Privacy statement

Last updated: April 26, 2026

At Formflow, your privacy is important to us. This Privacy Policy explains how we collect, use, and protect your information when you use our website and services.


1. Information We Collect

We may collect the following types of information:

  • Personal Information: such as your name, email address, company details, or payment information when you sign up or make a purchase.

  • Usage Data: information about how you use our website and services, such as pages visited, features used, and time spent.

  • Cookies & Tracking: small files stored on your device to improve your browsing experience and help us analyze performance.


2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services.

  • Personalize your experience and recommend relevant templates or features.

  • Communicate with you about updates, offers, or support.

  • Process payments and manage your account.

  • Ensure security and prevent fraudulent activity.


3. How We Share Information

We do not sell your personal information.
We may share information with:

  • Service Providers who help us run our platform (e.g., hosting, analytics, payments).

  • Legal Obligations if required to comply with law, regulation, or legal process.

  • Business Transfers if we are involved in a merger, acquisition, or asset sale.


4. Cookies & Tracking Technologies

We use cookies and similar technologies to:

  • Keep you signed in and remember your preferences.

  • Analyze usage to improve performance.

  • Show relevant marketing (where applicable).

Abandoned subscription, checkout, and signup tracking

We use cookies, tracking pixels, scripts, analytics tools, plugins, and similar technologies to understand how users and visitors interact with our website and platform.

This may include tracking when a user or visitor views or starts a signup page, pricing page, checkout page, subscription page, upgrade page, payment page, or similar conversion page and does not complete the relevant action.

Where SMS consent has been provided, we may use this information to determine when to send reminder messages, including SMS messages, relating to an abandoned subscription, abandoned checkout, abandoned signup, incomplete upgrade, incomplete registration, incomplete payment, or similar incomplete action.

You can disable cookies in your browser settings, but some features may not work properly.


5. Data Security

We take appropriate measures to protect your personal information against unauthorized access, alteration, or disclosure. However, no method of transmission or storage is 100% secure.


6. Your Rights

Depending on your location, you may have the right to:

  • Access, update, or delete your personal data.

  • Opt out of marketing emails at any time.

  • Request a copy of the information we hold about you.

To exercise these rights, please contact us at [email protected].


7. Third-Party Services

Our services may include links or integrations with third-party tools (e.g., payment gateways, analytics). These third parties have their own privacy policies, and we are not responsible for their practices.


8. Children’s Privacy

Our services are not directed to children under 13 (or the minimum age required in your country). We do not knowingly collect data from children.


9. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated “Last updated” date.


10. Contact Us

If you have any questions about this Privacy Policy, please contact us at:
Formflow
Email: [email protected]

.

11. SMS & text messaging communications

11.1 Scope of SMS communications

Formflow ("Formflow," "Company," "we," "us," or "our") may offer SMS and text messaging communications to users, customers, subscribers, and prospective customers who choose to opt in.

Our SMS program may include transactional, informational, account related, service related, promotional, marketing, and abandoned subscription, checkout, signup, or upgrade reminder messages. These messages may relate to your Formflow account, your use of the Formflow platform, your subscription, your form activity, your submission usage, product updates, offers, incentives, reminders, and other Formflow services.

SMS communications are optional. You are not required to opt in to SMS messages to create an account, use Formflow’s core services, or purchase a paid subscription.

Formflow may operate more than one SMS program. These may include:

(a) transactional and service related SMS alerts, such as form submission alerts, lead notifications, account notices, system alerts, and other messages related to a user’s use of the Formflow platform; and

(b) marketing and promotional SMS messages, such as product updates, offers, incentives, bonus submission related messages, abandoned subscription or checkout reminders, upgrade reminders, and other promotional messages.

Consent for one SMS program does not automatically mean consent for every SMS program. Where required, Formflow may request separate consent for transactional/service related SMS messages and marketing/promotional SMS messages.

11.2 SMS consent and opt-in

Formflow only sends SMS messages where consent has been provided through an approved opt-in method.

