FormaGet Started

Privacy Policy

Last updated: April 16, 2026

1. Introduction

Forma ("Company", "we", "us", or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our form builder and submission management service ("Service").

Please read this policy carefully. By using the Service, you consent to the practices described in this Privacy Policy.

2. Information We Collect

2.1 Account Information

When you create an account, we store the following in our database:

  • Name and email address
  • Password (stored as a one-way bcrypt hash — we cannot read your password)
  • Workspace names and membership roles
  • Notification preferences

If you sign in with Google or GitHub, we receive your name, email, and profile image from the provider. We do not receive or store your social account password.

2.2 Form Submission Data

When end users submit forms you create, we store the submission data in our database on your behalf. This may include any information the form collects, such as:

  • Names, email addresses, phone numbers, and free-text responses
  • File uploads (stored on Amazon S3)
  • Booking date and time selections
  • IP address and approximate geolocation (country, city) of the person who submitted the form

You, as the form creator, are the data controller for submission data. We act as a data processor and store this data so you can access it through your dashboard.

2.3 Payment Information

All payment processing is handled by Stripe. We do not store, process, or have access to credit card numbers, CVVs, or full payment credentials. What we store:

  • Stripe customer ID and subscription ID (opaque identifiers, not card data)
  • Subscription plan type and billing period
  • Whether a payment was completed (status only — not card details)

Stripe is PCI DSS Level 1 certified. For details on how Stripe handles payment data, see Stripe's Privacy Policy.

2.4 Usage and Analytics Data

We automatically collect:

  • IP addresses and approximate geolocation (for form submission analytics)
  • Form view counts and submission counts
  • Field interaction and drop-off tracking (which form fields users interact with)

2.5 Cookies and Sessions

We use essential cookies for authentication and session management only. We use a secure, HTTP-only session token (JWT) that expires after 30 days. We do not use third-party advertising or tracking cookies.

3. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve the Service
  • Process transactions and send related information
  • Send technical notices, updates, and support messages
  • Respond to your comments, questions, and requests
  • Monitor and analyze trends, usage, and activities
  • Detect, investigate, and prevent fraudulent or unauthorized activity
  • Personalize and improve your experience

4. Information Sharing

We share data only with the services needed to operate Forma:

  • Stripe — payment processing. Receives your email and billing details when you subscribe or accept form payments.
  • Resend — transactional email delivery. Receives recipient email addresses for automation emails, broadcasts, and notifications.
  • Amazon Web Services (S3) — file storage. Stores files uploaded through forms.
  • Amazon Bedrock — AI form generation. Receives form descriptions you provide (no submission data is sent).
  • User-configured integrations: If you connect Slack, Google Sheets, webhooks, or other services, submission data is sent to those services as you configure.

We do not sell, rent, or trade your personal information to third parties. We do not use your submission data for advertising or profiling.

We may disclose information when required by law, court order, or to protect the safety of our users or the public.

5. Data Security

We implement the following measures to protect your data:

  • All data in transit is encrypted via TLS/HTTPS (HTTP/2 with HSTS preload)
  • Passwords are hashed using bcrypt (one-way — we cannot read them)
  • API keys are hashed before storage (only a masked prefix is visible)
  • Role-based access control limits who can view or modify data within workspaces
  • Rate limiting on all API endpoints to prevent abuse
  • Input validation and SSRF protection on webhook and integration URLs
  • The application runs as a non-root system user with limited privileges
  • Database is not accessible from the public internet (localhost only)
  • Automated daily database backups with 14-day retention
  • Firewall restricts access to only necessary ports (HTTPS, SSH)

Credit card information is never transmitted to or stored on our servers — all payment processing occurs on Stripe's PCI-compliant infrastructure.

No system is 100% secure. If you discover a security vulnerability, please report it to us at our contact page.

6. Data Retention

We retain your data as follows:

  • Account data: Retained for as long as your account is active. You can delete your account from Settings, which removes your profile and personal data.
  • Form submission data: Retained until you delete it or delete the form. You control this data and can delete individual submissions or entire forms at any time.
  • Uploaded files: Retained on Amazon S3 until the associated form or submission is deleted.
  • Database backups: Retained for 14 days and then automatically deleted.
  • Workspace data: When a workspace is deleted, all associated forms, submissions, integrations, and files are permanently removed.

7. Your Rights (GDPR)

If you are in the European Economic Area (EEA), you have certain data protection rights:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your personal data
  • Restriction: Request limitation of processing
  • Portability: Request transfer of your data
  • Objection: Object to processing of your data
  • Withdraw Consent: Withdraw consent at any time

To exercise these rights, contact us.

8. California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act:

  • Right to know what personal information is collected
  • Right to know whether personal information is sold or disclosed
  • Right to say no to the sale of personal information
  • Right to access your personal information
  • Right to equal service and price (non-discrimination)

We do not sell personal information. To exercise your rights, contact us at the address below.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place, such as Standard Contractual Clauses, to protect your data during international transfers.

10. Children's Privacy

The Service is not intended for children under 16. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal information, please contact us immediately.

11. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us.

14. Data Processing Agreement

For customers who require a Data Processing Agreement (DPA) for GDPR compliance, please contact us.

Terms of ServiceDocumentationBack to Home