Privacy Policy

FormBlade is operated by Zoniax, a company registered in the European Union ("we", "us", "our"). This policy explains how we collect, use, and protect your information in accordance with the EU General Data Protection Regulation (GDPR) and applicable European data protection laws.

1. Information We Collect

Account information: When you register, we collect your email address, first name, last name, and a hashed version of your password. We never store passwords in plain text.

Google Sign-In: If you sign in with Google, we receive your email address, first name, and last name from your Google account. We do not receive or store your Google password.

Google connection: If you connect your Google account, we store OAuth access and refresh tokens securely in our database. We use these tokens to write form submission data to Google Sheets you select. Gmail email sending uses SMTP with app passwords, not OAuth.

Microsoft connection: If you connect your Microsoft account for sending emails, we store OAuth tokens in the same manner as described for Gmail above.

Form submission data: When someone submits a form you created, we store the submission data (form fields, optional IP address, optional user agent) on your behalf. You control what data is collected through your form's privacy settings.

File uploads: Form submissions may include file attachments. Files are stored on our servers with metadata (filename, size, content type). Storage limits apply per plan (100 MB to 10 GB). Files are deleted when their associated submission is deleted or when data retention periods expire.

Usage data: We collect basic usage metrics (page views, feature usage) to improve the service. We do not use third-party tracking or advertising cookies.

Payment information: Payment processing is handled by our payment providers (Paddle, PayPal). We do not store credit card numbers or bank details.

2. How We Use Your Information

• To provide and maintain the FormBlade service
• To authenticate your identity (including via Google Sign-In)
• To send form notification emails via your connected email provider (Gmail, Outlook, or third-party API)
• To send you email notifications about form submissions
• To send transactional emails (verification, password reset, security alerts)
• To enforce plan limits and usage quotas
• To improve the service and fix bugs

We do not sell, rent, or share your personal information with third parties for marketing or advertising purposes. We do not use your data, including data received from Google APIs, for serving advertisements.

3. Google API Services

FormBlade uses Google API Services in two ways:

• Google Sign-In (scope: userinfo.email): To authenticate your identity and create or access your FormBlade account. We receive your email address and name.
• Google Sheets (scope: spreadsheets): When you connect your Google account and configure a Google Sheets integration, FormBlade writes form submission data as rows to the spreadsheet you select. We only access spreadsheets you explicitly configure.

Gmail: FormBlade does not use the Gmail API. Gmail email sending is configured via SMTP with app passwords, which does not require OAuth or access to your Gmail account data.

Token storage: OAuth access tokens and refresh tokens for Google connections are stored securely in our database. Tokens are retained only as long as the connection is active. When you remove the connection or delete your account, all associated tokens are permanently deleted.

Revoking access: You can disconnect your Google account at any time from the Integrations page in your dashboard. This deletes the stored tokens. You can also revoke FormBlade's access directly from your Google Account permissions.

No human access: No human accesses your Google Sheets data, unless required for security purposes, to comply with applicable law, or with your explicit consent.

No advertising use: We do not use any data obtained from Google APIs to serve advertisements, build advertising profiles, or for any purpose other than providing the FormBlade service as described in this policy.

FormBlade's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

4. Microsoft API Services

FormBlade uses Microsoft services in two ways:

• Microsoft Sign-In: To authenticate your identity using your Microsoft or Microsoft 365 account. We receive your email address, display name, and user profile information.
• Microsoft Graph Mail.Send (scope: Mail.Send): When you explicitly connect your Microsoft account on the Connections page, FormBlade can send form notification emails on your behalf via the Microsoft Graph API. We only use this permission to send emails — we do not read, scan, or access your mailbox contents.

Token storage: OAuth access tokens and refresh tokens for Microsoft connections are stored securely in our database, following the same practices described for Google above.

Revoking access: You can disconnect your Microsoft account at any time from the Connections page. You can also revoke FormBlade's access from your Microsoft account app permissions.

No human access: No human reads your Microsoft data or the content of emails sent via the Microsoft Graph API, unless required for security purposes, to comply with applicable law, or with your explicit consent.

FormBlade's use of Microsoft Graph API data complies with the Microsoft APIs Terms of Use.

5. Form Submission Data

You are the data controller for submissions collected through your forms. We act as a data processor on your behalf. This means:

• You decide what data to collect through your form fields
• You configure privacy settings (IP anonymization, consent, retention)
• You are responsible for having a privacy policy for your form users
• We store and process submission data only as needed to provide the service

6. Data Retention

Account data: Retained as long as your account is active. Deleted upon account deletion.

Submission data: Retained according to your form settings and the limits of your current plan. When submissions are deleted, associated files are also removed.

File uploads: Files follow the retention period of their associated submissions and your current plan.

OAuth tokens: Access and refresh tokens for connected email accounts (Gmail, Microsoft) are retained as long as the connection is active. Tokens are deleted when you remove the connection or delete your account.

Compliance presets: If you enable GDPR, CCPA, LGPD, or PIPEDA compliance, default retention periods are applied automatically: GDPR 365 days, CCPA 730 days, LGPD 365 days, PIPEDA 730 days. You can adjust these settings within the options available on your plan.

