the Services, including log data, device identifiers, browser type, IP address, time stamps, pages viewed, and similar telemetry.
- From third parties, including payment processors (Stripe), identity verification providers, government agencies (Secretary of State offices, FinCEN, IRS), credit bureaus where you have given consent, and business partners.
- From your interactions with our communications, including email open and click tracking and SMS delivery receipts.
Categories of personal information
The categories below are written to match both the GDPR Article 14 framework and the CCPA/CPRA categorization.
| Category | Examples |
|---|---|
| Identifiers | Name, email address, postal address, phone number, account username, IP address, government-issued ID number where required for filings |
| Customer records | Billing address, payment card last 4 and expiry, bank account information for payouts (where applicable), name and signature on contracts |
| Commercial information | Products purchased, subscriptions, transaction history, invoicing data |
| Internet/device data | Device type, OS, browser, screen size, pages visited, referring URL, session duration, error logs |
| Geolocation data | Approximate location derived from IP address. We do not collect precise geolocation unless you specifically enable it. |
| Professional or employment information | Job title, employer (when relevant to filings), employee data submitted to our payroll service (about your employees) |
| Audio, voice, electronic information | Voicemail and call recordings (only for the Communications product, with consent), customer-support call recordings (with notice) |
| Financial information | Bank account, routing numbers, payroll amounts, tax filings, business accounting data (you upload or generate this) |
| Inferences | Predicted preferences and aptitudes derived from the above, used to recommend services or content |
| Sensitive personal information | Social Security Number (only when required for IRS or state filings), driver's license or passport number (only when required by BOI, banking KYC, or I-9), precise geolocation (only if you opt in) |
We do not collect special categories of data under GDPR Article 9 (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation) except where you voluntarily provide such information (for example, in a support request) or where strictly necessary to complete a regulatory filing you have asked us to make.
03 How we use the information
We use personal information to:
- Provide the Services. Form entities, prepare and submit government filings, run payroll, send communications, store documents, process payments, and any other purpose you have asked us to fulfill.
- Operate and improve the platform. Monitor performance, detect bugs, run A/B tests, train internal models, and improve features.
- Communicate with you. Send service notifications, transactional emails, deadline reminders, security alerts, billing receipts, and, with your consent, marketing communications you can opt out of at any time.
- Comply with law. Meet our obligations under federal, state, and international law including tax, anti-money-laundering, sanctions, court orders, and regulatory inquiries.
- Protect rights and prevent harm. Investigate fraud, abuse, and security incidents; enforce our Terms of Service and Acceptable Use Policy; defend against claims; protect the safety of users and third parties.
Legal bases for processing (EU, UK, Swiss residents)
Under the GDPR and UK-GDPR, we process personal information only when one or more of the following legal bases applies:
- Performance of a contract (Article 6(1)(b)): processing necessary to provide the Services you have signed up for.
- Legitimate interests (Article 6(1)(f)): our interest in operating the business, preventing fraud, securing the platform, and improving the product, balanced against your interests and rights.
- Compliance with a legal obligation (Article 6(1)(c)): tax filings, AML/KYC, court orders, and similar.
- Consent (Article 6(1)(a)): marketing communications, non-essential cookies, optional product features. You can withdraw consent at any time.
- Vital interests (Article 6(1)(d)): rare; only in life-or-death situations.
Where we rely on legitimate interests, we conduct a balancing test and document our assessment. You have the right to object to processing on this basis (see Section 8).
05 Retention
We retain personal information for as long as is necessary to provide the Services, fulfill the purposes set out in this Policy, and meet our legal obligations. After that, we delete or anonymize the data.
Specific retention periods include:
- Active account data: retained for the life of your account.
- Filings and tax records: retained for at least 7 years after the filing year (most jurisdictions require this) and longer where state law requires.
- Payroll records: at least 4 years per IRS Publication 15 and 4-7 years per state requirements.
- Communications (call recordings, voicemail): 90 days unless flagged for legal hold.
- Server access logs: 90 days.
- Marketing data: until you unsubscribe, plus 30 days for processing.
- Closed accounts: we retain a minimal record (name, account ID, closure date, reason) for 7 years for fraud prevention and dispute resolution. All other data is deleted within 30 days of closure unless a legal hold applies.
06 Security
We use industry-standard technical and organizational measures designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Our controls include:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- SOC 2 Type II independently audited controls
- Role-based access controls with least-privilege defaults and quarterly access reviews
- Mandatory two-factor authentication for employee access
- 24/7 security monitoring, intrusion detection, and incident response procedures
- Vulnerability scanning, third-party penetration testing, and a coordinated vulnerability disclosure program
- Vendor risk assessment and contractual data-protection requirements for all subprocessors
- Employee security training, background checks for engineering roles, and confidentiality obligations
No security measure is perfect. If we become aware of a security incident affecting your personal information, we will notify you and the relevant authorities as required by law. Our breach notification commitment is described in our Security Policy.
07 International data transfers
File.Business is headquartered in the United States. Personal information we collect may be transferred to and processed in the United States or other countries where we or our service providers operate. These countries may have data protection laws that differ from the laws of your country.
When we transfer personal information out of the European Economic Area, United Kingdom, or Switzerland, we use one or more of the following safeguards:
- European Commission Standard Contractual Clauses (2021 modules) and the UK International Data Transfer Agreement / Addendum for transfers to controllers and processors in third countries
- The EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework for transfers to participating US recipients (we are self-certified)
- Your explicit consent after being informed of the risks
- The derogations under Article 49 where applicable (necessary for the performance of a contract, for example)
Copies of the safeguards we rely on are available upon request to privacy@file.business.
