Privacy Policy

Formai (“Formai”, “we”, “us”, “our”) provides an online platform for building, publishing, and collecting responses to web forms (the “Service”). This Privacy Policy explains what personal data we collect from users of the Service, why we collect it, how we use it, who we share it with, and the rights you have over it. It applies to our website, app, APIs, and any related services.

1. Who this policy applies to

This policy applies to two distinct categories of people:

Account holders — people who sign up for a Formai account to build forms (our customers).
Respondents — people who submit information through a form created by an account holder.

The data we collect, the legal basis for processing it, and your rights differ depending on which category you fall into. Where relevant we call this out explicitly below.

2. Controller and processor roles

For data relating to account holders (your account email, billing information, form configuration), Formai acts as a data controller — we decide why and how the data is processed.

For data submitted by respondents through a form (the responses themselves), Formai acts as a data processor on behalf of the account holder who created the form. The account holder is the controller of that response data and is responsible for providing respondents with appropriate notice and legal basis.

3. Data we collect

From account holders, we collect:

Account data: email address, name (if provided), hashed password or OAuth provider identifier, profile avatar URL.
Form content: the form titles, descriptions, fields, settings, and logic you create.
Billing data: plan tier, Stripe customer and subscription identifiers, subscription status, and renewal dates. We do not store card numbers or CVV codes — those are handled directly by Stripe.
Usage data: aggregate feature usage, AI generation counts, log records of API calls, and similar telemetry needed to operate the Service.
Communications: emails you send to support or in response to product communications.

From respondents who submit a form, we collect on behalf of the form's owner:

Submission content:any values you type, upload, or select in the form's fields.
Submission metadata: approximate IP address, user-agent string, referrer URL, and a timestamp. This is used for spam prevention, abuse detection, and basic analytics.
Event signals:form views, starts, completions, and abandonments — used to power the form owner's analytics dashboard.

We do not knowingly collect special-category personal data (e.g. health, biometric, political opinion) unless the account holder chooses to ask for it through their form. Account holders are responsible for ensuring they have a lawful basis to collect such data.

4. How we use your data

We process personal data to:

Provide, maintain, and secure the Service.
Authenticate users and prevent unauthorised access.
Process payments, manage subscriptions, and issue invoices.
Generate forms and field suggestions using our AI features when you ask us to.
Send transactional emails (account confirmations, billing receipts, security alerts).
Detect, investigate, and prevent spam, fraud, and abuse.
Comply with legal obligations and enforce our Terms.

We do not sell personal data, and we do not use submission content to train AI models.

5. Legal basis for processing (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR/UK GDPR:

Contract (Art. 6(1)(b)) — to provide the Service you signed up for and to take pre-contractual steps at your request.
Legitimate interests (Art. 6(1)(f)) — to keep the Service secure, prevent fraud, improve features, and communicate non-marketing updates. You may object at any time.
Legal obligation (Art. 6(1)(c)) — to retain records required by tax, accounting, and other laws.
Consent (Art. 6(1)(a)) — for optional marketing communications and for any special-category data processing. You may withdraw consent at any time.

6. Cookies and similar technologies

We use a small number of first-party cookies and equivalent browser storage. We do not use third-party advertising or cross-site tracking cookies.

Strictly necessary: session cookies issued by Supabase to keep you signed in, CSRF-protection tokens, and feature-flag toggles. These cannot be disabled without breaking the Service.
Preferences: local storage to remember UI preferences (theme, sidebar state, drafts of forms in progress).
Analytics: aggregate, privacy-preserving counters for form views, starts, and completions. We do not set advertising IDs or share data with ad networks.

You can clear cookies and local storage through your browser settings at any time. Doing so will sign you out of Formai.

7. Third-party processors

We rely on a small set of vetted sub-processors to operate the Service. Each is bound by a data-processing agreement and processes data only on our instructions.

Supabase, Inc. (United States) — hosted PostgreSQL database, authentication, and file storage. Stores account data, form configurations, and submission content. supabase.com/privacy
Stripe, Inc. (United States) — payment processing, subscription management, and invoicing. Stripe receives your billing details directly; we only see customer/subscription identifiers and status. stripe.com/privacy
Anthropic, PBC (United States) — large language model API powering our AI form generation. We send the natural-language prompt you provide to build a form. We do not send respondent submission content to Anthropic. Anthropic does not train its models on API content. anthropic.com/privacy
Resend, Inc. (United States) — transactional email delivery (account, billing, and notification emails).
Vercel, Inc. (United States) — application hosting and content delivery network.

We will update this list when we add or change processors. If you would like a current list of sub-processors for a Data Processing Agreement, contact us at the address below.

8. Data retention

We retain account data for as long as your account is active and for a reasonable period afterwards to comply with legal obligations, resolve disputes, and enforce our agreements. If you delete your account, account-level data is erased within 30 days and back-ups age out within 90 days.

Form submissions are retained until the account holder deletes them or closes the parent form. Account holders can export or delete submissions at any time from the dashboard.

Billing records may be retained for up to 7 years to comply with tax, accounting, and financial reporting laws.

9. International data transfers

Our infrastructure and sub-processors are primarily located in the United States. Where we transfer personal data outside the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses or the UK's International Data Transfer Addendum, together with supplementary measures where required.

10. Security

We protect data with TLS in transit, encryption at rest, role-based access controls, principle-of-least-privilege service keys, audit logging, and regular dependency review. No system is ever completely secure — please use a strong, unique password and enable multi-factor authentication if available.

If we become aware of a security incident affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours of discovery, as required by applicable law.

11. Your rights

Subject to local law, you have the right to:

Access — request a copy of the personal data we hold about you.
Rectify — correct inaccurate or incomplete data.
Erase — request that we delete your data, subject to retention obligations.
Restrict or object — limit how we process your data, or object to processing based on legitimate interests.
Port — receive your data in a structured, machine-readable format.
Withdraw consent — for any processing that relies on consent, without affecting processing carried out before withdrawal.
Lodge a complaint with your local data protection authority.

California residents have additional rights under the CCPA/CPRA, including the right to know what categories of personal information we collect and to opt out of any sale or sharing. We do not sell or share personal information as those terms are defined under California law.

If you are a respondent who submitted data through a form, please contact the account holder who operates the form. We will assist them in fulfilling your request.

To exercise any right, email us at privacy@formai.app. We will respond within 30 days.

12. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

13. Changes to this policy

We may update this policy from time to time. If we make material changes we will notify account holders by email and post a notice in the dashboard at least 30 days before the changes take effect.

14. Contact

For any privacy question, request, or complaint, contact our privacy team at privacy@formai.app. For EU/UK representation enquiries, please reach out via the same address.