Create Form

Privacy Policy

Last updated: May 13, 2026

Information We Collect

We collect information you provide directly, such as your name, email address, account credentials, billing details, support messages, forms you create, files you upload, and responses submitted through your forms. We also collect technical information such as IP address, browser and device details, page visits, and usage events needed to operate, maintain, and secure the service.

How We Use Your Information

We use personal data to provide the service, authenticate accounts, process subscriptions and payments, maintain backups, respond to support requests, improve the product, prevent abuse, investigate security incidents, comply with legal obligations, and send service-related messages. Where required by law, we rely on consent, contractual necessity, legitimate interests, or another lawful basis that applies to the processing. We do not send marketing or promotional communications. Service-related messages — form-event notifications, account messages, password resets, and security alerts — are sent only based on your account configuration or the subscriptions you have explicitly enabled.

Data Storage

Your data is stored on servers and infrastructure providers we use to operate Oformo. Personal data is processed within the European Union; some sub-processors listed in the Data Sharing section operate from other jurisdictions under appropriate transfer safeguards. We keep account information, forms, and submissions while your account is active. Audit logs covering notification delivery and security events are retained for 12 months. Uploaded files that are no longer referenced by an active form are removed after 30 days. Server backups are kept on a rolling 7-day window. When you request account deletion, we apply a 72-hour grace period before permanent removal so the request can be cancelled if made in error. Billing and tax records are retained for the period required by applicable tax law in the relevant jurisdiction.

Data Sharing

We do not sell personal data. We work with the following sub-processors that help us run Oformo: Hetzner Online GmbH (Germany) for application hosting and backup storage; Amazon Web Services EMEA SARL (Ireland) for outbound transactional email; Cloudflare, Inc. (United States) for domain registration, DNS, CDN, reverse proxy, and TLS termination; Google Cloud EMEA Limited (Ireland) for inbound support email; and LemonSqueezy (United States) for payment processing and as Merchant of Record for paid subscriptions. Transfers to the United States rely on the EU-US Data Privacy Framework, or on Standard Contractual Clauses where the framework is unavailable. We may also disclose information when required by law, to enforce our terms, to protect the rights or safety of Oformo, our users, or others, or in connection with a merger, acquisition, financing, or asset sale.

Form Owners and Respondent Data

When personal data is collected from respondents through forms hosted on Oformo, the form owner who configured the form is the controller for that data, and Oformo acts as a processor on the form owner's instructions. Form owners are responsible for providing respondents with the required notices, identifying the lawful basis for the collection, and obtaining any consent required by applicable law before collecting data through Oformo. Transactional notifications that Oformo sends to respondents — such as submission confirmations or status updates — are triggered by the form owner's configuration and are sent on the form owner's instructions as part of operating the form. Form owners must not use Oformo to send marketing or promotional communications to respondents without a lawful basis and, where required, the respondent's consent; the form owner remains responsible for compliance with applicable electronic-marketing rules (such as ePrivacy Article 13 for EU recipients) when those rules apply to their communications.

Cookies

We use cookies and similar browser-storage entries only for what is strictly necessary to provide the service you have requested. In line with Article 5(3) of the ePrivacy Directive, we do not store or access any information on your terminal equipment beyond that necessity, and we do not seek your consent for any additional purpose because we set none. The first-party cookies we set are: PHPSESSID, which keeps you signed in for up to 30 days; oformo_form_lang, which remembers the language you selected for form rendering for up to 365 days; oformo_tk_<formUuid>, which is set only when you open a share link and stores the access token needed to honour that link, for up to 30 days; and oformo_<formUuid>, a per-form submission counter that prevents abuse on public forms by enforcing a one-per-person rate limit, kept for up to 365 days. Our reverse-proxy provider, Cloudflare, sets two third-party cookies for security and anti-abuse: __cf_bm, used for bot management (about 30 minutes), and cf_clearance, set after you successfully pass a Cloudflare security challenge so that you do not have to repeat it (about 30 days). On oformo.com, the form builder uses browser localStorage entries to remember user-interface state and in-progress drafts while you are using the builder (tb_view, tb_collapsed, and oformo_draft_<formId>). It also writes oformo_guest, which holds the sign-in credentials (a username and access token) for an anonymous guest account created when someone builds a form without registering, so that the same browser can sign back into that guest account on later visits. When an Oformo form widget is embedded on a third-party site, the widget writes a single localStorage entry named oformo, holding access tokens and draft identifiers that are strictly necessary for the widget to operate. We do not use any third-party analytics, advertising, or tracking cookies. You can manage cookies through your browser settings, but disabling them may prevent parts of the service from working correctly.

Your Rights

Depending on your location, you may have rights to access, correct, export, delete, restrict, or object to our processing of your personal data, and to withdraw consent where processing is based on consent. You can update some account information through your settings, and you can request additional help or a copy of your data by contacting us. We may need to verify your identity before fulfilling a privacy request.

Children

Oformo is not directed to children under 16, and we do not knowingly collect personal data from children under 16 for our own purposes. Users who create forms are responsible for making sure any collection of children's data through those forms complies with applicable law and includes any required parent or guardian consent.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or the service. When we do, we will update the "Last updated" date on this page, and if changes are material we may also provide notice through the site, within the product, or by email.

Contact

If you have questions about this Privacy Policy or want to exercise a privacy right, contact us at privacy@oformo.com.