Privacy Policy

This Privacy Policy describes how Appa Digital LLC ("Company," "we," "us," or "our"), operating as FormJet, collects, uses, and protects your personal information when you use our form builder platform at formjet.app (the "Service").

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Email address
• Name (optional)
• Profile picture URL (if using Google sign-in)

1.2 Payment Information

Payment processing is handled by Stripe, Inc. We store your Stripe Customer ID and Subscription ID but never store your credit card number, CVV, or full payment details. See Stripe's Privacy Policy.

1.3 Form Response Data

When respondents fill out forms created by our users, we collect:

• Answers to form questions (content determined by the form creator)
• Hashed IP address (SHA-256, non-reversible — we do not store raw IP addresses)
• Browser user agent string (truncated to 500 characters)
• HTTP referrer URL (truncated to 2,000 characters)
• Submission timestamp

1.4 Usage and Analytics Data

We collect internal analytics to improve the Service:

• Form view counts
• Form start, completion, and drop-off events
• Session identifiers (randomly generated UUIDs, not tied to personal identity)

We do not use third-party analytics services (Google Analytics, etc.). All analytics data is stored internally.

1.5 AI Feature Data

When you use AI-assisted features (e.g., the AI Chat Bar to generate or modify questions), we send the following to our AI provider (Anthropic):

• Your form title
• Your existing question titles and types
• Your natural language instruction

We never send form response data, respondent personal information, or your account details to AI providers.

2. How We Use Your Information

3. Third-Party Services

We share data with the following third-party services as necessary to operate the platform:

• Supabase (Authentication) — Email address, OAuth tokens. Privacy Policy
• Stripe (Payments) — Customer ID, subscription data. Privacy Policy
• Anthropic (AI features) — Form question metadata only. Privacy Policy
• Upstash (Rate limiting) — Hashed identifiers only. Privacy Policy
• Neon (Database hosting) — All stored data. Privacy Policy
• Vercel (Hosting) — Server logs, request metadata. Privacy Policy

User-Configured Integrations

If you enable integrations, form response data may be shared with additional third-party services at your direction:

• Google Sheets — Responses appended to your spreadsheet (requires your OAuth consent)
• Slack — Response notifications posted to your channel (requires your OAuth consent)
• Email (via Resend) — Response summaries sent to your email
• Webhooks — Response data sent to URLs you configure

4. Data Retention

• Account data: Retained while your account is active. Deleted within 30 days of account closure.
• Form responses: Retained until you delete them or close your account.
• Deleted forms: Soft-deleted (recoverable for 30 days), then permanently deleted.
• Analytics events: Retained for 12 months, then purged.
• Rate limit data: Automatically expires (60 seconds to 30 days depending on type).

5. Data Security

We implement the following security measures:

• All data transmitted over HTTPS/TLS encryption
• IP addresses hashed with SHA-256 before storage (non-reversible)
• Database hosted on Neon with encryption at rest
• Authentication via Supabase with industry-standard session management
• Payment data handled exclusively by PCI-DSS compliant Stripe
• HTML content sanitized to prevent XSS attacks
• CSV exports sanitized against formula injection
• Webhook URLs validated to prevent SSRF attacks
• Rate limiting on all public endpoints

6. Your Rights

6.1 All Users

• Access: Export your form responses at any time in CSV format.
• Deletion: Delete your account and all associated data from the Settings page.
• Portability: Download your data before deleting your account.

6.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights:

• Right to Know: Request a copy of the personal information we have collected about you.
• Right to Delete: Request deletion of your personal information.
• Right to Opt-Out of Sale: We do not sell your personal information to third parties.
• Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact us at privacy@formjet.app.

6.3 EEA/UK Residents (GDPR)

If you are in the European Economic Area or United Kingdom, you have rights under the GDPR including access, rectification, erasure, restriction, portability, and objection. Our legal basis for processing is contract performance (providing the Service) and legitimate interests (preventing abuse, improving the Service). Contact us at privacy@formjet.app to exercise your rights.

7. Cookies

We use the following cookies:

• Authentication cookies (Essential) — Set by Supabase to maintain your login session. These are strictly necessary and cannot be disabled.

We do not use advertising cookies, tracking cookies, or third-party analytics cookies.

8. Children's Privacy

The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you are a form creator collecting data from minors, you are responsible for complying with COPPA and obtaining verifiable parental consent.

9. International Data Transfers

Your data may be processed in the United States where our servers and service providers are located. By using the Service, you consent to the transfer of your information to the United States.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice on the Service at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision.

11. Contact Us

For privacy-related inquiries, contact us at:

Appa Digital LLC (d/b/a FormJet)
Email: privacy@formjet.app