What we hold, where it lives, and who else can see it.
Everything we store about you, every third party we send it through, and how we respond when law enforcement asks for it. One page. No marketing language.
Report date: July 5, 2026
Operational snapshot
- Warrant canaryCurrent
- Government requests fulfilled0
- Confirmed data breaches0
- Ad / analytics trackingNone
Warrant Canary
What is true today
The statements below are kept current. Some categories of legal order can prevent us from updating them — that is why the absence of an update is itself the signal.
Current
As of July 5, 2026
As of July 5, 2026, none of the assertions below have changed. If this section ever stops updating, treat the silence as the message and seek independent confirmation before relying on the older statements.
In plain language
A warrant canary is a way to tell you something has changed when a court order says we can't say so directly. If a statement above ever disappears without explanation, treat the absence as the answer.
This is separate from the records we keep to register your LLC. Forming a company requires real name and address information that we retain and that we will produce in response to valid legal process. For details on what that means in practice, read the Privacy Policy.
Business Model
We charge for services. We do not sell data about you.
Most free privacy tools pay for themselves by selling what they learn about the people using them. We don't. The free tools on this site exist so you can use them without becoming the product. Paid services cover the cost of running the company.
Free Tools
No account required. Each tool's data handling is listed below in the exposure surface table.
Paid Services
LLC formation, data removal, and audits. Listed prices, no hidden upsell.
Customer Data
Your account exists so you can use our services. It is not bundled, scored, or sold to data brokers.
Directory & partners
Tools directory.We don't put affiliate links in our tool directory, and listings aren't paid placements. Tools are included and ranked on Privacy Protocol data — not because a vendor paid us.
Disclosed partners.When we send you to a partner on a specific step — like managed digital erasure or recommended business email after formation — we'll tell you next to the link if we may earn a commission. You can always use the service without our link.
Our primary revenue is paid services we operate (LLC formation and audits) — not directory clicks.
At a Glance
Headline numbers
Detailed retention and processor disclosures are below.
Government requests fulfilled
We will challenge requests we believe are overbroad.
Customer records disclosed
Confirmed breaches
Ad / tracking pixels
No Google Analytics, Facebook Pixel, or LinkedIn Insight.
Data Practices
Retention schedule
Neon Postgres holds the records below unless another store is named. Payment data lives with Stripe.
Data inventory
What we store, how long it lives, and which processor holds it when it isn't our database.
| Data type | Where it lives | Retention |
|---|---|---|
| Account identifiers (email, optional DERO address) | Neon | Until you delete your account. |
| Login sessions | Neon | Until logout or scheduled rotation. |
| Magic link tokens | Neon | Roughly 15 minutes, then expired. |
| Passkey credentials | Neon | Until you delete your account. |
| LLC formation records | Neon | Retained for legal and regulatory recordkeeping. |
| Paid privacy audit results | Neon | 72-hour rolling window, then deleted. |
| Privacy scanner results (public tool) | Neon | Up to 48 hours, then deleted. |
| AI assistant conversations | Neon | Rolling 7-day cleanup. |
| Stripe link + billing metadata | Neon + Stripe | Linked to your account until deletion. Card and bank details live with Stripe per their policy. |
| Public tools directory | Neon | Retained indefinitely. Reference material, no personal data. |
Trust Model
Where the limits actually sit
We sell privacy, but trust requires saying out loud where the architecture ends and legal process resumes.
Public tools
What each tool exposes
Browser Exposure
Runs entirely in your browser. Location lookups use ipapi.co; results are not stored.
Password Check
Runs in your browser using k-anonymity. Only a partial hash leaves your device.
DNS Leak Test
Runs entirely in your browser. We never see the result.
Threat Model
Runs in your browser. Your answers stay on your device.
Metadata Stripper
Your file is processed in memory and discarded as soon as the cleaned copy is returned.
Privacy Scanner
The URL you submit and its results are cached for up to 48 hours, then deleted.
Email Security / WHOIS
The address or domain you submit is used to run the lookup and is not retained as a profile.
Tools Directory
No personal profile. Routine searches are not logged for marketing.
Paid formation
Anonymous LLCs are architectural, not cryptographic
Forming an LLC is legal work, not encryption. State registries require a real person on file. Anonymous LLC structures keep your name off the public registry where state law allows — but we hold the records needed to respond to regulators, banks, and lawful court orders.
