Privacy Policy
Last updated: May 10, 2026
This policy explains what FormFeed (operated by Internection LLC, 54 Farrand Drive, Parsippany, NJ 07054) collects, why, and how we handle it. We try to collect as little as possible to run the service.
1. Account information
When you sign up we store your email address and a one-way hash of your password (bcrypt, cost 12). If you enable two-factor authentication we store a TOTP secret and hashed backup codes. We do not store your password in a readable form.
2. Billing information
Payment details are handled by Stripe. We never see or store your full card number. We store your Stripe customer ID, the plan you're on, and the status of your subscription so we can enforce plan limits and show you what you're paying for.
3. Form submissions
When one of your site's visitors submits a form to us, we store:
- The fields they submitted (the form data itself)
- The IP address the submission came from
- Their browser's user-agent string
- The page URL the form was submitted from (the Referer header)
- A timestamp
- Whether the submission tripped our honeypot (i.e. was flagged as spam)
We use this data only to deliver the submission to you and to protect against spam and abuse (rate limiting, blocking scrapers). We do not sell submission data, use it to build profiles, or share it with advertisers.
Note for form operators: because you control the form, you decide what your visitors submit. It's your responsibility to tell your visitors — through your own site's privacy notice — that you use FormFeed to process submissions.
4. How we use data
- Deliver form submissions to the notification email you configured
- Authenticate you and keep you logged in
- Bill you for the service and handle subscription changes
- Send transactional emails (verification, password reset, usage warnings, billing events)
- Enforce plan limits and detect abuse
We do not use your data for advertising, behavioral profiling, or marketing email beyond transactional and account communications.
5. Legal basis for processing (GDPR)
For users in the European Economic Area, our legal basis for collecting and processing personal data depends on the data and the context:
- Performance of a contract — to provide the service you signed up for
- Legitimate interests — to secure the service, prevent abuse, and operate billing
- Consent — where you have explicitly opted in
- Legal obligation — to comply with applicable law
If you don't provide certain personal data, we may be unable to provide some services to you.
6. Third-party services and sub-processors
We share limited data with a small number of service providers, each acting as a processor on our behalf:
| Sub-processor | Activity | Country |
|---|---|---|
| Stripe | Payment processing and billing | USA |
| Amazon Web Services (SES) | Transactional email delivery | USA |
| DigitalOcean | Server and database hosting | USA |
| Plausible Insights | Privacy-respecting marketing-page analytics (cookieless, no personal data) | Estonia |
| Cloudflare | Bot-challenge (CAPTCHA) service on the signup page (Turnstile) | USA |
We don't sell your data or share it with advertisers. We may update this list by posting changes to this policy.
7. Data retention
- Active accounts: we retain your data while your account is active.
- Canceled subscriptions: your dashboard remains accessible for 90 days so you can export your submissions. After that, stored submissions are purged. Your account row itself remains until you explicitly delete it.
- Deleted accounts: when you request deletion we mark your account and block new logins immediately. After 30 days your account and all associated data — forms, submissions, sessions, verification tokens — are permanently deleted.
We retain only what is necessary for the purposes set out in this policy or to comply with our legal obligations, resolve disputes, and enforce our policies.
8. Your rights
You can:
- Access and export your submissions as CSV from each form's page.
- Delete your account from the Account page.
- Correct or change your email by contacting us (self-service coming later).
- Ask what we have by emailing privacy@formfeed.io — we'll respond within 30 days.
If you live in the EEA, UK, or California, you have additional rights under GDPR or CCPA, including:
- The right to be informed about how your data is processed
- The right to access, correct, or delete the data we hold
- The right to restrict or object to processing
- The right to data portability
- The right to withdraw consent
- The right to lodge a complaint with your local data protection authority (list of EEA authorities)
Email privacy@formfeed.io to exercise any of these rights.
9. Cookies
We use a single session cookie (ff_session) to keep you logged in. It's HTTP-only, signed, marked SameSite=Lax and Secure, and expires 30 days after issuance or when you log out — whichever comes first. We do not use analytics, advertising, tracking, or remarketing cookies of any kind.
For analytics on our marketing pages we use Plausible (cookieless and personal-data-free — see plausible.io/privacy and plausible.io/data-policy).
10. Security
All traffic is encrypted in transit with TLS. Passwords are bcrypt-hashed. Backup codes and session identifiers are hashed or cryptographically signed. No system is completely secure; if we become aware of a breach that affects your data, we'll notify you.
11. Children
FormFeed isn't intended for children under 13 and we don't knowingly collect data from them. If you believe we have, contact us and we'll delete it.
12. International transfers
We operate in the United States, and your data is processed and stored in the US. By using the service you consent to this transfer. Our third-party processors may move data between regions as part of their normal operations.
For transfers of personal data out of the EEA, we rely on appropriate safeguards including Standard Contractual Clauses where required, or transfer to recipients in countries with an adequacy decision from the European Commission.
13. Business transactions
If FormFeed or Internection LLC is involved in a merger, acquisition, asset sale, or bankruptcy proceeding, your information may be transferred to the acquirer as part of that transaction. We will notify you of any such change in ownership or control of your personal data.
14. Disclosure to authorities
We may disclose information when required by valid legal process (court order, subpoena, lawful government request) or where we believe disclosure is reasonably necessary to protect our rights, your safety, or the safety of others, or to investigate fraud or violations of these terms.
15. Changes
We may update this policy. When we make material changes we'll email active subscribers and update the "Last updated" date above.
16. Contact
Privacy questions or requests: privacy@formfeed.io.
Internection LLC
54 Farrand Drive
Parsippany, NJ 07054