Forms Expert
Start Free
Legal

Privacy Policy

How we collect, process, and protect personal data when you use Forms Expert and the forms you build with it.

GDPRLast updated: June 5, 2026forms.expert
OverviewData we collectHow we use itLegal basisSharing & processorsRetentionYour rightsSecurityContact

Overview

Forms Expert (“we”, “us”) operates the form delivery engine at forms.expert. This policy explains what personal data we process as a controller for our own account holders and visitors, and as a processor for the form submissions our customers collect through us. We process personal data in line with the EU General Data Protection Regulation (GDPR).

GDPR is the only compliance framework we reference here. We do not claim HIPAA, SOC 2, ISO, or eIDAS certification.

Data We Collect

We collect only what we need to run the service:

  • Account data — name, email, and authentication details when you create a Forms Expert account.
  • Billing data — handled by our payment processor (Stripe); we store plan, status, and the last four digits of a card, never full card numbers.
  • Form submissions — the responses people send through forms you build. You are the controller of this data; we process it on your behalf.
  • Uploaded files — stored on S3 with SHA-256 checksums and validated by MIME and schema checks. We do not perform antivirus scanning.
  • Usage & consent — cookie-consent choices and basic product analytics. We do not store visitor country or region for consent records.

How We Use It

We use personal data to provide and secure the service: to deliver forms across the hosted page (/h/{slug}), the embeddable widget (/e/{slug}), and the REST API; to route submissions to your configured destinations (email, Telegram, and signed webhooks); to bill your plan; and to protect forms with honeypot, rate limiting, and CAPTCHA. We do not sell personal data.

Depending on the activity, we rely on one of the following lawful bases under Article 6 GDPR:

  • Contract — to provide the service you signed up for.
  • Legitimate interests — to secure, maintain, and improve the product.
  • Consent — for non-essential cookies and, where you act as controller, for the submissions you collect.
  • Legal obligation — to meet tax, accounting, and regulatory duties.

Sharing & Sub-Processors

We share data only with the processors needed to operate Forms Expert, under data-processing agreements:

  • Stripe — payment processing.
  • Anthropic — AI form generation, when you use that paid feature.
  • DeepL — content translation, on the Business plan.
  • Cloud infrastructure & S3 storage — hosting and file storage.

Data Retention

We keep account data for as long as your account is active and for a limited period afterward to meet legal obligations. Form submissions are retained according to your plan and your own settings; you can export or delete them at any time. Deleting your account removes associated personal data, subject to lawful retention requirements.

Your Rights

Under the GDPR you have the right to access, rectify, erase, restrict, and port your personal data, and to object to certain processing. To exercise these rights, contact us using the details below. If we process data on a customer’s behalf, we will refer the request to that customer as the controller.

Security

We protect data in transit and at rest, scope access to what each role needs, and apply anti-abuse controls on forms (honeypot, rate limiting, CAPTCHA). Custom domains are verified via CNAME or TXT records. No method of transmission or storage is perfectly secure, and we do not claim certifications we do not hold.

Contact

Questions about this policy or your data? Reach us through our contact form — which, fittingly, runs on Forms Expert itself.