Privacy Policy

Last updated: Mar 11, 2026

Heapform ("we", "us", "our") provides a form-building platform. This policy describes how we collect, use, and protect your data when you use our services. By using our services, you agree to the collection and use of information in accordance with this policy.

1. Scope and Our Roles

This policy covers two distinct contexts. When you use our website, create an account, or manage billing, we act as the data controller: we determine the purposes and means of processing your personal data. When you use Heapform to collect form submissions from your own visitors, we act as a data processor: we process that data on your behalf according to your instructions. Our Data Processing Addendum applies to that processor relationship.

2. Information We Collect

2.1 Data You Provide

  • Account and profile: Name, email address, and profile picture when you create an account or sign in via our authentication provider.
  • Workspace and form configuration: Workspace name, form settings, notification emails, webhook URLs, and other configuration you choose.
  • Billing: Payment and billing details are handled by our payment provider. We store billing-related identifiers (e.g., customer IDs) and subscription status.
  • Contact and support: Email and message content when you contact us via our contact form or support channels.

2.2 Form Submission Data (Processed on Your Behalf)

When your visitors submit forms through Heapform, we collect and store the data you configure your forms to capture. We also automatically collect technical metadata associated with each submission:

  • IP address
  • Browser type and user agent
  • Referrer URL
  • Country code (derived from IP)

This metadata is stored with submissions, shown in your dashboard, included in exports, and may be sent to webhook endpoints or notification recipients you configure.

2.3 Automatically Collected Data

We use session and authentication technologies (cookies and similar mechanisms) to operate our service and keep you signed in. We use website analytics to understand how our site is used; this analytics data is anonymized and not used to identify you individually.

3. How We Use Your Data

We use your data to:

  • Provide, maintain, and improve our services
  • Authenticate you and manage your account and workspace
  • Process payments and manage subscriptions
  • Send transactional emails (e.g., submission notifications, payment reminders, quota alerts)
  • Deliver form submissions to webhook URLs and notification email addresses you configure
  • Detect and prevent spam, abuse, and security issues
  • Respond to support requests and comply with legal obligations

4. Sharing and Disclosure

We share data with third-party service providers (subprocessors) that help us operate our services. A list is available at /legal/subprocessors. When you configure webhooks or notification emails, submission data (including technical metadata) is sent to the endpoints and addresses you specify.

We may disclose your data when required by law, to protect our rights, or in connection with a merger or acquisition. We do not sell your personal data.

5. Data Retention

We retain account and billing data for as long as your account is active or as needed to provide our services. Form submissions are retained according to the archive setting you configure for each form (e.g., 30, 60, 90, 180, or 365 days, or indefinitely). After the configured period, submissions and associated file attachments are deleted automatically. We may retain some data longer where required by law or to resolve disputes.

6. International Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers in accordance with applicable data protection laws.

7. Security

We implement appropriate technical and organizational measures to protect your data. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.

8. Your Rights

8.1 European Economic Area (GDPR)

If you are in the European Economic Area, you have the right to access, rectify, or erase your data, to restrict its processing, to data portability, and to object. You may also lodge a complaint with your supervisory authority. Contact us at privacy@heapform.com to exercise these rights.

8.2 California (CCPA / CPRA)

If you are a California resident, you may have the right to know what personal information we collect, request deletion of your data, and opt out of the sale of your personal information. We do not sell personal information. To exercise your rights, contact us at privacy@heapform.com.

8.3 Other Rights and Choices

You may request access to, correction of, or deletion of your personal data at any time by contacting us. For data we process on your behalf as a processor (e.g., form submissions), you are responsible for responding to requests from your own data subjects; we will assist you as described in our Data Processing Addendum.

9. Subprocessors

We use third-party subprocessors to operate our services. A list is available at /legal/subprocessors.

10. Children

Our services are not intended for users under 18. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.

12. Contact

For privacy-related questions or requests, contact us at privacy@heapform.com.