Privacy Policy

1. Introduction

RapidForm ("we", "us", "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our form builder platform at rapidform.com ("the Service").

2. Information We Collect

Account Information: When you register, we collect your name, email address, and password. If you upgrade to a paid plan, payment is processed through Stripe — we do not store your credit card details.

Form Data: When someone submits a form you created, we collect and store the submission data on your behalf. This may include any information the form respondent provides (name, email, phone, file uploads, etc.). You are the data controller for this data; we are the data processor.

Usage Data: We collect information about how you use the Service, including form views, submission counts, pages visited, and feature usage. This helps us improve the product.

Technical Data: We automatically collect IP addresses, browser type, device information, and referring URLs for form submissions (stored as submission metadata) and for security purposes (rate limiting, spam prevention).

3. How We Use Your Information

• To provide, maintain, and improve the Service.
• To process payments and manage subscriptions.
• To send email notifications about form submissions (as configured by you).
• To send service-related communications (account updates, security alerts, billing).
• To enforce our Terms of Service and prevent abuse.
• To provide customer support.
• To generate anonymized, aggregated analytics about Service usage.

4. Data Sharing

We do not sell your personal data. Ever. We share data only with:

• Stripe: For payment processing. Subject to Stripe's Privacy Policy.
• OpenAI: If you use the AI form builder, your prompt is sent to OpenAI to generate form structures. No submission data is shared with OpenAI.
• Cloudflare: For custom domain SSL provisioning and CDN services.
• Email providers: To deliver notification emails about form submissions.
• Webhook endpoints: If you configure webhooks, submission data is sent to your specified URLs.

We may also disclose information if required by law or to protect our rights.

5. Data Storage and Security

Your data is stored on secure servers. We implement appropriate technical and organizational measures to protect your data, including:

• Encryption in transit (HTTPS/TLS).
• Signed URLs for file upload access.
• Honeypot fields and rate limiting for spam prevention.
• CSRF protection on all form submissions.
• Hashed passwords (bcrypt).
• Role-based access control for team workspaces.

6. Data Retention

We retain your account data for as long as your account is active. Form submissions are retained until you delete them or delete your account. Deleted submissions are soft-deleted and permanently removed within 30 days. Upon account deletion, all associated data (forms, submissions, workspaces, integrations) is deleted within 30 days.

Submission quota records are retained for billing accuracy and are not affected by submission deletion.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access: Request a copy of your personal data.
• Rectification: Correct inaccurate data.
• Deletion: Request deletion of your data.
• Portability: Export your submissions as CSV.
• Restriction: Request we limit processing of your data.
• Objection: Object to certain processing of your data.

To exercise these rights, contact us at [email protected].

8. GDPR Compliance

For users in the European Economic Area (EEA), we process personal data under the following legal bases:

• Contract: Processing necessary to provide the Service you signed up for.
• Legitimate interest: Analytics, security, and product improvement.
• Consent: Where explicitly provided (e.g., marketing emails).

As a form builder, you are the data controller for data collected through your forms. We act as a data processor. You are responsible for providing appropriate privacy notices to your form respondents.

9. Cookies

We use essential cookies for authentication and session management. We do not use third-party tracking cookies or advertising cookies. Embedded forms do not set cookies on the hosting website.

10. Children's Privacy

The Service is not intended for children under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us.

11. Third-Party Links

Forms created with RapidForm may be embedded on third-party websites. We are not responsible for the privacy practices of those websites.

12. Changes to This Policy

We may update this policy from time to time. We will notify users of material changes via email. Continued use of the Service after changes constitutes acceptance.

13. Contact

For privacy-related questions or requests, contact us at [email protected].