Privacy Policy

Last updated: 2025-10-09

Welcome to Form Factory (“we”, “us”, “our”). This policy explains what we collect, why we collect it, how we use it, and the choices you have. By using Form Factory, you agree to this policy. This page is for transparency and is not legal advice.

What we collect

• Account data: name, email, password hash (if you sign up with email), and Google account identifier when you use “Continue with Google”.
• Workspace data: tenant/workspace name, members, and roles.
• Form content: questions, options, rules, and configuration you create.
• Responses: end-user answers (including file uploads) submitted to your forms. You control this content.
• Operational data: logs, device and browser information, IP addresses (or hashed derivatives), timestamps, and basic analytics for reliability and abuse prevention.
• Communications: emails we send/receive (e.g. sign-in, password reset, notifications).

How we use information

• Provide, secure, and improve the service.
• Authenticate users and maintain sessions.
• Send essential emails (verification, resets, notices).
• Show admin insights (counts, timestamps) to workspace owners.
• Detect, prevent, and investigate abuse or outages.

Legal bases

If you are in the EU/UK, we rely on: (i) performance of a contract (providing the service); (ii) legitimate interests (security, abuse prevention, product improvement); and (iii) consent where required (e.g., certain cookies/analytics).

Processors & infrastructure

We use reputable providers to run Form Factory:

• Hosting & build: Vercel
• Database: PostgreSQL (Neon)
• Edge/CDN & DNS: Cloudflare
• Email delivery: Zoho Mail (SMTP)
• Federated login: Google (OAuth 2.0)
• Object/file storage: The storage configured for your deployment

These providers may process data in various countries. We use them only to provide the service and require appropriate safeguards.

Cookies & similar technologies

• Essential: session cookies for authentication and form access tokens (e.g., magic links).
• Optional: lightweight analytics or performance metrics (if enabled). You can block non-essential cookies.

Data retention

• Account & workspace data: retained while your account is active. You can request deletion.
• Form content & responses: retained until the workspace owner deletes them or the workspace is deleted.
• Operational logs: kept for a limited time for security and troubleshooting.

Your rights

Depending on your region (e.g., Canada’s PIPEDA, EU/UK GDPR), you may have rights to access, correct, export, or delete your personal data, and to object or restrict certain processing.

End-user respondents should contact the form owner (the organization that sent the form) about their submissions. We act as a processor for that content.

Security

We use industry-standard protections such as encryption in transit (TLS), hashed passwords, role-based access, and least-privilege practices. No system is perfectly secure; please protect your account with a strong, unique password and do not share credentials.

Children

Form Factory is not directed to children under 13 (or the age of digital consent in your jurisdiction). If you believe a child provided personal data, contact us and we will take appropriate steps.

International transfers

Your information may be processed outside your country. Where required, we implement safeguards such as standard contractual clauses with our processors.

Changes to this policy

We may update this policy from time to time. We will revise the “Last updated” date and, if changes are material, provide a more prominent notice.

Contact

Questions or requests? Email [email protected].

Mailing address available upon request for rights requests.