Privacy statement

Last updated: February 19, 2026

At Formflow, your privacy is important to us. This Privacy Policy explains how we collect, use, and protect your information when you use our website and services.


1. Information We Collect

We may collect the following types of information:

  • Personal Information: such as your name, email address, company details, or payment information when you sign up or make a purchase.

  • Usage Data: information about how you use our website and services, such as pages visited, features used, and time spent.

  • Cookies & Tracking: small files stored on your device to improve your browsing experience and help us analyze performance.


2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services.

  • Personalize your experience and recommend relevant templates or features.

  • Communicate with you about updates, offers, or support.

  • Process payments and manage your account.

  • Ensure security and prevent fraudulent activity.


3. How We Share Information

We do not sell your personal information.
We may share information with:

  • Service Providers who help us run our platform (e.g., hosting, analytics, payments).

  • Legal Obligations if required to comply with law, regulation, or legal process.

  • Business Transfers if we are involved in a merger, acquisition, or asset sale.


4. Cookies & Tracking Technologies

We use cookies and similar technologies to:

  • Keep you signed in and remember your preferences.

  • Analyze usage to improve performance.

  • Show relevant marketing (where applicable).

You can disable cookies in your browser settings, but some features may not work properly.


5. Data Security

We take appropriate measures to protect your personal information against unauthorized access, alteration, or disclosure. However, no method of transmission or storage is 100% secure.


6. Your Rights

Depending on your location, you may have the right to:

  • Access, update, or delete your personal data.

  • Opt out of marketing emails at any time.

  • Request a copy of the information we hold about you.

To exercise these rights, please contact us at [email protected].


7. Third-Party Services

Our services may include links or integrations with third-party tools (e.g., payment gateways, analytics). These third parties have their own privacy policies, and we are not responsible for their practices.


8. Children’s Privacy

Our services are not directed to children under 13 (or the minimum age required in your country). We do not knowingly collect data from children.


9. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated “Last updated” date.


10. Contact Us

If you have any questions about this Privacy Policy, please contact us at:
Formflow
Email: [email protected]


11. SMS & Text Messaging Communications

11.1 Scope and Nature of SMS Communications

Formflow ("Company," "we," "us," or "our") operates a software-as-a-service platform that enables registered account holders ("Users") to build and deploy online forms. As part of the platform's functionality, Users may elect to receive transactional SMS notifications — including form submission alerts, account activity updates, and system-generated notifications — directly to a mobile number of their choosing. These messages are strictly operational and transactional in nature. Formflow does not send marketing, promotional, or advertising content via SMS.

11.2 Consent and Opt-In

SMS notifications are strictly opt-in. No User will receive SMS communications from Formflow without first affirmatively consenting through the authenticated Formflow platform. The consent mechanism requires the User to:

(a) manually enter their mobile phone number into the designated SMS notification field within the platform;

(b) actively check an unchecked, non-mandatory consent checkbox acknowledging their agreement to receive SMS notifications; and

(c) confirm the action by clicking "Confirm."

Consent is collected on a per-User, per-session basis and is never implied, assumed, or inferred from any other agreement, account creation, or prior interaction. Consent to receive SMS messages is not a condition of access to or use of the Formflow platform or any of its features.

11.3 Types of Messages Sent

Users who opt in to SMS notifications may receive the following categories of messages:

  • Form submission notifications (e.g., "A new response has been submitted to your form")

  • Account and system activity alerts

  • Form publishing confirmations

  • Opt-in confirmation and opt-out acknowledgment messages

  • Support-related responses where initiated by the User

Formflow does not send unsolicited marketing, promotional, or third-party advertising content via SMS under any circumstances.

11.4 Message Frequency and Costs

Message frequency varies depending on the User's form configuration and account activity. Standard account notification messages are triggered by User-defined events. Users should anticipate receiving messages commensurate with their form submission volume. Message and data rates may apply depending on the User's mobile carrier plan. Formflow is not responsible for any charges imposed by a User's mobile carrier.

11.5 Non-Disclosure of SMS Opt-In Data — No Third-Party Sharing

Formflow does not sell, rent, transfer, disclose, or otherwise share any User's mobile phone number, SMS opt-in consent data, or text messaging consent records with any third party, affiliate, partner, or advertiser for marketing, promotional, or any other commercial purpose.

Mobile opt-in information — including the fact of consent, the date and time of consent, the consented mobile number, and any associated consent records — is expressly excluded from all data sharing arrangements described elsewhere in this Privacy Policy, including any sharing with service providers, business partners, or successors.

To be explicitly clear: text messaging originator opt-in data and consent will not be shared with any third parties under any circumstances.

The only exceptions to this non-disclosure obligation are:

(a) disclosure to telecommunications carriers and SMS infrastructure providers strictly as necessary to transmit the messages the User has consented to receive; and

(b) disclosure required by applicable law, regulation, valid court order, or lawful government process, in which case Formflow will notify the affected User to the extent permitted by law.

