Privacy policy
How we handle personal data when you use FormTo's marketing site, dashboard, and hosted form endpoints.
Last updated: April 6, 2026
Who we are
FormTo provides hosted form endpoints, a web dashboard, notifications, and related services (collectively, the "Services"). This policy describes how we process personal data in connection with the Services and our public website.
Data Controller: FormTo, operated by its owner in Poland.
Data Protection Officer (DPO): FormTo has not appointed a formal DPO at this time, as it is not required at our current scale under GDPR Art. 37. Privacy-related questions, data subject requests, and complaints should be directed to: contact@formto.dev.
Scope
This policy applies to:
- Visitors to the FormTo marketing website (e.g. pages at our public site domain where this policy is hosted).
- Customers who create an account and use the FormTo dashboard, API, webhooks, email features, and related product functionality.
- End users who submit data through HTML forms, scripts, or other clients configured to post to FormTo-hosted endpoints (e.g. api.formto.dev).
Data we process
The table below summarizes the categories of personal data we process, their sources, and the legal basis under GDPR where applicable.
| Category | Examples | Source | Legal basis |
|---|---|---|---|
| Account / identity | Email, name, profile photo | You (via Clerk) | Contract (Art. 6(1)(b)) |
| Authentication events | Login times, device type, IP address | Clerk | Contract / Legitimate interest (Art. 6(1)(b), (f)) |
| Submission data | All form fields submitted by End Users | End Users via your forms | Contract with Customer; Legitimate interest (Art. 6(1)(b), (f)) |
| Billing | Subscription status, customer ID (not card numbers) | Polar.sh | Contract (Art. 6(1)(b)) |
| Usage & technical logs | API calls, errors, IPs, timestamps | Automatic | Legitimate interest (Art. 6(1)(f)) |
| Support communications | Email content, contact details | You | Legitimate interest (Art. 6(1)(f)) |
| Marketing (if opted in) | Email address for newsletters | You (opt-in) | Consent (Art. 6(1)(a)) |
Purposes and legal bases (EEA/UK)
Where the GDPR or UK GDPR applies, we rely on appropriate legal bases such as: contract (providing the Services you request), legitimate interests (security, abuse prevention, product improvement, and internal analytics that do not override your rights), and legal obligation where required. Where we ask for consent (e.g. certain marketing cookies), you may withdraw it at any time.
Retention periods
We retain personal data for as long as necessary for the purposes described in this policy, and to comply with legal obligations. The specific retention periods are:
| Data type | Retention period |
|---|---|
| Account data | Duration of account + 2 years after closure |
| Submission data | Until deleted by Customer or account closure + 30-day backup window |
| Authentication / session logs | 90 days |
| Billing records | 7 years (Polish accounting law — Ustawa o rachunkowości) |
| Support communications | 2 years after resolution |
| Security / abuse logs | 12 months |
Your responsibilities toward end users
If you embed or configure forms that collect data from your visitors, you are typically an independent controller (or co-controller in some setups) for that relationship. You should provide your own privacy notice to end users, obtain consent where required, and only collect data you are allowed to process. FormTo processes submission data on your instructions to deliver the Services described in our Terms.
Sharing and subprocessors
We share data with service providers who help us run the Services. Each subprocessor is bound by contractual obligations to protect data and process it only on our instructions. The current list of subprocessors is:
| Provider | Purpose | Location |
|---|---|---|
| Clerk | Authentication & identity management | USA (SCCs apply) |
| Polar.sh | Subscription & billing management | EEA / USA (SCCs where applicable) |
| Supabase | Database, file storage & serverless functions | EU (Frankfurt) |
| Netlify / Railway / Vercel | Hosting & infrastructure | USA / EEA (SCCs apply) |
| Resend | Transactional email delivery | USA (SCCs apply) |
SCCs = Standard Contractual Clauses (EU Commission Decision 2021/914). We will notify Customers of changes to this list with at least 14 days' prior notice.
We may also disclose information if required by law or to protect rights, safety, and integrity of the Services.
International transfers
We and our providers may process data in the European Economic Area, the United Kingdom, the United States, and other countries. Where we transfer personal data from the EEA, UK, or Switzerland to countries not deemed adequate by the European Commission, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent mechanisms, unless another valid transfer tool applies.
Security
We implement technical and organizational measures appropriate to the risk, including encryption in transit for submissions to our public API and access controls for the dashboard. A non-legal overview is on our Security & reliability page.
