Effective April 20, 2026
When you create an account we collect your email address and password (hashed). When you connect OAuth providers (e.g., Gmail) we store the OAuth tokens needed to operate the integration.
When a form submission arrives at your endpoint we store the submitted payload (fields, values, IP address, user-agent, timestamp) so we can route it to your configured destinations and show it in your dashboard.
We log standard server-side request metadata (IP addresses, HTTP headers, response codes) for security and debugging purposes.
We do not sell your data or your end-users' submission data to third parties.
Data is stored in PostgreSQL on servers located in the United States. Backups are encrypted at rest. We retain submission data as long as your account is active. When you delete a form, its submissions are deleted. When you close your account, all associated data is deleted.
We use a small number of sub-processors to operate the service:
Each processor receives only the data necessary to perform their function.
We use a single session cookie to keep you logged in. We do not use tracking cookies or third-party advertising pixels.
You can export or delete your submissions from within the dashboard at any time. To close your account and delete all associated data, contact us. If you are subject to GDPR or CCPA and have a request regarding personal data, use the same contact page and we will respond within 30 days.
All traffic is encrypted via HTTPS. Passwords are hashed with bcrypt. API keys are stored as hashed values and displayed in full only once at creation. If you discover a security vulnerability, please report it via the contact page.
If we make material changes we will update the effective date at the top of this page and, for significant changes, notify you by email.
Questions about this policy? Get in touch.