Legal
Privacy Policy
Effective April 2, 2026. We may update these documents from time to time; we will revise the effective date above and, where appropriate, provide additional notice (for example by email or a notice in the dashboard). If you continue to use the Service after changes take effect, you agree to the revised terms or policy. For questions, use Contact.
In short: We collect what we need to run Formsig, your account, the submissions your forms receive, and data needed for security and billing. We do not sell your personal information. If you are a Customer, you decide what your forms collect and how you use notifications; you are the controller for that End User data, and we act as a processor when we store and deliver it on your behalf (see Section 2).
1. Introduction
This Privacy Policy (“Policy”) describes how Formsig (“Formsig,” “we,” “us,” or “our”) collects, uses, discloses, and otherwise processes personal information in connection with our website at our domains, our customer dashboard and APIs, hosted form submission endpoints, and related services (collectively, the “Service”). It applies to visitors to our marketing site, registered account holders (“Customers”), and, where noted, individuals who submit information through forms that our Customers configure on the Service (“End Users”).
By using the Service, you agree to this Policy. If you do not agree, please do not use the Service. Our Terms of Service govern use of the product and work together with this Policy.
2. Controllers, processors, and form submissions
Customers as controllers. When you use Formsig as a Customer, you decide why and how personal information is collected through the forms and endpoints you configure, the purposes of processing, which fields to collect, and the legal basis (for example consent or contract) as between you and your End Users. You are responsible for providing any required notices to End Users and for responding to their rights requests regarding data you collected through your forms.
Formsig as processor. For personal information contained in form submissions and related files that End Users send to your Formsig endpoints, we process that information as a processor (or “service provider” / similar terms under U.S. state laws) on your behalf and only to provide the Service you instructed us to provide, such as storing submissions, showing them in your dashboard, sending notifications or webhooks you enable, and operating security and reliability controls. We do not use End User submission content to market to End Users or for our own separate business purposes beyond operating and improving the Service in accordance with our agreement with you and this Policy.
Formsig as controller. For personal information we collect about you as a visitor or Customer (for example account registration, billing metadata, support tickets, and technical logs about your use of the dashboard), we act as a controller and determine how and why that data is processed, as described in this Policy.
3. Personal information we collect
3.1 Account and profile information. When you register, we collect identifiers and contact details such as your name, email address, and password (stored using industry-standard hashing). We may collect optional profile information you choose to provide.
3.2 Billing information. If you subscribe to a paid plan, our payment processor (for example Stripe) collects payment card or bank details and billing address. We receive limited billing metadata (for example subscription status, last four digits of a card, or invoice identifiers) but do not store full payment card numbers on our servers.
3.3 Form submissions and Customer content. When an End User submits a form to a Customer’s Formsig endpoint, we process and store the fields the Customer configured (for example name, email, message text) and, where enabled, files or file metadata associated with the submission. The categories of data depend entirely on how each Customer builds their form.
3.4 Communications. If you contact us (for example through our contact form), we collect the information you provide (such as email address, subject, and message content) and may keep correspondence to resolve your request.
3.5 Technical and usage data. We automatically collect certain internet and device data when you interact with the Service, such as IP address, approximate location derived from IP, browser type, device identifiers, referring URLs, pages viewed, timestamps, and diagnostic logs. We use this information to operate, secure, and improve the Service and for abuse prevention.
3.6 Cookies and similar technologies. We use cookies and similar technologies only where needed for essential functionality (for example session management so you stay signed in), security (for example CSRF protection where applicable), and bot mitigation on some pages (for example Cloudflare Turnstile) when configured. We do not use cookies for cross-site tracking, behavioral advertising networks, or “tracking” you across unrelated sites. We do not sell personal information. You can control cookies through your browser settings; disabling strictly necessary cookies may limit sign-in or security features.
4. How we use personal information
We use personal information for the following purposes:
- Provide the Service: create and manage accounts, authenticate users, host form endpoints, store and display submissions, send notifications and webhooks you configure, and process transactions.
- Communicate with you: send transactional messages (verification, password reset, billing receipts, security alerts, service announcements) and respond to support requests.
- Security and abuse prevention: detect fraud, spam, and attacks; enforce rate limits; investigate incidents; and protect the rights and safety of Formsig, Customers, and third parties.
- Improve and develop: analyze aggregated or de-identified usage patterns, troubleshoot, and develop new features.
- Legal and compliance: comply with law, respond to lawful requests from public authorities, and enforce our terms and policies.
We do not sell your personal information as that term is defined under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA). We do not use personal information for cross-context behavioral advertising as a sale of personal information.
