Privacy Policy

Effective date: March 29, 2026

NodumForms ("NodumForms," "we," "us," or "our") operates the website nodumforms.com and the NodumForms platform (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our Service. It also describes the choices available to you regarding your personal data and how you can contact us about our privacy practices.

By accessing or using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.

1. Information We Collect

We collect several types of information depending on how you interact with our Service. This includes information you provide directly to us, information we collect automatically, and information collected through the forms you create and distribute.

1.1 Account Information

When you create an account on NodumForms, we collect information such as:

  • Your name
  • Email address
  • Authentication credentials (managed by our authentication provider, Clerk)
  • Profile photograph (if you choose to upload one)
  • Organisation or company name (if applicable)

1.2 Billing Information

When you subscribe to a paid plan (Pro or Enterprise), we collect billing details through our payment processor, Stripe. This may include:

  • Payment card details (processed and stored exclusively by Stripe; NodumForms does not store full card numbers)
  • Billing name and address
  • Transaction history and invoice records

1.3 Form Response Data

When end users (respondents) fill in forms created using our platform, the responses are stored in our systems on behalf of the form creator (the "Customer"). Form response data may include any information the form creator chooses to collect, such as:

  • Names, email addresses, and other contact details
  • Free-text answers and selections
  • Uploaded files (documents, images, or other files submitted through a form)
  • Metadata about the submission (timestamp, browser type, IP address)

1.4 Usage Data

We automatically collect certain information when you access or use the Service, including:

  • IP address
  • Browser type and version
  • Operating system
  • Pages visited, time spent on pages, and navigation paths within the Service
  • Referring URL
  • Device identifiers
  • Date and time of access

1.5 Cookies and Similar Technologies

We use cookies and similar tracking technologies (such as local storage) to collect and store information about your interactions with the Service. For more detail, see Section 11 ("Cookies and Tracking") below.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing and maintaining the Service: To operate the platform, process form submissions, deliver file uploads, and provide customer support.
  • Account management: To create and manage your account, authenticate your identity, and communicate with you about your account.
  • Billing and payments: To process subscriptions, charge fees, issue invoices, and manage your plan (Free, Pro, or Enterprise).
  • Improving the Service: To understand how users interact with the platform, identify trends, diagnose technical issues, and develop new features.
  • Security and fraud prevention: To detect, prevent, and address technical issues, abuse, fraud, and violations of our Terms of Service.
  • Communications: To send you transactional emails (e.g., account confirmations, billing receipts, security alerts), and, where you have opted in, product updates and marketing communications.
  • Legal compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

We do not sell your personal information or the personal information of your form respondents to third parties. We do not use form response data for advertising purposes.

3. Data Processor Role

NodumForms operates in two distinct capacities with respect to personal data:

  • Data Controller: For the personal data of our Customers (account holders), NodumForms acts as the data controller. We determine the purposes and means of processing your account information, billing details, and usage data.
  • Data Processor: For the personal data contained in form responses submitted by end users (respondents), NodumForms acts as a data processor on behalf of our Customers. The Customer who created the form is the data controller for that response data and is responsible for ensuring they have a lawful basis for collecting it.

As a data processor, we process form response data strictly in accordance with our Customer's instructions and applicable data protection agreements. We do not access, use, or share form response data for our own purposes except as necessary to provide, maintain, and secure the Service, or as required by law.

If you are an end user who has submitted a response through a form hosted on NodumForms, your primary point of contact regarding the use of your data is the organisation or individual who created that form. We recommend reviewing the form creator's own privacy policy for information about how your responses are used.

Enterprise Customers may enter into a Data Processing Agreement (DPA) with NodumForms that further defines the terms under which we process form response data. To request a DPA, please contact us at support@nodumforms.com.

