Privacy Policy

Version: 1.0

Last Updated: 2025-12-01

1. Introduction

StaticForm ("we", "our", or "us") is committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. This Privacy Policy explains how we collect, use, store, and protect your personal data.

2. Data Controller

StaticForm is the data controller for your personal data. If you have any questions about this Privacy Policy or our data practices, please contact us at:

  • Email: support@staticform.app

3. Personal Data We Collect

3.1 Account Information

  • Email address
  • External authentication ID (from OAuth providers)
  • Account creation and update timestamps

3.2 Form Submission Data

  • Form submissions and their content
  • File uploads associated with submissions
  • IP addresses (IPv4 and IPv6) for spam prevention
  • HTTP request headers for security analysis
  • Submission timestamps

3.3 Usage Data

  • Form creation and management activities
  • Credit transactions and payment information
  • Collaboration and invitation data
  • Audit logs of system activities

3.4 Cookies

We use HTTP-only cookies for authentication and session management. These cookies are essential for the operation of our service and cannot be disabled.

4. Legal Basis for Processing

We process your personal data based on the following legal bases:

  • Contract Performance: To provide our form submission service as agreed in our Terms of Service
  • Legitimate Interests: For spam prevention, security, and fraud detection
  • Consent: For marketing communications (where applicable)
  • Legal Obligation: To comply with legal and regulatory requirements

5. How We Use Your Data

We use your personal data to:

  • Provide and maintain our form submission service
  • Process form submissions and deliver them to form owners
  • Prevent spam and ensure security
  • Process payments and manage credits
  • Send important service notifications
  • Comply with legal obligations
  • Improve our services (with anonymized data)

6. Data Sharing and Disclosure

We do not sell your personal data. We may share your data with:

  • Service Providers: Cloud storage providers (S3-compatible) for file storage
  • Payment Processors: Stripe for payment processing. Stripe processes payment data in accordance with their Data Processing Addendum, which includes Standard Contractual Clauses (SCCs) approved by the European Commission for international data transfers.
  • Legal Authorities: When required by law or to protect our rights

All third-party service providers are contractually obligated to protect your data and comply with GDPR requirements. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

7.1 Account Data

  • Active Accounts: We retain your account data for as long as your account is active and for a period after account closure as required by law.
  • Inactive Accounts: If you have not logged in for 2 years, we will automatically delete your account and all associated data, except payment information.
  • Payment Information: Payment records are retained for 7 years as required by government regulations for financial administration. This is handled by our payment processor (Stripe) and is separate from your account data.

7.2 Form Submissions

  • Form submissions are retained indefinitely unless you delete them or your account is deleted.
  • You can delete individual submissions at any time through your account.

7.3 Deletion

When your data is deleted, it is permanently removed from our systems and cannot be recovered. We will send you email notifications at 30 days, 7 days, and 1 day before your account is scheduled for deletion due to inactivity.

7.4 Other Data

  • IP Addresses: Stored for spam prevention; may be anonymized after 30 days
  • Audit Logs: Retained for compliance and security purposes

You can request deletion of your data at any time by deleting your account or contacting us.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of Access (Article 15): Request a copy of your personal data
  • Right to Rectification (Article 16): Correct inaccurate or incomplete data
  • Right to Erasure (Article 17): Request deletion of your data
  • Right to Restrict Processing (Article 18): Limit how we use your data
  • Right to Data Portability (Article 20): Receive your data in a machine-readable format
  • Right to Object (Article 21): Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for marketing communications

To exercise these rights, please contact us at support@staticform.app or use the data export and deletion features in your account settings.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit (HTTPS/TLS)
  • Secure authentication mechanisms
  • Regular security assessments
  • Access controls and audit logging
  • Secure file storage

10. Data Breach Notification

In the event of a data breach that poses a high risk to your rights and freedoms, we will:

  • Notify the supervisory authority within 72 hours (Article 33)
  • Notify affected users without undue delay (Article 34)
  • Provide information about the nature of the breach and recommended actions

11. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

11.1 Payment Processing

When you make a payment, your payment data is processed by Stripe, which operates in the United States and other countries outside the EEA. Stripe's Data Processing Addendum includes Standard Contractual Clauses (SCCs) that provide adequate protection for your personal data in accordance with GDPR requirements. Stripe is certified under various security standards and complies with applicable data protection laws.

11.2 Cloud Storage

If we use cloud storage providers (such as AWS S3) located outside the EEA, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses, to protect your data.

12. Children's Privacy

Our service is not intended for children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes and update the "Last Updated" date. Continued use of our service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions, concerns, or wish to exercise your rights, please contact us:

  • Email: support@staticform.app