Privacy Policy | FormFlow

1. Information We Collect

Account Information

When you create an account, we collect your name, email address, and authentication credentials. If you sign in with Google OAuth, we receive your name, email, and profile picture from Google.

Form Submission Data

We store the data submitted through your forms on behalf of you and your end users. This may include names, email addresses, messages, and any other fields you define. You are the data controller for this information; we act as a data processor.

Automatically Collected Information

For each form submission, we may collect:

IP address (used for geolocation and spam detection)
Approximate geographic location (country, city) via ip-api.com
Browser user agent
Referring URL and UTM parameters

2. How We Use Your Information

To provide and maintain the Service
To send email notifications about form submissions
To detect and prevent spam using AI scoring and CAPTCHA verification
To provide analytics and usage statistics
To process payments via our payment processor
To communicate with you about your account and service updates

3. Third-Party Services

We use the following third-party services to operate FormFlow:

Turso — Database hosting and storage
Resend — Email delivery for notifications and auto-responses
Dodo Payments — Payment processing for subscriptions
ip-api.com — IP geolocation lookup
Google — OAuth authentication (optional)
reCAPTCHA / Turnstile / hCaptcha — Spam protection (when enabled by form owner)

Each of these services has its own privacy policy. We only share the minimum data necessary for each service to function.

4. Cookies

FormFlow uses only essential cookies required for authentication and session management via NextAuth.js. We do not use tracking cookies or third-party advertising cookies.

5. Data Retention

We retain your account data and form submissions for as long as your account is active. Upon account deletion, we will remove your data within 30 days. You may export your submissions at any time via CSV/JSON export or the REST API.

6. Your Rights (GDPR)

If you are located in the European Economic Area, you have the right to:

Access — Request a copy of the personal data we hold about you
Rectification — Request correction of inaccurate data
Erasure — Request deletion of your data
Portability — Export your data in a machine-readable format
Objection — Object to processing of your data

To exercise any of these rights, contact us at privacy@formslist.com.

7. Data Security

We implement appropriate technical and organizational measures to protect your data, including encrypted connections (HTTPS), hashed passwords (bcrypt), and hashed API keys. However, no method of transmission over the internet is 100% secure.

8. Children's Privacy

FormFlow is not directed at children under 13. We do not knowingly collect data from children under 13. If we learn that we have collected such data, we will delete it promptly.

9. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top reflects the most recent revision.

10. Contact

For privacy-related questions, contact us at privacy@formslist.com.