Privacy Policy
Effective 2026-06-29 · Version 2026-06-29
This Privacy Policy explains how Form Plume ("we", "us") handles personal data in connection with Form Plume (the "Service"). It is aligned with the EU General Data Protection Regulation (GDPR) and the Brazilian Lei Geral de Proteção de Dados (LGPD). It does not constitute legal advice.
1. Two distinct roles
We handle personal data in two roles. For data about you as our customer (your account and billing details), we are the data controller. For the form submissions you receive through the Service, which may contain personal data about your end users, you are the controller and we act as your processor, handling that data on your instructions.
2. Personal data we collect
As controller of account data, we collect:
- account data: name, email address, password hash or federated sign-in identifier, and locale;
- usage and diagnostic data: log data, request and trace identifiers, IP address, and device or browser information;
- billing data: plan, subscription status, and limited transaction metadata (card data is handled by our payment provider, not by us).
As processor, we store the submissions your forms receive. The fields and any personal data they contain are determined by you and your end users, along with technical metadata such as IP address, user agent, referrer, and timestamp captured for spam protection and delivery.
3. How and why we use data (legal bases)
For account data we rely on the following legal bases under GDPR Article 6 and LGPD Article 7:
- performance of a contract, to provide and operate the Service and process submissions on your behalf;
- legitimate interests, to secure the Service, prevent abuse and spam, and improve reliability;
- legal obligation, to meet tax, accounting, and other legal requirements;
- consent, where we ask for it, such as optional communications, which you can withdraw at any time.
As processor we use submission data only to provide the Service: to store, search, notify, route, and forward submissions per your configuration, and to apply the spam and abuse controls you enable.
4. Retention
We retain account data for as long as your account is active and as needed to meet legal obligations. Submission retention follows your plan and settings; by default, free-plan submissions are retained for 30 days and paid-plan submissions for one year, after which payloads are expired and removed. You can delete submissions earlier from your dashboard.
5. Sub-processors and sharing
We use a small set of service providers (sub-processors) to run the Service. They process data only on our instructions and under contract. Current categories include:
- cloud hosting and database infrastructure;
- object storage for file uploads;
- transactional and bulk email delivery providers;
- our payment provider, acting as merchant of record for billing;
- error tracking and logging, with personal data and secrets scrubbed.
We do not sell personal data. We share data only with these providers, when you direct us to (for example, your configured webhooks and notification recipients), or when required by law.
6. International transfers
Personal data may be processed in countries other than your own. Where data leaves the EEA, UK, or Brazil, we rely on appropriate safeguards such as Standard Contractual Clauses or an adequacy decision, as applicable.
7. Your rights
Subject to applicable law, you have the right to access, rectify, erase, restrict, and object to the processing of your personal data, and the right to data portability and to withdraw consent. Under LGPD you also have the right to information about sharing and to review automated decisions.
To exercise these rights as our customer, contact danilo@formplume.com. If you are an end user who submitted a form, your request usually goes to the site or business that operates the form (our customer, the controller); we will help that customer respond. You also have the right to lodge a complaint with your supervisory authority (in the EU) or the ANPD (in Brazil).
8. Data Processing Addendum
If you process personal data of your end users through the Service, a Data Processing Addendum governing that processing is available on request at danilo@formplume.com.
9. Security
We apply technical and organizational measures appropriate to the risk, including encryption in transit, scoped access controls, tenant isolation, signed webhooks, and secret management. No method of transmission or storage is perfectly secure, but we work to protect your data and to notify you of incidents as required by law.
10. Children
The Service is not directed to children and we do not knowingly collect their personal data as controller. As a customer, you are responsible for any age-related notices and consents for the forms you operate.
11. Changes and contact
We may update this Policy. Material changes update the version date above and, where required, we will seek your renewed consent. Questions and privacy requests can be sent to danilo@formplume.com.
Related policies