Privacy Policy
Effective Date: 11 February 2026
Last Updated: 10 March 2026
1. Introduction
FormGenius (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our form builder service at formgenius.co.uk.
FormGenius is operated by 3rd Sector Tech, registered with the Information Commissioner's Office (ICO) under registration number ZC092818.
2. How FormGenius Handles Data
FormGenius handles three distinct types of data, each with different security models:
2a. Form Designs (templates you build)
Free Tier: Your form designs are stored entirely in your browser's localStorage. We cannot see, access, or collect your form designs. When you clear your browser data, your designs are permanently deleted from your device.
Pro Tier: Your form designs are stored on our secure servers to enable cloud saving and cross-device sync. Form designs are protected by strict access controls (only you can access your own projects), encryption at rest on the database server, and TLS encryption for all data in transit. We may have technical access to form design data for the purpose of providing the service, but we will never access, sell, or share your designs.
2b. Form Submissions (data collected from people who fill in your published forms)
Form submissions are encrypted at rest using strong, industry-standard encryption. When someone submits a response to your published web form, the data is transmitted securely via TLS and then encrypted with a unique per-form encryption key before being stored in our database. Only you, the form owner, can view or export your submission data.
2c. PDF Exports
PDF generation happens entirely in your browser. Your form designs are converted to PDF locally using client-side code. The PDF file is never sent to our servers. This applies to all tiers.
3. Data We Collect
3a. Free Tier Users
We collect no personal data from free tier users. No account is required. All form designs and PDF exports are generated and stored locally in your browser.
3b. Pro Tier Users
For Pro tier users who create an account, we collect:
- Email address: For account creation, login, and service communications
- Display name: Optional, for personalisation
- Password: Stored securely by Supabase using bcrypt hashing (we never see your password in plain text)
- Form design data: Project content, including field layouts, labels, styling, and any images you add to your forms
- Project metadata: Project names, creation dates, page counts, storage usage
- Payment information: Processed entirely by Stripe — we never see or store your card details
- AI usage records (Growth and Business tiers): If you use AI-powered features, we record the volume of data processed to manage your monthly credit allowance. No form content or submission data is retained by FormGenius beyond your normal cloud storage for AI purposes.
3c. Form Respondents (people who fill in published web forms)
When someone submits a response to a published web form, their submission data is encrypted server-side and stored in our database. We do not use, analyse, or share submission data for any purpose other than providing the service. The form owner is the data controller for any personal data collected via their forms and is responsible for obtaining appropriate consent from respondents.
4. Data We Do NOT Collect
We explicitly do NOT collect or have access to:
- PDF exports (generated entirely in your browser)
- Free tier form designs (stored in your browser only)
- Identifiable browsing patterns or cross-site tracking data (we use cookieless, anonymised analytics tools only — see Section 9)
- Card numbers, CVVs, or banking details (handled by Stripe)
5. How We Use Your Data
For Pro tier users, we use your data to:
- Provide and maintain your account and cloud storage
- Sync your form designs across your devices
- Store, encrypt, and deliver form submissions to form owners
- Process payments and manage subscriptions via Stripe
- Send important service updates (e.g. security notices, billing changes)
- Enforce storage and usage limits per your subscription tier
- Provide AI-powered features (FormGenius Analysis and AI Content Check) to Growth and Business tier users who activate them, by sending relevant form content or submission data to our AI sub-processor for processing
We do not use your data for advertising, profiling, or any purpose beyond providing the FormGenius service.
6. Data Storage & Security
Free Tier: All data is stored in your browser's localStorage. We have no access to it.
Pro Tier — Form Designs: Stored securely with strict access controls, encryption at rest, TLS encryption in transit, and secure authentication with hashed passwords. Only you can access your own projects.
Pro Tier — Form Submissions: Encrypted at rest using strong, industry-standard encryption. Each form has a unique encryption key accessible only to the form owner. Submissions are also protected by TLS encryption in transit. A database breach alone would not expose submission contents.
7. Your Rights (UK GDPR)
Under the UK General Data Protection Regulation, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate personal data
- Erasure: Delete your account and all associated data
- Data Portability: Export your form designs and submission data
- Withdraw Consent: Opt out of optional data processing at any time
- Lodge a Complaint: Contact the Information Commissioner's Office (ICO) at ico.org.uk
To exercise these rights, contact us at data@formgenius.co.uk
8. Cookies
We use minimal, essential cookies only:
- Authentication cookies: To maintain your login session (Pro tier only). These are strictly necessary and do not require consent under UK GDPR.