By submitting your mobile phone number and opting in to receive SMS messages from Formflow, you agree that Formflow may send text messages to the mobile number you provided. These messages may be sent using automated technology, including an automatic telephone dialing system or similar messaging technology, where permitted by applicable law.

Consent to receive SMS messages is not a condition of purchasing any property, goods, or services from Formflow. You may use Formflow’s core services without consenting to receive SMS marketing messages.

SMS consent is collected separately from email marketing consent and separately from general account registration. Providing a phone number alone does not constitute consent to receive SMS messages. You must take an affirmative action to opt in, such as checking an unchecked consent box, submitting an SMS signup form, confirming your consent through a double opt-in process, or otherwise expressly agreeing to receive SMS messages from Formflow.

Where required or appropriate, including for certain abandonment reminder messages, Formflow may use double opt-in confirmation before adding a mobile number to its SMS subscriber list.

11.3 Promotional incentives for SMS subscribers

Formflow may offer optional incentives to users who choose to opt in to SMS communications. These incentives may include additional monthly submission allowances, bonus submissions, feature access, promotional benefits, discounts, or other usage based benefits.

For example, Formflow may offer an additional monthly submission allowance to users who subscribe to SMS communications and remain subscribed.

Participation in any SMS incentive program is voluntary. If you unsubscribe from SMS communications, withdraw your SMS consent, or otherwise become ineligible for the SMS incentive, Formflow may remove or discontinue the associated incentive or bonus benefit.

Removing an SMS incentive does not prevent you from using Formflow’s core services. It only removes the additional benefit that was offered in connection with SMS participation.

11.4 Types of SMS messages we may send

If you opt in to SMS communications, Formflow may send you messages including, but not limited to:

  • Account notifications and platform alerts

  • Form submission notifications

  • Usage and submission limit notifications

  • Subscription, billing, and plan related reminders

  • Product updates and feature announcements

  • Promotional offers, discounts, incentives, and marketing messages

  • Onboarding reminders and activation messages

  • Abandoned subscription, abandoned checkout, or abandoned signup reminders

  • Opt-in confirmation messages

  • Opt-out confirmation messages

  • Support related responses where initiated by you

The exact messages you receive may depend on your account settings, your consent status, your location, your interaction with Formflow, your subscription status, and your activity on our website or platform.

11.5 Abandoned subscription, checkout, and signup reminders

Formflow may send abandoned subscription, abandoned checkout, abandoned signup, or similar reminder messages by SMS where you have provided the required consent.

Formflow’s website and platform use cookies, tracking pixels, scripts, analytics tools, plugins, and similar technologies to help identify when a user or visitor interacts with a signup page, pricing page, checkout page, subscription page, upgrade page, payment page, or similar conversion page and does not complete the relevant action.

This information may be used to determine when to send reminder messages, including SMS messages, about an abandoned subscription, abandoned checkout, abandoned signup, incomplete upgrade, incomplete registration, incomplete payment, or similar incomplete action.

If you receive an abandoned subscription, checkout, signup, or upgrade reminder by SMS, it is because you provided SMS consent and your activity indicated that you started but did not complete the relevant action.

Where required by applicable law, carrier rules, or messaging platform rules, Formflow will apply additional safeguards to abandonment reminder messages, which may include double opt-in, limiting the number of SMS reminders, and sending such reminders within the required time window after the triggering event.

11.6 How we collect and use mobile phone numbers

We may collect your mobile phone number when you:

  • Enter it into a Formflow signup form, account form, checkout form, subscription form, upgrade page, or SMS opt-in form

  • Add it to your account settings

  • Request SMS notifications or alerts

  • Participate in an SMS incentive, promotion, or bonus submission program

  • Contact support and provide your phone number

  • Otherwise provide your phone number to Formflow and give the required consent

We use mobile phone numbers to:

  • Send SMS messages you have consented to receive

  • Confirm and manage your SMS subscription status

  • Process opt-in and opt-out requests

  • Provide account, platform, subscription, and service related notices

  • Send promotional, marketing, abandoned subscription, abandoned checkout, or abandoned signup messages where permitted

  • Administer SMS incentives, including bonus submission allowances

  • Maintain records of SMS consent and compliance

  • Prevent fraud, abuse, or unauthorized use of our SMS program

  • Comply with legal, carrier, messaging provider, and regulatory requirements

11.7 Message frequency and carrier costs

Message frequency varies. The number of SMS messages you receive may depend on your account activity, your subscription status, your form activity, your usage levels, your interaction with Formflow, your participation in promotions or incentives, and the SMS programs you have opted into.