5. Legal bases (EEA, UK, and similar jurisdictions)
Where the GDPR, UK GDPR, or similar laws apply to processing for which Formsig is the controller (for example account and billing data), we rely on one or more of: (a) Contract, processing necessary to provide the Service you requested; (b) Legitimate interests, for example securing the Service, improving reliability, and preventing abuse, balanced against your rights; (c) Consent, where we ask for it (you may withdraw consent at any time without affecting prior processing); and (d) Legal obligation, where required by law.
Where we act as a processor for End User data in form submissions, the Customer is responsible for determining the legal basis for that collection and for providing any required notices to End Users. We process such data on documented instructions from the Customer (including the configuration of forms, notifications, and webhooks) and as described in this Policy and our Terms of Service.
6. How we disclose personal information
We disclose personal information in the following circumstances:
- Service providers and subprocessors: We engage vendors to help us operate the Service, such as cloud hosting and edge networks (for example Cloudflare), email delivery (for example Resend), payment processing (for example Stripe), and analytics or logging tools we may use in aggregated form. They process data on our instructions and are contractually required to protect it.
- Legal and safety: We may disclose information if we believe in good faith that disclosure is required by law, legal process, or government request, or to protect the rights, property, or safety of Formsig, our users, or others.
- Business transfers: If we are involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction. We will require the successor to honor this Policy or notify you of changes.
- With your direction: For example, when you configure webhooks, email notifications, or integrations that cause data to be sent to third-party systems you control.
A current list of material subprocessors we use to provide the Service is available upon request through our contact form.
7. International transfers
Formsig is operated from the United States and may use infrastructure in the United States and other countries. If we transfer personal information from the EEA, UK, or Switzerland to countries not deemed adequate by the relevant authority, we implement appropriate safeguards such as Standard Contractual Clauses or other mechanisms permitted by law. You may contact us for more information about such safeguards.
8. Retention
We retain personal information for as long as necessary to fulfill the purposes described in this Policy, unless a longer period is required or permitted by law.
Active accounts. We keep your account data and associated configuration while your account remains open. Submissions remain available in your dashboard until you delete them or delete the associated form or account, subject to the backup window below.
After you delete data or close your account. When you delete individual submissions or forms, or when you delete your account, we remove or anonymize that data from active systems within a commercially reasonable period. Residual copies may persist in encrypted backups for a limited period, typically on the order of seven (7) to thirty (30) days, after which they are overwritten or expired according to our infrastructure provider’s backup rotation. We do not guarantee a shorter window than our providers’ standard cycles.
Logs and security. Technical and security logs may be kept for a shorter or rolling window (often days to weeks) for abuse prevention, debugging, and compliance, unless a longer hold is required for an investigation or legal obligation.
Legal holds. We may retain certain information longer where required to comply with law, resolve disputes, or enforce our agreements.
9. Security
We implement technical and organizational measures designed to protect personal information, including encryption in transit (HTTPS), access controls, authentication, monitoring, and rate limiting. No method of transmission or storage is completely secure; we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your credentials and for configuring your forms and integrations responsibly.
10. Your privacy rights, deletion, and choices
Depending on your location, you may have rights to access, correct, delete, or export personal information we hold about you; to object to or restrict certain processing; to withdraw consent where processing is consent-based; and to lodge a complaint with a supervisory authority.
Customers. You can access, export, and delete individual form submissions and manage your account data through the dashboard where the product provides those controls. You may also delete your account, which removes your forms and associated submissions from active systems as described in Section 8.
To exercise rights that are not self-service, or for privacy requests directed to Formsig as controller, contact us through the contact form. We will respond in accordance with applicable law and may need to verify your identity. If you are an End User and want to access or delete data you submitted through a Customer’s form, contact that Customer first; we may assist them in responding to validated requests where appropriate.
11. California residents
If you are a California resident, the CCPA/CPRA may grant you specific rights regarding personal information. Categories of personal information we collect are described in Section 3. Purposes of use are described in Section 4. We disclose personal information to service providers as described in Section 6. You may have the right to know, delete, correct, and opt out of certain sharing (we do not sell personal information). You may designate an authorized agent to make a request where permitted by law.
12. Children’s privacy
The Service is not directed to children under thirteen (13) years of age (or a higher age if required by local law), and we do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us through the contact form and we will take appropriate steps to delete it.
13. Automated decision-making
We do not use personal information for automated decision-making that produces legal or similarly significant effects solely by automated means. We may use automated tools for security, spam detection, and operational routing.
14. Changes to this Policy
We may update this Policy from time to time. We will post the updated Policy on this page and revise the “Effective” date at the top. Where changes are material, we will provide additional notice as required by law (for example by email or dashboard notification). Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Policy where permitted by law.
15. Contact us
For privacy-related questions or requests (including subprocessors list, data protection inquiries, and rights requests), use the contact form on our website. We will do our best to respond promptly.