Privacy

The privacy policy.

Last reviewed April 2026.

Incorporator is a magazine about forming U.S. companies. We collect what we need to run the site and answer your questions, and nothing else. In practice that means request logs at the edge, a hashed record of affiliate clicks, the email addresses of newsletter subscribers, and the contents of any message you send through the contact form.

What we do not do is worth naming too. We run no third-party analytics. We load no ad networks. We do not use session replay. We do not fingerprint browsers. We do not sell data, and we have no integration through which selling data would be possible even if we wanted to.

Data we collect

Five categories, each with a retention window.

Every category of personal data that touches our infrastructure is in the table below. If it's not here, we don't have it.

Request logs

Debugging and abuse investigation. Captured automatically by Cloudflare at the edge.

7 days

Hashed IPs on affiliate clicks

Fraud screening on /go/:slug redirects. SHA-256 over the raw IP plus a salt that rotates every 24 hours, so the hash is not reversible the day after it is written.

180 days

Newsletter email addresses

To deliver the issue you asked for. Double opt-in; the address is not added to the list until you confirm the link.

Retained while subscribed; deleted 30 days after unsubscribe

Contact-form submissions

To answer your question. Stored in D1 until the thread is closed, then purged on a rolling schedule.

12 months

Admin session tokens

Bearer tokens for editorial staff. Held in the browser's sessionStorage. No server-side cookie is set for any public visitor.

Cleared on tab close

Subprocessors

One vendor, named in full.

We run the entire site on Cloudflare. There is no secondary analytics vendor, no CRM, no email marketing platform, no ad server. If that changes, this section changes with it.

Cloudflare, Inc.

Sole subprocessor

Purpose. Hosting, edge compute (Workers), database (D1), object storage (R2), key-value (KV), vector search (Vectorize), image delivery (Images), email routing, DNS. The entire stack.

Location. Global edge; data at rest in D1 stored in a region selected at deploy time. The primary replica is in North America.

Retention. Follows the per-category windows listed above. Cloudflare's own sub-processor terms apply.

Your rights

GDPR Articles 15 through 21.

If you are in the European Union, the United Kingdom, or a jurisdiction that has adopted a comparable regime, you have the following rights over the personal data we hold on you. Email privacy@incorporator.org or use the contact form. Reference this page in your subject line and we will route the request correctly.

Access

A copy of what we hold on you, in a machine-readable format on request.
Rectification

Correction of anything inaccurate. Tell us what's wrong and we'll fix it.
Erasure

Deletion of your records, subject to any legal retention obligation (we rarely have one).
Portability

Your data exported as JSON, delivered by email. Same scope as the access right.
Objection and restriction

Tell us to stop processing a particular category. We'll stop unless we can show a compelling legal ground, which for a magazine's reader data we almost never can.
Withdraw consent

Unsubscribe from the newsletter at any time from the footer link in any issue, or email us.

California residents (CCPA / CPRA).

California adds four rights on top of the list above. They apply regardless of whether you're a subscriber or just a reader.

Right to know

The categories and specific pieces of personal information we've collected on you in the last 12 months.
Right to delete

Deletion of personal information we hold, with the same exceptions as under GDPR.
Right to opt out of sale

We do not sell personal information and have no mechanism to sell it. There is nothing to opt out of. This sentence itself is the opt-out notice the statute asks for.
Right to non-discrimination

Exercising any of these rights will not change the content you see on the site or the newsletter you receive.

Turnaround. We target 30 days for a complete response. Complex requests (full export, cross-system reconciliation) can extend to 60 days, which is the statutory ceiling under both regimes. If we need the extra time, we will say so before day 30 and explain why.

Zero on the public site.

The public site sets no first-party cookies and loads no third-party cookies. You will not see a consent banner here because there is nothing to consent to.

The admin area, which the reading public does not see, uses the browser's sessionStorage to hold a bearer token for signed-in editors. It never leaves the origin and is cleared when the tab closes.

If a future change introduces a cookie of any kind, it ships in the same release as an update to this page and a note in the change log at the bottom.

Children

No content for anyone under 13.

Incorporator is written for adults forming companies. We do not target content at children under 13, we do not knowingly collect their data, and we do not use their information for any marketing purpose. If we receive a subscription or contact request from someone we have reason to believe is under 13, we delete the record on discovery and reply to the address from which the request came.

International transfers

Cloudflare's global edge.

The site runs on Cloudflare's global network. Requests from within the European Union and the United Kingdom are typically routed through a regional data center in that area. Data at rest (our D1 database, R2 object storage) lives in a region selected at deploy time. Transfers out of the EEA rely on Cloudflare's Standard Contractual Clauses, which are part of their standard Data Processing Addendum.

Incidents

72 hours, in public.

In the event of a data breach, we will post a written notice on our trust center within 72 hours of confirming the incident, and email everyone whose data was materially affected. The notice will name what happened, what was accessed, what we have done in response, and what (if anything) we need you to do.

Contact

Privacy requests.

Email privacy@incorporator.org for any exercise of the rights above, any correction, or any question about how your data is handled. We acknowledge within five business days and respond on the 30 / 60-day clock described above. You can also reach the same inbox through the contact form if you'd rather not email directly.

Change log

Every material update, dated.

April 2026

Initial comprehensive rewrite. Prior versions stubbed the subprocessor list and did not name retention windows.

Material changes will be dated here. Stylistic edits travel in git history.