08 Your rights
Subject to local law and limited exceptions (for example, where producing data would adversely affect another person's rights), you have the following rights with respect to your personal information. The specific rights that apply to you depend on where you live.
EEA, UK & Switzerland (GDPR / UK-GDPR / FADP)
- Right of access (Article 15): obtain a copy of the personal information we hold about you.
- Right to rectification (Article 16): correct inaccurate or incomplete data.
- Right to erasure (Article 17): have your personal information deleted, subject to legal-hold and other exceptions.
- Right to restriction (Article 18): restrict processing in specific circumstances.
- Right to data portability (Article 20): receive your data in a structured, commonly used, machine-readable format.
- Right to object (Article 21): object to processing based on legitimate interests, including direct marketing.
- Rights related to automated decisions (Article 22): not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
- Right to withdraw consent (Article 7(3)): where processing is based on consent.
- Right to lodge a complaint: with your local supervisory authority (a list is available at edpb.europa.eu/about-edpb/about-edpb/members).
To exercise these rights, email privacy@file.business or visit your account settings. We will respond within one month (or three months for complex requests, with notice).
California (CCPA / CPRA)
California residents have additional rights. See our dedicated California Notice for the full disclosure, including the right to know, right to delete, right to correct, right to limit use of sensitive personal information, right to opt out of sale/sharing (we do not sell or share for cross-context behavioral advertising), and right to non-discrimination.
Other US states
Residents of Colorado (CPA), Connecticut (CTDPA), Delaware (DPDPA), Indiana (ICDPA), Iowa (ICDPA), Kentucky (KCDPA), Maryland (MODPA), Minnesota (MCDPA), Montana (MCDPA), Nebraska (NDPA), New Hampshire (NHDPA), New Jersey (NJDPA), Oregon (OCPA), Rhode Island (RIDTPPA), Tennessee (TIPA), Texas (TDPSA), Utah (UCPA), and Virginia (VCDPA) have rights including the right to access, correct, delete, port, and opt out of targeted advertising, sale of personal data, and certain profiling. Email privacy@file.business to exercise any of these rights.
Canada (PIPEDA & Quebec Law 25)
Canadian residents have the right to access, correct, withdraw consent, and complain to the Office of the Privacy Commissioner of Canada. Residents of Quebec have additional rights including the right to portability and rights related to automated decision-making under Law 25.
Brazil (LGPD)
Brazilian residents have the rights enumerated in Article 18 of the LGPD, including confirmation of processing, access, correction, anonymization, blocking, deletion, portability, information about sharing, and withdrawal of consent.
Australia (Privacy Act 1988)
Australian residents have rights under the Australian Privacy Principles (APPs), including the right to access and correct personal information. You may complain to the Office of the Australian Information Commissioner if you are dissatisfied with our response.
How we verify requests
To protect your information, we verify rights requests by matching the information in the request to information we already hold (typically email and account verification). For sensitive requests (deletion, full export), we may require additional verification. We do not require an account to make a request, but we may not be able to fulfill some requests without one.
09 Cookies & tracking technologies
We and our service providers use cookies, web beacons, pixels, mobile SDKs, and similar technologies to operate the Services, remember preferences, analyze usage, and (with your consent) deliver relevant marketing. The full inventory and how to opt out are in our Cookie Policy. We respect the Global Privacy Control (GPC) signal as a request to opt out of sale/sharing under applicable US state laws.
10 Automated decision-making
We use algorithmic processing to detect fraud and abuse, to recommend services, and to monitor for compliance deadlines. These uses do not produce legal effects or similarly significant effects on you within the meaning of GDPR Article 22. If we ever introduce processing that would have such effects, we will provide additional disclosures, offer the ability to obtain human intervention, and respect your right to contest the decision.
11 Children
The Services are not directed to and are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact privacy@file.business and we will delete it. We comply with the Children's Online Privacy Protection Act (COPPA) where applicable.
12 Changes to this policy
We will post any material changes to this Policy on this page and update the "Last updated" date at the top. For material changes that affect rights or how we use information, we will provide additional notice (by email, in-product banner, or both) at least 30 days before the change takes effect, unless a shorter period is required by law. Continued use of the Services after the effective date constitutes acceptance.
Prior versions of this Policy are archived and available on request.
13 Contact us
The data controller is File.Business, Inc., 101 N Monroe St, Suite 800, Tallahassee, FL 32301, United States. You can reach us by:
- Email: privacy@file.business for any privacy or data request
- Data Protection Officer: dpo@file.business
- EU Representative (Article 27 GDPR): VeraSafe Ireland Ltd., Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23 AT2P, Ireland
- UK Representative: VeraSafe United Kingdom Ltd., 37 Albert Embankment, London SE1 7TL, United Kingdom
- Postal mail (US): File.Business, Inc., Attn: Legal, 101 N Monroe St, Suite 800, Tallahassee, FL 32301
Requesting your data, deletion, or correction
The fastest path is from your account settings (Settings → Privacy → Manage data). If you do not have an account, email privacy@file.business with your full name, the email address you have used with us, the request type, and (for verification) one piece of correlating information. We respond within 30 days, free of charge, up to twice per year.