What we hold
- The legal name and address required to file your LLC
- The intake information the filing partner needs to complete your filing — citizenship status, member or manager structure, ownership breakdown, and any scenario-specific details you provide during the post-payment intake
- Stripe billing records linked to your account if you pay by card
What stays off public filings
- Member and manager names on state filings where law allows substitution (Wyoming and New Mexico are the strongest; Delaware lets less be omitted and we'll tell you so up front)
- Your home address — we substitute the registered agent address across every member, manager, contact, principal, and mailing field
Architecture
What we've shipped to limit what we hold — and what's being built next
A formation service has to receive some real information from you because state filings require a real person on file. We're shipping the architecture to minimize what we hold beyond that floor. The list below is honest about what already works and what is in active development.
Shipped today
- Encrypted formation document delivery (Dead Drop): formation documents are encrypted to your wallet's public key and stored as ciphertext. The wallet-only download path is in active development — today the default document download still serves the plaintext copy directly.
- Identity-blind DERO checkout: if you pay with DERO, no email, card, or other personal identifier is collected at the payment step.
- Filing partner is blinded to your address: we substitute our registered-agent address across every field the filing partner receives.
- No third-party analytics in production: no Google Analytics, no Facebook Pixel, no LinkedIn Insight, no Sentry, no Plausible, no session replay.
In active development
- Wallet-only Dead Drop read path: so wallet-authenticated clients only ever receive encrypted documents.
- Per-formation encryption of intake data: so the intake information we collect is not held in raw form by us or visible to internal staff without an explicit decrypt action.
- Multi-factor authentication for any internal account that could view client data, plus an audit log of every internal access.
- A cleanup pass on internal logs to remove any names or addresses that might appear in error traces or runtime output.
- Stripe path tightening: we'll narrow what we persist from Stripe checkout to the minimum needed for refunds and disputes.
The point of listing the in-progress work here is so that you can hold us to it. When we complete a line above, the entry moves to the “Shipped today” column. If a line stalls or gets dropped, that change shows up here before it shows up anywhere else.
Dependencies
Every third party we use
These companies see some of your data while doing their job. We list them here so nothing about the stack is hidden.
Operational processors
A short summary of each. We can provide a full DPIA or SOC report on request for diligence work.
Infrastructure
- Hosting
- Bare-metal VPS we operate. Application and routing logs rotate on a fixed schedule.
- Neon
- Our database host. Data is encrypted at rest. Neon has provider-level access and can be served with legal process directly.
- Stripe
- Payments. Card and bank account details live with Stripe; we store only the link to your Stripe customer record.
Feature-plane services
- ipapi.co
- Maps your IP to a coarse city/region for the Exposure tool. Your browser calls them directly — we don't proxy it.
- OpenStreetMap
- Map tiles for the Exposure tool. No tracking pixels.
- Venice.ai
- Powers AI-assisted features when you enable them. Your prompts leave our servers for inference.
- Resend
- Sends magic-link login emails only. No marketing campaigns run through this.
- Have I Been Pwned
- Checks whether your password or email appears in known breaches using k-anonymity. Only a partial hash is sent.
We don't run Google Analytics, Facebook Pixel, or LinkedIn Insight. If that ever changes, this page is updated before the new tracking script ships.
Tools directory sources
The open community lists we started from. Each links back to the original so you can review the upstream.
- Awesome Privacy
- Community-curated privacy tool inventory
- KYCnot.me
- Merchants reviewed for KYC posture — informs our crypto coverage
- DuckDuckGo Favicon Proxy
- Loads website favicons without calling Google's servers
Things we will never do
What we don't build is part of the product. Listing it makes the boundary public.
- Sell customer data to anyone
- Use persistent advertising identifiers
- Run hidden session recording
- Share customer profiles with ad networks
- Keep permanent IP logs for behavioral scoring
- Require social login (Google / Facebook) by default
- Require a phone number to sign in
- Add tracking scripts not disclosed here
Incident playbook
No system is perfect. If we ever have a material breach, the following commitments take effect.
- 1.Notify affected accounts within 72 hours of confirming the scope.
- 2.Publish what happened, what was exposed, and when — in plain language.
- 3.Coordinate with Stripe and other processors if billing data was affected.
- 4.Publish a post-incident report showing what we changed in response.
- 5.Prevent the same failure from happening again — not just write an apology.