Privacy Policy
Last updated: February 20, 2026
1. Introduction
Polyform ("we," "us," or "our") operates the website located at polyform.to and the Polyform form builder application (together, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.
2. Definitions
- Personal Data means data about a living individual who can be identified from that data (or from that data combined with other information in our possession).
- Usage Data means data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (such as page visit duration and device information).
- Cookies are small files stored on your device that help us improve your experience and analyze Service usage.
- Data Controller means the entity that determines the purposes and means of processing personal data. For your account data, Polyform is the Data Controller.
- Data Processor means an entity that processes data on behalf of the Data Controller. For form response data you collect, Polyform acts as a Data Processor.
- Form Responses means data submitted by respondents through forms you create using our Service.
3. Information We Collect
Personal Data
When you use our Service, we may ask you to provide certain personally identifiable information, including:
- Name and email address
- Profile information (avatar, timezone, locale preferences)
- Team information (team name, logo, branding colors)
- Payment information (processed securely by Polar; we only store subscription status, not payment card details)
- Communications with us (support requests, feedback)
Usage Data
We automatically collect certain information, including:
- Device information (browser type, operating system, screen resolution)
- Approximate location derived from your connection
- Pages visited and features used
- Time and date of your visits
- Browser language and platform
Form Content
We store the forms you create, including questions, settings, themes, and configurations.
Form Responses
When respondents submit data through your forms, that data is stored on our servers. You are the Data Controller for this information, and we process it on your behalf. In addition to the responses themselves, we collect:
- A hashed browser fingerprint, generated per form and used solely for duplicate submission detection. This fingerprint is not used for cross-form or cross-site tracking and is deleted when the associated response is deleted. We collect this based on the form creator's legitimate interest in preventing duplicate submissions.
- Session identifier
- Time spent on each question
Anonymous Analytics
To provide aggregate dashboard analytics (such as world map visualizations and device/browser breakdowns), we collect limited metadata when a form is opened. This data is:
- Not linked to individual responses — it is stored separately and cannot be traced back to a specific respondent or their answers.
- Used only for aggregate statistics visible to form creators in their dashboard.
- Limited to device type, browser, approximate location (country, region, city derived from request headers), and screen resolution.
We do not store IP addresses.
4. How We Collect Information
We collect information in the following ways:
- Directly from you: When you register, create forms, contact support, or otherwise interact with the Service.
- Automatically: Through cookies, log files, and similar technologies when you use the Service.
- From third parties: When you sign in using third-party authentication (Google or GitHub), or through our payment processor (Polar).
5. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our Service
- Process transactions and manage your subscription
- Send you technical notices, updates, and support messages
- Respond to your comments, questions, and requests
- Monitor and analyze trends, usage, and activities to improve the Service
- Detect, investigate, and prevent fraudulent transactions and abuse
- Personalize and improve your experience
- Power AI features such as form generation and theme generation
- Send you marketing communications (with your consent, where required)
6. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), we process your Personal Data based on the following legal grounds:
- Consent: Where you have given us consent to process your data for specific purposes, such as marketing communications.
- Contractual Necessity: Where processing is necessary to provide you with our Service under our Terms of Service.
- Legal Obligation: Where we need to process your data to comply with applicable laws.
- Legitimate Interests: Where processing is necessary for our legitimate interests (such as improving our Service, preventing fraud, and ensuring security), provided these interests are not overridden by your rights.
7. Information Sharing
We do not sell your personal information. We may share your information in the following circumstances:
- Service Providers: We share information with third-party vendors who assist us in operating our Service. Our current subprocessors include:
  - Convex — Database hosting and backend infrastructure (United States)
  - Vercel — Website and application hosting (United States)
  - Polar — Payment processing (European Union)
  - Google — Authentication provider (United States)
  - GitHub — Authentication provider (United States)
  - Anthropic — AI form and theme generation (United States)
- Legal Requirements: We may disclose information if required by law, regulation, or legal process, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business Transfers: If Polyform is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
- With Your Consent: We may share information with your consent or at your direction.
8. Form Respondent Data
When you collect responses through forms created with our Service, you are the Data Controller for that information. This means:
- You are responsible for obtaining appropriate consent from respondents.
- You must provide privacy notices to respondents as required by applicable law.
- You are responsible for handling respondent data in compliance with applicable data protection laws.
- You must respond to data subject requests (access, deletion, etc.) from your respondents.
Polyform acts as a Data Processor for form response data, meaning we process this data on your behalf according to your instructions. A Data Processing Agreement (DPA) is available upon request for customers who require one. Please contact us at hello@polyform.to to request a copy.
We recommend that form creators include a link to their own privacy policy within their forms, or otherwise inform respondents about how their data will be collected and used.
9. Data Storage and Security
Your data is stored on secure servers. We implement appropriate technical and organizational measures to protect your information, including:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest
- Access controls and authentication requirements
- Regular security assessments
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
10. Data Retention
We retain your Personal Data for as long as your account is active or as needed to provide you with our Service. Specific retention periods are as follows:
- Account data: Retained for the lifetime of your account.
- Form responses: Retained until you delete them or delete your account, after which they are permanently removed within 30 days.
- Browser fingerprints: Deleted when the associated form response is deleted.
- Usage logs and analytics: Retained for up to 90 days.
- Backups: Retained for up to 30 days after deletion of the source data.
We will also retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
When you delete your account, we will delete or anonymize your Personal Data within 30 days, except where we are required to retain it for legal purposes.
11. Your Rights
Depending on your location, you may have the following rights regarding your Personal Data:
- Access: Request a copy of the Personal Data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your Personal Data in certain circumstances.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Data Portability: Request a copy of your data in a structured, machine-readable format.
- Object: Object to processing of your Personal Data in certain circumstances.
- Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time.
- Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority.
To exercise any of these rights, please contact us at hello@polyform.to.
12. Cookies and Tracking Technologies
We use cookies and similar technologies to operate our Service:
- Authentication Cookies: Used to maintain your session when signed in.
- Preference Cookies: Remember your preferred sign-in method for convenience.
- Analytics Cookies: Used by our analytics providers (PostHog and Vercel Analytics) to understand how users interact with our Service and to improve it.
For authenticated users, analytics events are associated with your account to help us understand usage patterns. We collect this data based on our legitimate interests in providing and improving our Service.
13. Third-Party Services
Our Service may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you use.
14. Children's Privacy
Our Service is not directed to anyone under the age of 18. We do not knowingly collect Personal Data from children under 13. If we become aware that we have collected Personal Data from a child under 13 without parental consent, we will take steps to delete that information.
15. California Privacy Rights (CCPA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You may request that we disclose the categories and specific pieces of Personal Data we have collected about you, the categories of sources, the business purposes for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your Personal Data, subject to certain exceptions.
- Right to Opt-Out of Sale: We do not sell your Personal Data and have not done so in the preceding 12 months.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To exercise these rights, please contact us at hello@polyform.to. We will respond to verifiable requests within 45 days.
16. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have different data protection laws.
When we transfer Personal Data from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, as applicable. You may request a copy of the relevant transfer safeguards by contacting us at hello@polyform.to.
17. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We may also notify you via email for significant changes.
Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.
18. Contact Us
If you have any questions about this Privacy Policy or our privacy practices, please contact us at:
Email: hello@polyform.to