Message and data rates may apply. Your mobile carrier may charge you for SMS messages or data usage according to your mobile plan. Formflow is not responsible for charges imposed by your mobile carrier.

Delivery of SMS messages is subject to carrier availability, network availability, device compatibility, and other factors outside Formflow’s control. Formflow does not guarantee that SMS messages will be delivered, delivered on time, or remain available on your device.

11.8 Opting out of SMS messages

You may opt out of SMS messages at any time.

To stop receiving SMS messages from Formflow, you can reply STOP to any SMS message from Formflow. You may also use any unsubscribe link provided in a message, update your SMS preferences inside your Formflow account where available, or contact us at [email protected].

After you opt out, Formflow will stop sending SMS messages to the opted out number, except that we may send a one time confirmation message confirming your opt-out request.

If you opt out of SMS messages, you may lose access to any SMS based incentive, bonus submission allowance, promotional benefit, or similar benefit that required an active SMS subscription.

Opting out of SMS messages does not automatically unsubscribe you from email communications. You must separately unsubscribe from email communications where applicable.

11.9 Help and support

You may reply HELP to an SMS message from Formflow for help or support information.

You may also contact Formflow at:

Email: [email protected]
Website: https://getformflow.io/

11.10 No sale or sharing of SMS opt-in data

Formflow does not sell, rent, disclose, transfer, or share SMS opt-in data, SMS consent records, or text messaging consent status with third parties or affiliates for their own marketing or promotional purposes.

Text messaging originator opt-in data and consent will not be shared with any third parties for marketing purposes.

This includes your mobile phone number, SMS opt-in status, SMS consent records, opt-in timestamps, opt-in source, opt-out status, and any records showing that you consented to receive SMS messages from Formflow.

The above commitment applies even if other sections of this Privacy Policy describe circumstances where we may share personal information with service providers, business partners, affiliates, successors, or other third parties.

11.11 Limited service provider disclosures for SMS delivery

Formflow may disclose mobile phone numbers and SMS related data to service providers strictly as needed to operate the SMS program. This may include telecommunications carriers, SMS delivery providers, messaging platforms, compliance vendors, analytics providers, customer support tools, and infrastructure providers.

These providers may process SMS related data only as needed to help us deliver messages, manage consent, process opt-outs, maintain compliance records, prevent fraud or abuse, troubleshoot delivery issues, or operate the Formflow service.

Formflow does not authorize these service providers to use SMS opt-in data or SMS consent records for their own independent marketing purposes.

11.12 Legal disclosures

Formflow may disclose SMS related data where required to comply with applicable law, regulation, subpoena, court order, lawful government request, carrier requirement, messaging provider requirement, or legal process.

We may also disclose SMS related data where we believe disclosure is reasonably necessary to protect the rights, safety, security, or integrity of Formflow, our users, our SMS program, our service providers, telecommunications networks, or the public.

11.13 Data retention and consent records

Formflow may maintain records of SMS consent, SMS opt-in activity, SMS opt-out activity, message delivery activity, and related compliance records.

These records may include:

  • Mobile phone number

  • Date and time of opt-in

  • Method of opt-in

  • Source of opt-in

  • Consent language shown at the time of opt-in

  • IP address or device information where applicable

  • Double opt-in confirmation records where applicable

  • Date and time of opt-out

  • Message history and delivery status

  • Records relating to SMS incentive eligibility

Formflow may retain these records for as long as reasonably necessary to operate the SMS program, comply with legal obligations, resolve disputes, enforce agreements, maintain suppression lists, and demonstrate compliance with applicable SMS laws, carrier rules, and messaging provider requirements.