4. Legal Basis for Processing

If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, we process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):

  • Performance of a contract (Art. 6(1)(b) GDPR): We process your account and billing information as necessary to perform our contract with you (i.e., to provide the Service under our Terms of Service).
  • Legitimate interests (Art. 6(1)(f) GDPR): We process usage data and certain account data based on our legitimate interests in operating, improving, and securing the Service, provided these interests are not overridden by your data protection rights.
  • Consent (Art. 6(1)(a) GDPR): Where required, we rely on your consent for certain processing activities, such as sending marketing emails. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c) GDPR): We may process your data where necessary to comply with a legal obligation to which NodumForms is subject, such as tax reporting or responding to lawful requests from public authorities.

For form response data processed in our capacity as a data processor, the legal basis for processing is determined by the Customer (form creator) who acts as the data controller.

5. Data Sharing and Third Parties

We share personal data only in the following circumstances and with the following categories of recipients:

5.1 Service Providers (Sub-processors)

We engage trusted third-party service providers who process data on our behalf to help us operate and improve the Service. These providers are contractually obligated to handle your data securely and only for the purposes we specify. Key sub-processors include:

  • Clerk — Authentication and user management. Clerk processes your login credentials, email address, and profile information to authenticate you and manage your sessions.
  • Stripe — Payment processing. Stripe processes your billing information, payment card details, and transaction data to handle subscriptions and payments. Stripe's handling of your data is governed by the Stripe Privacy Policy.
  • Cloud infrastructure providers — We use cloud hosting and database services (including PostgreSQL database hosting) to store and process your data securely.
  • File storage providers — Uploaded files submitted through forms are stored with cloud storage infrastructure.
  • Email delivery services — Transactional and notification emails may be sent through third-party email providers.

5.2 Legal Requirements

We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to:

  • Comply with a legal obligation or lawful government request
  • Protect and defend the rights or property of NodumForms
  • Prevent or investigate possible wrongdoing in connection with the Service
  • Protect the personal safety of users of the Service or the public

5.3 Business Transfers

If NodumForms is involved in a merger, acquisition, asset sale, or similar business transaction, your personal data may be transferred as part of that transaction. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.

5.4 With Your Consent

We may share your personal information for other purposes with your explicit consent.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected and as described in this Privacy Policy, unless a longer retention period is required or permitted by law.

  • Account data: We retain your account information for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal, accounting, or audit purposes.
  • Form response data: Form responses are retained for as long as the form creator's account is active and the form exists. When a Customer deletes a form or their account, associated response data is permanently deleted within 30 days.
  • Uploaded files: Files submitted through forms are retained under the same terms as form response data. When the associated form or account is deleted, uploaded files are permanently removed within 30 days.
  • Billing records: We retain billing and transaction records for a minimum period required by applicable tax and accounting laws (typically 7 years).
  • Usage logs: Aggregated usage data and server logs are retained for up to 12 months for analytics and security purposes, after which they are deleted or anonymised.

7. Data Security

We take the security of your data seriously and implement industry-standard technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS (Transport Layer Security)
  • Encryption of data at rest in our databases and storage systems
  • Regular security assessments and vulnerability testing of our infrastructure
  • Access controls and authentication requirements for all personnel accessing production systems
  • Isolated database environments to prevent cross-customer data access
  • Automated backups with encrypted storage to ensure data availability and disaster recovery

While we strive to use commercially acceptable means to protect your personal data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents and notifying affected parties in accordance with applicable law.

8. International Data Transfers

Your information may be transferred to and processed in countries other than the country in which you reside. These countries may have data protection laws that differ from the laws of your jurisdiction.

When we transfer personal data from the EEA, UK, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards to ensure that your data is protected, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The UK International Data Transfer Agreement or Addendum, where applicable
  • Data processing agreements with our sub-processors that include appropriate data protection commitments

Our sub-processors, including Clerk and Stripe, maintain their own data transfer mechanisms and certifications. You may request a copy of the safeguards we use by contacting us at support@nodumforms.com.

