Legal

Privacy Policy

Effective: May 21, 2026 · Last updated: May 21, 2026

1. Overview

CCorp.com (“CCorp”, “we”, “us”) provides entity formation services and email infrastructure (alias forwarding and managed mailboxes) on customer-owned domains. This policy explains what personal information we collect, why we collect it, who we share it with, how long we keep it, and the rights you have over it. It applies to ccorp.com and to all related services we operate at api.ccorp.com, hooks.ccorp.com, and mail.ccorp.com.

2. Information we collect

We collect the minimum information needed to operate the services you request.

  • Account and signup data. Business name, contact email, phone (optional), domain name(s), and the mailbox(es) you want to create.
  • Waitlist data. If you join our waitlist, we store your email, business name, and domain (if provided) so we can invite you when capacity opens up.
  • Contact form data. Name, email, company (optional), topic, and message.
  • Email metadata. For mail we forward or store on your behalf we retain message envelope data (sender, recipient, timestamp, message ID, delivery status, bounce/complaint events) for deliverability, abuse prevention, and support purposes. We do not read message bodies except when required to investigate abuse, fraud, or a legal request.
  • Entity formation records. For corporation and LLC formations, the principal name, contact, business address, and any documents you provide for state filings or EIN issuance.
  • Operational logs. IP address, user-agent, and timestamp for security, rate-limiting, and fraud prevention.
  • Cookies. Strictly-necessary cookies for session and CSRF protection, and a small invite cookie set after you redeem a waitlist invite. We do not run third-party advertising cookies.

3. How we use it

  • To provide and operate the services you request (form your entity, set up your email, deliver and forward your messages).
  • To communicate transactional and service messages (verification emails, setup guides, deliverability alerts, billing).
  • To detect, prevent, and respond to fraud, abuse, deliverability violations, and security incidents.
  • To comply with legal obligations (subpoenas, court orders, lawful regulatory requests, retention required by tax law).
  • To improve our products and customer experience in aggregate, de-identified form.

We do not sell your personal information. We do not share it with advertisers and we do not use it to train third-party AI models.

4. Who we share it with

We use a small set of subprocessors to deliver the service. Each is contractually bound to handle data on our instruction:

  • Cloudflare — DNS, CDN, and web application firewall.
  • Vercel — web hosting for ccorp.com.
  • Postmark (ActiveCampaign) — transactional email delivery and bounce/complaint webhooks.
  • Spaceship and Porkbun — registrar APIs we call only when you ask to apply DNS records on your behalf.
  • Forward Email (self-hosted on our infrastructure) — open-source mail server we operate ourselves; data stays on infrastructure we control.

We may also share information with our registered-agent partners and state filing services when you ask us to form an entity on your behalf, and with legal/accounting counsel and law enforcement when legally required.

5. How long we keep it

  • Active account and mailbox data: while your account or service is active, plus a 90-day grace period after termination.
  • Email delivery metadata (bounces, complaints, deliveries): 24 months for deliverability and abuse defense.
  • Entity formation records, invoices, and tax records: 7 years (US tax/audit retention).
  • Waitlist data: deleted when you ask, or 24 months after the last interaction, whichever comes first.
  • Operational logs (IP, user-agent): 90 days.

6. Your rights

Depending on where you live, you may have the right to:

  • Access a copy of the personal information we hold about you.
  • Correct inaccurate information.
  • Delete your information, subject to legal retention requirements.
  • Object to or restrict certain processing.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with your local data protection authority.

For GDPR purposes (EU/UK customers), CCorp is the data controller for the data described above and can be reached atprivacy@ccorp.com. For California residents (CCPA/CPRA), we do not sell or share personal information for cross-context behavioral advertising.

7. Security

We encrypt data in transit (TLS 1.2+) and at rest where supported by our infrastructure. Access to production systems is restricted to a small number of operators, audited, and protected by hardware MFA. We run automated bounce and complaint webhooks with auto-suspension thresholds to protect deliverability for all customers on shared infrastructure.

8. International transfers

Our infrastructure is operated primarily in the United States (Cloudflare global, Vercel iad1, Postmark US, our own servers in New Jersey). If you access CCorp from outside the United States, your information will be transferred to and processed in the United States.

9. Children

CCorp is not intended for use by anyone under 16. We do not knowingly collect personal information from children.

10. Changes

We will post any material changes to this policy on this page with a new “Last updated” date and, for material changes, notify active account holders by email at least 14 days before the change takes effect.

11. Contact

Questions about this policy or your data: privacy@ccorp.com. General inquiries: hello@ccorp.com.