Privacy Policy

Last updated: [YYYY-MM-DD]

This Privacy Policy explains how [LEGAL ENTITY] ("Formward", "we", "us", or "our") collects, uses, and protects personal data in connection with the Formward form-backend service at formward.eu (the "Service"). We are committed to processing personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Swedish data-protection law. A defining principle of the Service is that your form-submission data stays in the EU (billing is handled by Stripe, which never receives form data; see section 6).

1. Who we are and our roles

[LEGAL ENTITY] is a company registered in Sweden with its registered office at [ADDRESS].

• We are the controller for the account data we collect to operate the Service and our business (see section 2).
• We act as a processor for the personal data contained in form submissions made by your website visitors. For that data, you (the Formward customer) are the controller; we process it on your behalf (see section 12).

Contact for privacy matters and our Data Protection Officer: privacy@formward.eu.
General contact: team@formward.eu.

2. What personal data we collect

2.1 Account data

When you register we collect your email address and store a securely hashed password. We never store your password in plain text. Authentication is handled by better-auth running on our own infrastructure; your credentials are not transmitted to any third-party identity provider.

2.2 Form submission contents

The core purpose of the Service is to receive the form submissions your website visitors send through your HTML forms. The contents of those submissions, arbitrary fields you define (e.g., name, message, the email address of your end-user), are stored in our database and displayed in your dashboard. You are the controller of this data; we process it on your behalf as a processor (see section 12).

2.3 IP addresses (pseudonymised)

To enable spam detection and rate limiting we process the IP address of the device that submits a form. We immediately pseudonymise the IP address using a keyed hash (HMAC-SHA-256 with a secret server-side salt) before storage, and store only that derived value. We do not write the raw IP address to disk. Keyed hashing means the stored value cannot be linked back to an IP address without our secret salt, which materially reduces the risk of re-identification compared with an unsalted hash. We do not treat the pseudonymised value as fully anonymous data: it remains personal data and is protected as such.

2.4 Billing data

Payment card details are handled exclusively by Stripe. We do not receive, process, or store card numbers. We retain the Stripe customer ID, subscription status, and invoice records necessary to manage your account and meet our accounting obligations.

2.5 Technical and usage logs

We keep minimal server-side logs (request timestamps, HTTP method, response codes) for security monitoring and service reliability. Where we record the IP address of an action for an audit trail, for example when an account holder accepts our Data Processing Agreement or when an operator performs an administrative action, we store it in the same pseudonymised (keyed-hash) form described in section 2.3 rather than as a raw IP address.

3. Legal bases for processing (GDPR Article 6)

• Performance of a contract (Art. 6(1)(b)): processing your account email, hashed password, and submission data is necessary to provide the Service you have contracted for.
• Legitimate interests (Art. 6(1)(f)): we process pseudonymised IP addresses and technical logs to prevent spam, detect abuse, secure the Service, and improve it. These interests do not override your rights given the privacy-preserving measures we apply (immediate keyed-hash pseudonymisation, no raw-IP storage).
• Legal obligation (Art. 6(1)(c)): we retain certain billing and transaction records as required by tax and accounting law.
• Consent (Art. 6(1)(a)): where we set non-essential cookies or run optional analytics, we seek your consent via our cookie consent manager. You may withdraw consent at any time.

4. How we use personal data

• to provide, operate, and maintain the Service;
• to deliver submission notifications to the form owner and, on paid plans, AI enrichment such as spam scoring and summarisation;
• to prevent spam, fraud, and abuse, and to secure the Service;
• to process payments and meet our legal and tax obligations;
• to communicate service notices, security alerts, and support responses.

5. Sub-processors

We use the following sub-processors, all located within the European Union or European Economic Area:

Optional anti-bot challenge. If a form owner enables the Cloudflare Turnstile anti-bot challenge on a form (off by default), the visitor's browser interacts with Cloudflare (USA) to solve the challenge. We do not send the visitor's IP address to Cloudflare, and any resulting transfer is covered by an appropriate Article 46 safeguard. Forms without Turnstile enabled involve no non-EU/EEA processing. See our Data Processing Agreement for the full sub-processor register.

We maintain a current list of sub-processors and will notify you of material changes in accordance with our Data Processing Agreement.

