Privacy statement

Last updated: September 23, 2025

At Formflow, your privacy is important to us. This Privacy Policy explains how we collect, use, and protect your information when you use our website and services.


1. Information We Collect

We may collect the following types of information:

  • Personal Information: such as your name, email address, company details, or payment information when you sign up or make a purchase.

  • Usage Data: information about how you use our website and services, such as pages visited, features used, and time spent.

  • Cookies & Tracking: small files stored on your device to improve your browsing experience and help us analyze performance.


2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services.

  • Personalize your experience and recommend relevant templates or features.

  • Communicate with you about updates, offers, or support.

  • Process payments and manage your account.

  • Ensure security and prevent fraudulent activity.


3. How We Share Information

We do not sell your personal information.
We may share information with:

  • Service Providers who help us run our platform (e.g., hosting, analytics, payments).

  • Legal Obligations if required to comply with law, regulation, or legal process.

  • Business Transfers if we are involved in a merger, acquisition, or asset sale.


4. Cookies & Tracking Technologies

We use cookies and similar technologies to:

  • Keep you signed in and remember your preferences.

  • Analyze usage to improve performance.

  • Show relevant marketing (where applicable).

You can disable cookies in your browser settings, but some features may not work properly.


5. Data Security

We take appropriate measures to protect your personal information against unauthorized access, alteration, or disclosure. However, no method of transmission or storage is 100% secure.


6. Your Rights

Depending on your location, you may have the right to:

  • Access, update, or delete your personal data.

  • Opt out of marketing emails at any time.

  • Request a copy of the information we hold about you.

To exercise these rights, please contact us at [email protected].


7. Third-Party Services

Our services may include links or integrations with third-party tools (e.g., payment gateways, analytics). These third parties have their own privacy policies, and we are not responsible for their practices.


8. Children’s Privacy

Our services are not directed to children under 13 (or the minimum age required in your country). We do not knowingly collect data from children.


9. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated “Last updated” date.


10. Contact Us

If you have any questions about this Privacy Policy, please contact us at:
Formflow
Email: [email protected]

Annex II – Technical and Organisational Measures (TOMs)

The Processor (Formflow) maintains a comprehensive information security and privacy program designed to protect Customer Data. Measures are reviewed and updated periodically in line with industry standards.


1. Governance and Policies

• Documented Information Security Policy, Privacy Policy, and Acceptable Use Policy reviewed at least annually.

• Security program overseen by executive management; accountability assigned to Formflow’s CEO and CTO.

• Employees and contractors undergo background checks (where legally permissible) prior to engagement.


2. Personnel Security and Access Control

• Role-based access control (RBAC) applied across systems; access limited to least privilege required for job function.

• Multi-factor authentication (MFA) enforced for all administrative access (infrastructure, source code, SaaS consoles).

• Onboarding/offboarding process ensures prompt granting/revocation of access; reviews performed at least quarterly.

• All staff with data access trained annually on GDPR, data handling, phishing awareness, and incident response.


3. Physical Security

• All Customer Data is hosted on Amazon Web Services (AWS) data centers with industry-standard certifications (ISO 27001, SOC 1/2/3, PCI-DSS).

• Physical access to servers is restricted by AWS and controlled via badge access, biometrics, and CCTV.


4. System & Network Security

• TLS 1.2+ (HTTPS) enforced for all data in transit; HSTS enabled.

• AES-256 encryption at rest for databases, object storage, and backups.

• Cloudflare WAF/DDoS protection and CDN used for edge-layer defense.

• Network segmentation and security groups restrict lateral movement.

• Regular vulnerability scans; critical patches applied within 14 days.


5. Application Security

• Secure Software Development Lifecycle (SSDLC) with code reviews, dependency scanning, and CI/CD checks.

• Dependencies monitored for CVEs; automated updates and patching pipeline in place.

• API endpoints require authentication (JWT/Clerk) and authorization checks.


6. Data Management & Privacy

• Data minimization: only data defined by Controller is collected; Formflow does not enrich Customer Data.

• Data segregation: multi-tenant architecture with logical separation per customer.

• Configurable retention: Controller may delete submissions or accounts at any time.

• Metadata logs retained only as long as necessary for security/operations.


7. Monitoring, Logging & Alerting

• Centralized logging of infrastructure and application events.

• Security events monitored via automated alerts (unauthorized access, privilege escalation, anomaly detection).

• Logs protected against tampering and retained for a defined period for forensic investigation.


8. Business Continuity & Disaster Recovery

• Automated daily backups of databases; tested restore procedures quarterly.

• Disaster recovery RTO (Recovery Time Objective): 24 hours.

• RPO (Recovery Point Objective): 24 hours.

• Services hosted in redundant AWS availability zones for resilience.


9. Incident Management

• Documented Incident Response Plan (IRP) covering detection, containment, eradication, recovery, and lessons learned.

• Security incidents classified by severity; breach notifications to Controllers issued without undue delay (target <48h).

• Post-incident reviews conducted and corrective measures tracked.


10. Audit & Compliance

• Records of Processing maintained as required by Art. 30(2) GDPR.

• Regular internal audits of access rights and security configurations.

• Third-party attestations leveraged from AWS, Cloudflare, and other Sub-processors.


If you have any questions about this Privacy Policy, please contact us at: https://getformflow.io/
Email: [email protected]