Analytics data: We store aggregate daily and monthly counters per form (submission count, view count, spam count, notification count) for up to 3 years. These counters contain no personal data — only totals.

Telegram credentials: If you configure Telegram notifications, your bot token and chat ID are stored in the database alongside other form settings. These are deleted when you remove the configuration or delete the form.

7. Data Security

• All data is transmitted over HTTPS (TLS encryption)
• Passwords are hashed with bcrypt
• OAuth tokens and API credentials are stored encrypted in the database
• Database access is restricted to the application server
• IP anonymisation zeroes the last octet of IPv4 addresses (e.g. 1.2.3.4 becomes 1.2.3.0) or the last group of IPv6 addresses
• JWT tokens are used for authentication with short expiry (30 minutes)
• In the event of a data breach involving personal data, we will notify affected users and the relevant supervisory authority within 72 hours as required by GDPR

8. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access your personal data
• Correct inaccurate data
• Delete your account and all associated data
• Export your submission data (CSV, JSON, Excel)
• Disconnect third-party accounts (Google, Microsoft) and delete associated tokens
• Revoke Google access via Google Account permissions
• Revoke Microsoft access via Microsoft app permissions
• Object to certain processing activities

To exercise these rights, contact us at privacy@formblade.com.

9. Cookies

We use minimal cookies:

• Authentication tokens: Stored in localStorage (not cookies) for session management
• Theme preference: Stored in localStorage to remember your light/dark mode choice

We do not use advertising, analytics, or third-party tracking cookies.

10. Third-Party Services

We use the following third-party services to operate FormBlade:

• Google: Google Sign-In for authentication; Google Sheets API for writing form submission data to user-selected spreadsheets. Gmail sending uses SMTP, not OAuth. Google Privacy Policy.
• Microsoft: Microsoft OAuth for authentication; Microsoft Graph API for sending emails on behalf of users who connect their Microsoft account. Microsoft Privacy Statement.
• Cloudflare: CDN, DDoS protection, and DNS. All HTTP requests pass through Cloudflare before reaching our servers. Cloudflare may log IP addresses and request metadata for security purposes. Cloudflare Privacy Policy.
• Email providers: Brevo, Resend, SendGrid, Mailgun, Postmark — used for sending notification emails when users configure these providers or as a global fallback. When you configure a custom SMTP server, your SMTP credentials are stored in our database and used to send emails on your behalf. Each provider has its own privacy policy.
• Telegram: When you enable Telegram notifications, submission data (form field values) is sent to the Telegram Bot API using the bot token you provide. FormBlade acts as an intermediary — messages are delivered to the chat ID you specify. Telegram Privacy Policy.
• Captcha providers: When you enable captcha on a form, the visitor's IP address and captcha response token are sent to the selected provider (Google reCAPTCHA, hCaptcha, Cloudflare Turnstile, or GeeTest) for verification.
• Webhooks: When you configure webhooks, submission data is sent to the external URL(s) you specify. You are responsible for the privacy and security of data received at your webhook endpoints.
• Payment provider: Paddle for subscription billing. We do not store credit card details. Paddle Privacy Policy.

10a. Form Widget & Embedded Forms

FormBlade forms can be embedded on third-party websites via HTML snippets, iframes, or the JavaScript widget. When a visitor loads an embedded form, their browser makes a request to our servers (formblade.com) which passes through Cloudflare. We count page views per form as aggregate numbers (no personal data). The form submission itself is subject to all the same privacy settings configured on that form (IP anonymisation, consent, retention).

11. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases as defined by the GDPR:

• Contract performance (Art. 6(1)(b)): Processing necessary to provide the FormBlade service you signed up for
• Legitimate interest (Art. 6(1)(f)): Service improvement, security monitoring, and fraud prevention
• Consent (Art. 6(1)(a)): Where you have given explicit consent (e.g., connecting your Google account)
• Legal obligation (Art. 6(1)(c)): Where required by EU law (e.g., tax records for paid subscriptions)

12. International Data Transfers

Our servers are located in the European Union (Germany). Submission data is stored and processed within the EU.

When you use Google Sign-In or connect your Gmail account, data is transferred to Google's servers, which may be located outside the EU. Google processes this data under their own privacy policy and applicable data transfer mechanisms.

When you configure third-party email providers (e.g., Brevo, Resend, SendGrid), submission notification data may be transferred to their servers outside the EU. You are responsible for ensuring such transfers comply with applicable data protection laws.

13. Data Protection Officer

For GDPR-related inquiries, you may contact our data protection contact at dpo@formblade.com.

14. Supervisory Authority

If you are in the EU and believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority.

15. Children's Privacy

FormBlade is not intended for use by children under 16. We do not knowingly collect data from children.

16. Changes to This Policy

We may update this policy from time to time. We will notify registered users by email of significant changes. The "Last updated" date at the top reflects the most recent revision.

17. Contact

For privacy-related questions or requests:

Email: privacy@formblade.com
Company: Zoniax