- No tracking cookies: We do not use Google Analytics, Facebook Pixel, or any third-party tracking or advertising technologies. We use Vercel Analytics, Vercel Speed Insights, and PostHog for performance monitoring and product analytics — all are configured in cookieless mode and do not set any cookies on your device (see Section 9).
- No advertising cookies: We do not serve ads or participate in ad networks.
9. Third-Party Services
We use the following third-party services to provide FormGenius:
- Vercel: Application hosting, serverless functions, and site analytics. Vercel processes requests to serve the application but does not have access to your stored data. We also use Vercel Analytics and Vercel Speed Insights to monitor site traffic and performance. These tools are cookieless — they do not set cookies or store any data on your device. They collect anonymised, aggregated data such as page URLs, referrer, country, device type, and Core Web Vitals metrics. No personal identifiers are retained. This processing is carried out under our legitimate interest in understanding how the service is used and maintaining its performance. See Vercel's Privacy Policy.
- Supabase: Database, authentication, and cloud storage (Pro tier). Our Supabase instance is hosted in the UK (AWS EU-West-2, London), ensuring all data remains within the UK. Supabase stores data at rest with infrastructure-level encryption. Form submission data has an additional application-level encryption layer (AES-256-GCM).
- Stripe: Payment processing. Stripe handles all payment data directly — we never see or store your card details. See Stripe's Privacy Policy.
- Resend: Transactional email delivery. Used to send submission digest notifications to form owners who opt in to email alerts (Growth and Business tiers). Resend processes the recipient email address and message content. See Resend's Privacy Policy. Only active if you have enabled submission notifications for a form.
- PostHog: Product analytics. We use PostHog (EU cloud, hosted in the European Union) to understand which features are used and how the product is performing. PostHog is configured in cookieless mode — it does not set cookies or store any data on your device. For logged-in Pro tier users, we send your pseudonymous user ID and subscription tier so we can understand feature usage by tier. No email address, form content, or submission data is ever sent to PostHog. Anonymous (logged-out) visitors generate no identifiable records. This processing is carried out under our legitimate interest in improving the service. See PostHog's Privacy Policy.
- Anthropic: AI processing for Growth and Business tier AI-powered features. When you activate an AI feature, relevant data (form content or submission data) is sent to Anthropic's Claude API for processing. Anthropic is based in the United States; the transfer is covered by a Data Processing Agreement incorporating Standard Contractual Clauses, supported by a completed Transfer Impact Assessment. Data is processed transiently and not retained by Anthropic beyond the API request. AI features are entirely opt-in. See Anthropic's Privacy Policy. Only active if you are on a Growth or Business tier and use an AI-powered feature.
We do not use any advertising networks, data brokers, or cookie-based analytics tracking services.
We have Data Processing Agreements (DPAs) in place with all sub-processors listed above. Copies are available on request by contacting data@formgenius.co.uk.
10. Data Retention
- Free Tier: Data is stored in your browser until you clear it. We retain nothing.
- Pro Tier (Active): Data is retained for as long as your account is active.
- Pro Tier (Cancelled): Your data remains accessible until the end of your current billing period. After your billing period expires, cloud data is permanently deleted. We recommend exporting your data before your billing period ends.
- Deleted Accounts: If you choose to delete your account, all associated data is permanently deleted immediately. This action cannot be undone.
- Form Submissions: Submission data is retained according to the form owner's settings. Business tier form owners may configure auto-deletion periods (e.g. 1, 3, 6, 12, or 24 months) for compliance with their own data retention obligations.
11. Form Owners as Data Controllers
If you publish a web form that collects personal data from respondents, you are the data controller for that data under UK GDPR. FormGenius acts as a data processor on your behalf. As a data controller, you are responsible for:
- Having a lawful basis for collecting personal data
- Providing a privacy notice to your respondents
- Responding to data subject access requests
- Ensuring you do not collect more data than necessary
We provide tools to help you meet these obligations, including configurable auto-deletion of submissions, CSV data export, and the ability to view and delete individual submissions.
12. Children's Privacy
FormGenius accounts are not intended for users under 16. We do not knowingly collect personal data from children. If you believe a child has created an account, please contact us immediately and we will delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Pro tier users via email of any material changes. The “Last Updated” date at the top of this page will always reflect the most recent revision. Continued use of FormGenius after changes constitutes acceptance of the updated policy.
14. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact:
3rd Sector Tech (trading as FormGenius)
Data protection enquiries: data@formgenius.co.uk
General enquiries: info@formgenius.co.uk
Website: www.3rdsectortech.co.uk