FormaGet Started

Privacy Policy

Last updated: March 31, 2026

1. Introduction

Forma ("Company", "we", "us", or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our form builder and submission management service ("Service").

Please read this policy carefully. By using the Service, you consent to the practices described in this Privacy Policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Name and email address
  • Password (stored securely using bcrypt hashing)
  • Workspace and organization information
  • Billing information (processed by Stripe; we do not store full card numbers)

2.2 Form Submission Data

When end users submit forms you create, we collect and store the submission data on your behalf. This may include any information the form collects (names, emails, messages, etc.). You are the data controller for this information; we act as a data processor.

2.3 Usage Data

We automatically collect:

  • IP addresses and approximate location
  • Browser type and version
  • Device information
  • Pages visited and features used
  • Time spent on pages and click patterns

2.4 Cookies and Tracking

We use essential cookies for authentication and session management. We may use analytics cookies to understand how the Service is used. You can control cookie preferences through your browser settings.

3. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve the Service
  • Process transactions and send related information
  • Send technical notices, updates, and support messages
  • Respond to your comments, questions, and requests
  • Monitor and analyze trends, usage, and activities
  • Detect, investigate, and prevent fraudulent or unauthorized activity
  • Personalize and improve your experience

4. Information Sharing

We may share your information with:

  • Service Providers: Third parties that help us operate the Service (hosting, payment processing, email delivery)
  • Integrations: Third-party services you choose to connect (Slack, Google Sheets, etc.)
  • Legal Requirements: When required by law or to protect our rights
  • Business Transfers: In connection with a merger, acquisition, or sale of assets

We do not sell your personal information to third parties.

5. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Secure password hashing (bcrypt)
  • Regular security assessments
  • Access controls and authentication
  • Database backups and disaster recovery

However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your account information for as long as your account is active or as needed to provide the Service. Form submission data is retained according to your workspace settings or until you delete it.

After account deletion, we may retain certain information for up to 30 days for backup purposes, and may retain anonymized or aggregated data indefinitely.

7. Your Rights (GDPR)

If you are in the European Economic Area (EEA), you have certain data protection rights:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your personal data
  • Restriction: Request limitation of processing
  • Portability: Request transfer of your data
  • Objection: Object to processing of your data
  • Withdraw Consent: Withdraw consent at any time

To exercise these rights, contact us.

8. California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act:

  • Right to know what personal information is collected
  • Right to know whether personal information is sold or disclosed
  • Right to say no to the sale of personal information
  • Right to access your personal information
  • Right to equal service and price (non-discrimination)

We do not sell personal information. To exercise your rights, contact us at the address below.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place, such as Standard Contractual Clauses, to protect your data during international transfers.

10. Children's Privacy

The Service is not intended for children under 16. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal information, please contact us immediately.

11. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us.

14. Data Processing Agreement

For customers who require a Data Processing Agreement (DPA) for GDPR compliance, please contact us.

Terms of ServiceDocumentationBack to Home