11.6 Opt-Out and Unsubscription

Users may withdraw their consent to receive SMS messages at any time by:

  • Replying STOP to any SMS message received from Formflow (which will immediately suppress all further SMS communications to that number);

  • Navigating to SMS notification settings within the authenticated Formflow platform and disabling SMS notifications; or

  • Contacting Formflow directly at [email protected] with a written request to opt out.

Upon receipt of a STOP message or opt-out request, Formflow will cease sending SMS messages to the designated number promptly and in accordance with applicable TCPA and CTIA requirements. A single opt-out confirmation message will be sent to acknowledge the request. No further messages will be sent thereafter unless the User affirmatively re-consents.

11.7 Help and Support

Users may reply HELP to any SMS message from Formflow to receive support contact information. Users may also contact Formflow at any time at [email protected] or via the support portal at getformflow.io.

11.8 Compliance

Formflow's SMS communications program is designed and operated in compliance with:

  • The Telephone Consumer Protection Act (TCPA), 47 U.S.C. § 227

  • FCC regulations implementing the TCPA, 47 C.F.R. § 64.1200

  • CTIA Messaging Principles and Best Practices (as updated)

  • The Campaign Registry (TCR) A2P 10DLC registration standards

  • Applicable state telemarketing and consumer protection laws, including but not limited to the Florida Telephone Solicitation Act (FTSA) and the California Consumer Privacy Act (CCPA)

11.9 Recordkeeping

Formflow maintains timestamped records of User SMS opt-in consent, including the date, time, method of consent, and mobile number consented, for a minimum period of four (4) years, in accordance with applicable regulatory requirements and CTIA best practices.

Annex II – Technical and Organisational Measures (TOMs)

The Processor (Formflow) maintains a comprehensive information security and privacy program designed to protect Customer Data. Measures are reviewed and updated periodically in line with industry standards.


1. Governance and Policies

• Documented Information Security Policy, Privacy Policy, and Acceptable Use Policy reviewed at least annually.

• Security program overseen by executive management; accountability assigned to Formflow’s CEO and CTO.

• Employees and contractors undergo background checks (where legally permissible) prior to engagement.


2. Personnel Security and Access Control

• Role-based access control (RBAC) applied across systems; access limited to least privilege required for job function.

• Multi-factor authentication (MFA) enforced for all administrative access (infrastructure, source code, SaaS consoles).

• Onboarding/offboarding process ensures prompt granting/revocation of access; reviews performed at least quarterly.

• All staff with data access trained annually on GDPR, data handling, phishing awareness, and incident response.


3. Physical Security

• All Customer Data is hosted on Amazon Web Services (AWS) data centers with industry-standard certifications (ISO 27001, SOC 1/2/3, PCI-DSS).

• Physical access to servers is restricted by AWS and controlled via badge access, biometrics, and CCTV.


4. System & Network Security

• TLS 1.2+ (HTTPS) enforced for all data in transit; HSTS enabled.

• AES-256 encryption at rest for databases, object storage, and backups.

• Cloudflare WAF/DDoS protection and CDN used for edge-layer defense.

• Network segmentation and security groups restrict lateral movement.

• Regular vulnerability scans; critical patches applied within 14 days.


5. Application Security

• Secure Software Development Lifecycle (SSDLC) with code reviews, dependency scanning, and CI/CD checks.

• Dependencies monitored for CVEs; automated updates and patching pipeline in place.

• API endpoints require authentication (JWT) and authorization checks.


6. Data Management & Privacy

• Data minimization: only data defined by Controller is collected; Formflow does not enrich Customer Data.

• Data segregation: multi-tenant architecture with logical separation per customer.

• Configurable retention: Controller may delete submissions or accounts at any time.

• Metadata logs retained only as long as necessary for security/operations.


7. Monitoring, Logging & Alerting

• Centralized logging of infrastructure and application events.

• Security events monitored via automated alerts (unauthorized access, privilege escalation, anomaly detection).

• Logs protected against tampering and retained for a defined period for forensic investigation.


8. Business Continuity & Disaster Recovery

• Automated daily backups of databases; tested restore procedures quarterly.

• Disaster recovery RTO (Recovery Time Objective): 24 hours.

• RPO (Recovery Point Objective): 24 hours.

• Services hosted in redundant AWS availability zones for resilience.


9. Incident Management

• Documented Incident Response Plan (IRP) covering detection, containment, eradication, recovery, and lessons learned.

• Security incidents classified by severity; breach notifications to Controllers issued without undue delay (target <48h).

• Post-incident reviews conducted and corrective measures tracked.


10. Audit & Compliance

• Records of Processing maintained as required by Art. 30(2) GDPR.

• Regular internal audits of access rights and security configurations.

• Third-party attestations leveraged from AWS, Cloudflare, and other Sub-processors.


If you have any questions about this Privacy Policy, please contact us at: https://getformflow.io/
Email: [email protected]