11.14 Location based SMS services

Formflow does not currently use precise location tracking for SMS marketing.

If Formflow later offers location based SMS services, we will update this Privacy Policy to describe what location data is collected, how it is collected, how it is used, and how users can control that collection and use.

11.15 Compliance

Formflow’s SMS program is intended to comply with applicable SMS and text messaging requirements, which may include the Telephone Consumer Protection Act, FCC rules, CTIA Messaging Principles and Best Practices, The Campaign Registry requirements, wireless carrier rules, state consumer protection laws, and other applicable privacy and marketing laws.

Because SMS laws and carrier requirements may change, Formflow may update its SMS practices, consent flows, disclosures, and this Privacy Policy from time to time.

Annex II – Technical and Organisational Measures (TOMs)

The Processor (Formflow) maintains a comprehensive information security and privacy program designed to protect Customer Data. Measures are reviewed and updated periodically in line with industry standards.


1. Governance and Policies

• Documented Information Security Policy, Privacy Policy, and Acceptable Use Policy reviewed at least annually.

• Security program overseen by executive management; accountability assigned to Formflow’s CEO and CTO.

• Employees and contractors undergo background checks (where legally permissible) prior to engagement.


2. Personnel Security and Access Control

Role-based access control (RBAC) applied across systems; access limited to least privilege required for job function.

Multi-factor authentication (MFA) enforced for all administrative access (infrastructure, source code, SaaS consoles).

Onboarding/offboarding process ensures prompt granting/revocation of access; reviews performed at least quarterly.

• All staff with data access trained annually on GDPR, data handling, phishing awareness, and incident response.


3. Physical Security

• All Customer Data is hosted on Amazon Web Services (AWS) data centers with industry-standard certifications (ISO 27001, SOC 1/2/3, PCI-DSS).

• Physical access to servers is restricted by AWS and controlled via badge access, biometrics, and CCTV.


4. System & Network Security

TLS 1.2+ (HTTPS) enforced for all data in transit; HSTS enabled.

AES-256 encryption at rest for databases, object storage, and backups.

Cloudflare WAF/DDoS protection and CDN used for edge-layer defense.

• Network segmentation and security groups restrict lateral movement.

• Regular vulnerability scans; critical patches applied within 14 days.


5. Application Security

• Secure Software Development Lifecycle (SSDLC) with code reviews, dependency scanning, and CI/CD checks.

• Dependencies monitored for CVEs; automated updates and patching pipeline in place.

• API endpoints require authentication (JWT) and authorization checks.


6. Data Management & Privacy

Data minimization: only data defined by Controller is collected; Formflow does not enrich Customer Data.

Data segregation: multi-tenant architecture with logical separation per customer.

Configurable retention: Controller may delete submissions or accounts at any time.

• Metadata logs retained only as long as necessary for security/operations.


7. Monitoring, Logging & Alerting

• Centralized logging of infrastructure and application events.

• Security events monitored via automated alerts (unauthorized access, privilege escalation, anomaly detection).

• Logs protected against tampering and retained for a defined period for forensic investigation.


8. Business Continuity & Disaster Recovery

• Automated daily backups of databases; tested restore procedures quarterly.

• Disaster recovery RTO (Recovery Time Objective): 24 hours.

• RPO (Recovery Point Objective): 24 hours.

• Services hosted in redundant AWS availability zones for resilience.


9. Incident Management

• Documented Incident Response Plan (IRP) covering detection, containment, eradication, recovery, and lessons learned.

• Security incidents classified by severity; breach notifications to Controllers issued without undue delay (target <48h).

• Post-incident reviews conducted and corrective measures tracked.


10. Audit & Compliance

• Records of Processing maintained as required by Art. 30(2) GDPR.

• Regular internal audits of access rights and security configurations.

• Third-party attestations leveraged from AWS, Cloudflare, and other Sub-processors.


If you have any questions about this Privacy Policy, please contact us at: https://getformflow.io/
Email: [email protected]