Data breach notification
In the event of a personal data breach affecting Submission Data, FormTo will notify affected Customers within 72 hours of becoming aware of the breach, as required by GDPR Art. 33. The notification will include available details about the nature of the breach, data categories and volumes affected, likely consequences, and mitigation measures taken or planned.
Customers, as controllers of End User data, are responsible for assessing their own obligations to notify supervisory authorities (e.g. UODO) and, where required under GDPR Art. 34, affected End Users.
Your rights (GDPR)
If the GDPR or UK GDPR applies to you, you have the following rights with respect to personal data we hold about you as a Customer or visitor. Response timelines are measured from receipt of a verifiable request:
- Right of access (Art. 15): Obtain confirmation of whether we process your data and receive a copy. We will respond within 30 days.
- Right to rectification (Art. 16): Correct inaccurate or incomplete data. We will act without undue delay.
- Right to erasure / "right to be forgotten" (Art. 17): Request deletion of your data where no overriding legal ground exists. We will respond within 30 days; exceptions apply where retention is required by law (e.g. billing records under Polish accounting law).
- Right to restriction of processing (Art. 18): Request that we limit processing in certain circumstances (e.g. while accuracy is contested).
- Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (e.g. JSON or CSV), where processing is based on consent or contract and carried out by automated means.
- Right to object (Art. 21): Object to processing based on legitimate interests; we will cease processing unless we demonstrate compelling legitimate grounds.
- Right to lodge a complaint: You may lodge a complaint with the Polish supervisory authority, UODO (Urząd Ochrony Danych Osobowych), at uodo.gov.pl, or with the supervisory authority in your country of residence or place of work.
To exercise any of these rights, contact us at contact@formto.dev. We may need to verify your identity before fulfilling a request.
California residents — CCPA rights
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA grants you the following additional rights:
Right to know
You may request that we disclose: (a) the categories of personal information we have collected about you; (b) the categories of sources from which we collected it; (c) the business or commercial purposes for collecting it; (d) the categories of third parties with whom we share it; and (e) the specific pieces of personal information we have collected about you.
Right to delete
You may request deletion of personal information we have collected from you, subject to exceptions (e.g. where retention is required to complete a transaction, detect security incidents, or comply with a legal obligation).
Right to opt out of sale or sharing
FormTo does not sell personal information to third parties, nor does it share personal information for cross-context behavioral advertising purposes. There is nothing to opt out of in this respect.
Right to non-discrimination
We will not discriminate against you for exercising any CCPA rights — we will not deny Services, charge different prices, or provide a different level of quality because you exercised a privacy right.
Shine the Light (Cal. Civ. Code § 1798.83)
California residents may request information about disclosure of personal information to third parties for their own direct marketing purposes during the preceding calendar year. FormTo does not share personal information with third parties for direct marketing purposes.
To exercise CCPA rights, contact us at contact@formto.dev.
Automated decision-making
FormTo does not make automated decisions with legal or similarly significant effects about individuals based on personal data. Automated processes used for abuse detection and rate limiting do not produce individualized decisions affecting legal rights.
Sensitive data
The forms Customers create using FormTo may be configured to collect sensitive categories of personal data (e.g. health information, financial data, or other special categories under GDPR Art. 9), depending entirely on the fields the Customer includes. FormTo does not knowingly collect sensitive data on its own behalf.
Customers are responsible for ensuring they have an appropriate legal basis (e.g. explicit consent under GDPR Art. 9(2)(a)) before collecting special category data through their forms. If you are an End User and have concerns about sensitive data you submitted via a Customer's form, please contact that Customer directly.
Children
The Services are not directed to children. The minimum age to create an Account is 16 years in the EEA (per GDPR Art. 8) and 13 years in the United States (per COPPA). In jurisdictions with a higher minimum age requirement, that local minimum applies. We do not knowingly collect personal data from individuals below the applicable minimum age. If you believe we have inadvertently collected such data, please contact us and we will take appropriate steps to delete it.
Cookies
We use cookies and similar technologies on the marketing site and in the app as described in our Cookie notice.
Changes
We may update this policy from time to time. We will post the revised version on this page and update the "Last updated" date. Where changes are material, we will provide additional notice as appropriate (for example via email or an in-app message).
This policy is provided for transparency. It is not legal advice. For contractual terms governing use of the Services, see our Terms of service.