Privacy Policy

This policy explains what data FormFlow (“we”, “us”) collects, why, and what happens to it. FormFlow is a form-backend service operated for the customers who create accounts with us (“customers”) and, indirectly, for the people who submit forms that our customers run (“submitters”).

The two roles we play

For customer account data we are the controller. When you sign up, we decide what we collect and why, as described below.

For form submission data we are a processor. The contents of submissions sent to a customer’s form belong to that customer, who determines what is collected through their form. We store and process it only on their instructions, under our Data Processing Agreement. If you submitted a form and want your data corrected or deleted, the form owner is your first point of contact; we support them in fulfilling such requests, and we honour deletion requests we receive directly where we can identify the data.

Data we collect

Account data — your email address, optional display name, account and workspace names, plan and billing status, and security-relevant events (sign-ins, key creation, configuration changes) in an audit log.

Submission data, on behalf of customers — the fields and files a submitter sends to a customer’s form, plus technical metadata attached to each submission: IP address, country derived from it, user agent, and the referring page. Metadata is used for spam protection, rate limiting and aggregate analytics.

Operational data — service logs and aggregate usage metrics (submission counts, spam ratio, delivery latencies). Aggregates contain no submission contents.

We do not sell personal data, run advertising, or use third-party advertising trackers on this site.

Where data lives

FormFlow runs entirely on Cloudflare’s infrastructure (Workers, D1, R2, KV). Data is stored within Cloudflare’s network with European Union jurisdiction settings for primary storage; as a global edge network, Cloudflare may process requests at the location nearest to the requester. Transfers outside the EU/EEA are covered by the EU Standard Contractual Clauses incorporated into Cloudflare’s data processing terms.

Transactional email (magic links, submission notifications) is delivered through Resend. Recipient addresses and message contents pass through Resend solely for delivery.

Retention

• Submissions are kept for the retention window configured on the form, capped by the customer’s plan (e.g. 7 days on the free plan, 90 days on Pro, 1 year on Team), then deleted automatically. Files in R2 are deleted together with their submission.
• Account data is kept for as long as the account exists and deleted within 30 days of account deletion, except records we must keep for legal or billing reasons.
• Audit logs are kept for up to 1 year.

Legal bases (GDPR)

Where the GDPR applies, we process account data to perform our contract with you (Art. 6(1)(b)), operational and security data in our legitimate interest of running a secure service (Art. 6(1)(f)), and billing records to meet legal obligations (Art. 6(1)(c)). Submission data is processed on the instructions of the customer, who is responsible for their own legal basis.

Your rights

You can access, correct, export or delete your account data at any time — most of it directly in the console, the rest by emailing us. EU/EEA residents additionally have the rights to restriction, objection and data portability, and may lodge a complaint with their supervisory authority.

Cookies

The marketing site sets no cookies. The console sets a single, strictly necessary session cookie (ff_session) after sign-in. No analytics or advertising cookies.

Changes & contact

We’ll announce material changes to this policy on this page and, for significant changes, by email. Questions and privacy requests: contact@formflow.cc.