9. Your Rights

Depending on your location, you may have certain rights regarding your personal data. We are committed to helping you exercise those rights.

9.1 Rights Under the GDPR (EEA, UK, and Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the following rights under the GDPR:

  • Right of access: You have the right to request a copy of the personal data we hold about you.
  • Right to rectification: You have the right to request that we correct inaccurate or incomplete personal data.
  • Right to erasure: You have the right to request that we delete your personal data, subject to certain legal exceptions.
  • Right to restrict processing: You have the right to request that we limit the processing of your personal data in certain circumstances.
  • Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
  • Right to object: You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

9.2 Rights Under the CCPA (California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to know: You have the right to know what personal information we collect, use, disclose, and sell (if applicable).
  • Right to delete: You have the right to request deletion of the personal information we have collected about you.
  • Right to opt out of sale: We do not sell your personal information. However, you have the right to opt out of the sale of your personal information if we ever do so in the future.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.
  • Right to correct: You have the right to request correction of inaccurate personal information.
  • Right to limit use of sensitive personal information: You have the right to limit our use of sensitive personal information to purposes necessary to provide the Service.

9.3 Exercising Your Rights

To exercise any of the rights described above, please contact us at support@nodumforms.com. We will respond to your request within 30 days (or within the time period required by applicable law). We may need to verify your identity before processing your request.

If your request concerns form response data (i.e., you are an end user who submitted a response through a form created by one of our Customers), please direct your request to the form creator in the first instance, as they are the data controller for that data. If the form creator is unable to assist you, you may contact us and we will work with the form creator to address your request.

10. Children's Privacy

The Service is not directed to individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). NodumForms does not knowingly collect personal information from children under 16. If you are a parent or guardian and you believe your child has provided personal information to us through the Service, please contact us at support@nodumforms.com. If we become aware that we have collected personal information from a child under the applicable age without verified parental consent, we will take steps to delete that information promptly.

Customers are responsible for ensuring that the forms they create comply with applicable laws regarding the collection of personal information from minors, including the Children's Online Privacy Protection Act (COPPA) in the United States and equivalent regulations in other jurisdictions.

11. Cookies and Tracking

We use cookies and similar technologies to enhance your experience, analyse usage patterns, and support the functionality of the Service.

11.1 Types of Cookies We Use

  • Essential cookies: These cookies are strictly necessary for the Service to function. They include session cookies used for authentication (managed by Clerk), security tokens, and preferences required for the platform to operate correctly. These cookies cannot be disabled.
  • Functional cookies: These cookies enable enhanced functionality and personalisation, such as remembering your preferences, language settings, and recently accessed forms.
  • Analytics cookies: These cookies help us understand how visitors interact with the Service by collecting information about pages visited, time spent on the site, and error messages encountered. This data is aggregated and anonymised where possible.

11.2 Third-Party Cookies

Some cookies may be set by third-party services we use, including Clerk (for authentication) and Stripe (for payment processing). These third parties may use cookies in accordance with their own privacy policies.

11.3 Managing Cookies

Most web browsers allow you to control cookies through their settings. You can set your browser to refuse cookies or to alert you when a cookie is being set. Please note that disabling essential cookies may prevent you from using certain features of the Service, including logging in to your account.

We do not use cookies or tracking technologies on public form pages (i.e., the pages where respondents fill in forms) for advertising or cross-site tracking purposes. Any cookies set on form pages are limited to those strictly necessary for form functionality and submission.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable laws. When we make material changes to this Privacy Policy, we will:

  • Update the "Effective date" at the top of this page
  • Provide a prominent notice on our website or within the Service (such as a banner or in-app notification)
  • Send an email notification to registered users for significant changes that affect how we handle personal data

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of those changes.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For data protection inquiries specific to the GDPR, you may also contact us at the email address above with the subject line "GDPR Inquiry." We will endeavour to respond to all legitimate requests within 30 days.