6. Data residency and international transfers

All submission data and account data are stored on servers operated by Hostup AB in Sweden. Transactional email is processed by Mailjet/Sinch within the EU (France). AI enrichment (paid plans only) is performed by Mistral AI within the EU (France). Subscription billing is handled by Stripe (EU contracting entity in Dublin, Ireland; parent Stripe, Inc. in the United States), which processes the paying customer's own billing data — name, email, billing address, and payment-method details — partly in the US under Standard Contractual Clauses and the EU–US Data Privacy Framework. Stripe never receives form-submission content or submitter personal data.

By default, we do not transfer form-submission data — the personal data of the people who fill in your forms — outside the European Union or European Economic Area (EU/EEA). This is a deliberate architectural choice: every sub-processor that touches form-submission data was selected on the basis of EU/EEA residency, which removes the need for transfer mechanisms such as Standard Contractual Clauses for that data. There are two US touchpoints, both separate from form-submission content: the optional Cloudflare Turnstile anti-bot challenge (off unless a form owner enables it), where the related browser interaction with Cloudflare (USA) is covered by an appropriate Article 46 safeguard; and Stripe, which processes the paying customer's billing data partly in the US under Standard Contractual Clauses and the EU–US Data Privacy Framework.

7. Cookies

We use a minimal set of cookies. Essential cookies keep you logged in and store your consent choices; optional analytics and marketing categories are only activated with your consent via our consent manager. See our Cookie Policy for full details and to manage your preferences.

8. Your rights under GDPR

As a data subject you have the following rights, subject to applicable conditions:

• Access (Art. 15): request a copy of the personal data we hold about you.
• Rectification (Art. 16): ask us to correct inaccurate or incomplete data.
• Erasure (Art. 17): request deletion where there is no overriding lawful basis for continued processing.
• Restriction (Art. 18): ask us to restrict processing in certain circumstances.
• Portability (Art. 20): request your data in a structured, machine-readable format.
• Objection (Art. 21): object to processing based on legitimate interests; we will stop unless we can demonstrate compelling legitimate grounds.
• Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior lawful processing.

To exercise these rights, contact privacy@formward.eu or use your account settings. We will respond within the statutory period (generally one month). You also have the right to lodge a complaint with a supervisory authority. In Sweden, this is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), or the supervisory authority in your country of residence.

Where the personal data relates to a submission you made through a form operated by a Formward customer, that customer is the controller; please direct your request to them. We will assist the customer in responding as their processor.

9. Retention

• Form submissions: retained according to the plan and the retention window configured by the customer, unless deleted earlier.
• Account data: retained while your account is active; after account deletion we remove your email and associated data within a reasonable period, except where retention is required by law.
• Pseudonymised IP addresses (submissions): retained for the same period as the submission they are associated with. Pseudonymised IPs captured for audit trails (DPA acceptance, operator actions) are retained for as long as we keep the associated audit record.
• Billing records: retained for the period required by applicable tax and accounting legislation.
• Backups: data may persist in encrypted backups for a limited period after deletion before being overwritten on the normal backup-rotation cycle.

10. Security

We apply technical and organisational measures proportionate to the risk:

• passwords are salted and hashed (better-auth) before storage;
• IP addresses are pseudonymised with a keyed hash (HMAC-SHA-256 with a secret salt) immediately on receipt; raw IP values are never persisted;
• data is encrypted in transit (TLS 1.2+) and at rest;
• access to production systems follows the principle of least privilege and is limited to authorised personnel;
• all infrastructure is located within the EU (Sweden).

See our Security page for more detail. No system is completely secure; if you believe you have found a vulnerability, contact security@formward.eu.

11. Children

The Service is not directed at children. Consistent with GDPR Article 8, we do not knowingly collect personal data from children under 16 without the consent of a parent or legal guardian. If you believe a child has provided us with personal data without appropriate consent, contact us and we will delete it promptly.

12. Your responsibilities as a customer (controller)

When you use Formward to collect submissions, you are an independent controller of your end-users' personal data. You are responsible for:

• having a valid lawful basis for collecting and processing the data your forms gather;
• publishing your own privacy notice to your end-users describing how you use their data and that Formward processes it on your behalf;
• responding to data-subject requests relating to submissions you collect (we will assist as your processor);
• not using the Service to collect special-category data without appropriate safeguards.

A Data Processing Agreement (DPA) governing our processing on your behalf is available, and can also be requested from privacy@formward.eu.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date and, where appropriate, notify registered users by email. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

14. Contact

For any questions about this policy or our data practices, contact us at:

[LEGAL ENTITY]
[ADDRESS]
Privacy / DPO: privacy@formward.eu
General: team@formward.eu