FormPapiFORMPAPI

Privacy Policy

Last updated: April 4, 2026

1. Introduction

This Privacy Policy describes how The Pipsail Corporation (“Company,” “we,” “us,” or “our”), operating as FormPapi, collects, uses, stores, and protects your personal information when you use our AI-powered form builder platform accessible at formpapi.com (the “Service”).

We are committed to protecting your privacy and handling your data transparently and responsibly. This Privacy Policy applies to all users of the Service, including form creators (account holders) and form respondents (individuals who submit responses to forms created on our platform).

By using the Service, you agree to the collection and use of information in accordance with this policy. This Privacy Policy should be read in conjunction with our Terms of Service.

2. Information We Collect

We collect the following categories of information:

2.1 Account Information

When you create an account, we collect your name, email address, and password (stored in hashed form). If you sign up via Google OAuth, we receive your name, email address, and profile picture from Google.

2.2 Form Data

We store the forms you create, including form titles, descriptions, questions, field configurations, logic rules, design settings, and all versioned snapshots of your form schemas.

2.3 Submission Data

We collect and store responses submitted to forms created on our platform. The nature of this data depends on what the form creator chooses to collect and may include personal information provided by respondents. Each submission is linked to the specific form version under which it was collected.

2.4 Usage and Analytics Data

We collect information about how you interact with the Service, including pages visited, features used, form completion rates, drop-off analytics, button clicks, and session duration. This data helps us improve the product experience.

2.5 Device and Technical Information

We automatically collect technical information such as your IP address, browser type and version, operating system, device type, screen resolution, referring URL, and time zone. This information is used for security, analytics, and to optimize the Service for different environments.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service: To operate, maintain, and deliver the core functionality of FormPapi, including form creation, response collection, analytics, and integrations.
  • Product improvement: To analyze usage patterns, identify bugs, and develop new features that enhance the user experience.
  • Analytics and insights: To provide form creators with analytics dashboards, including response rates, completion rates, drop-off analysis, and other statistical insights.
  • AI features: To power AI-assisted form generation, content suggestions, and smart field recommendations. Your form content may be processed by third-party AI providers (OpenAI or Anthropic) for this purpose, but submission data is never shared with AI providers.
  • Customer support: To respond to your inquiries, troubleshoot issues, and provide technical assistance.
  • Email communications: To send transactional emails (account verification, password resets, submission notifications), and, with your consent, product updates and announcements. You can opt out of non-essential emails at any time.
  • Security: To detect, prevent, and address fraud, abuse, security vulnerabilities, and technical issues.
  • Legal compliance: To comply with applicable laws, regulations, and legal processes.

4. Data Storage and Security

We take the security of your data seriously and implement industry-standard measures to protect it:

  • Database: All data is stored in PostgreSQL databases hosted on Supabase infrastructure with automated backups and point-in-time recovery.
  • Encryption at rest: All stored data is encrypted using AES-256 encryption.
  • Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.3.
  • Password security: User passwords are hashed using bcrypt with appropriate salt rounds and are never stored in plaintext.
  • Access controls: We implement strict access controls and the principle of least privilege for all personnel who may access production data.
  • Infrastructure: Our application infrastructure is hosted on reputable cloud providers with SOC 2 compliance and regular security audits.

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

5. Form Respondent Data

FormPapi plays a dual role regarding data collected through forms:

  • Form creators are data controllers: If you create forms that collect personal information from respondents, you are the data controller for that information. You are responsible for providing respondents with appropriate privacy notices, obtaining necessary consents, and ensuring your data collection practices comply with applicable laws.
  • FormPapi is a data processor: We process respondent data on behalf of form creators solely to provide the Service. We do not sell respondent data, use it for our own marketing purposes, or share it with third parties except as necessary to provide the Service or as required by law.

Form respondents who wish to access, correct, or delete their submission data should contact the form creator directly. Form creators can manage, export, and delete respondent data through their FormPapi dashboard.

6. Cookies and Tracking

We use cookies and similar tracking technologies to operate and improve the Service:

  • Essential cookies: Required for authentication, session management, and core functionality. These cannot be disabled without impairing the Service.
  • Analytics cookies: We use PostHog for privacy-friendly product analytics. PostHog helps us understand how users interact with the Service, identify issues, and improve the user experience. PostHog is configured to respect user privacy and does not track users across other websites.
  • No third-party advertising cookies: We do not use third-party advertising trackers, and we do not sell your data to advertisers. There are no Facebook pixels, Google Ads trackers, or similar advertising technologies on our platform.

You can manage cookie preferences through your browser settings. Note that disabling essential cookies may affect the functionality of the Service.

7. Third-Party Services

We share data with the following categories of third-party service providers, solely to the extent necessary to operate and deliver the Service:

  • Stripe — Payment processing. When you subscribe to a paid plan, your payment information (card details, billing address) is collected and processed directly by Stripe. We do not store your full payment card details on our servers.
  • Resend — Transactional email delivery. Your email address and name are shared with Resend to deliver account notifications, password resets, and submission alerts.
  • Google OAuth — Authentication. If you choose to sign in with Google, we receive your basic profile information (name, email, profile picture) from Google.
  • Supabase — Database hosting and infrastructure. All form data and submission data is stored on Supabase-managed PostgreSQL instances.
  • OpenAI / Anthropic — AI processing. Form content (not submission data) may be processed by AI providers to power AI-assisted features such as form generation and field suggestions.
  • PostHog — Product analytics. Anonymized usage data is collected to improve the Service.

Each third-party provider is contractually obligated to handle your data in accordance with their own privacy policies and applicable data protection regulations.

8. Data Retention

We retain your data according to the following policies:

  • Account data: Retained for as long as your account is active. Upon account deletion, personal account data is removed within 30 days, though anonymized analytical data may be retained.
  • Form data: Retained for as long as your account is active. Deleted forms are soft-deleted and can be recovered within 30 days, after which they are permanently removed.
  • Submission data: Retained according to the form creator's settings and preferences. Form creators can export and delete submission data at any time. Upon account deletion, all associated submissions are scheduled for permanent deletion within 90 days.
  • Usage and analytics data: Aggregated and anonymized analytics data may be retained indefinitely for product improvement purposes.
  • Backups: Backup copies of data may persist for up to 90 days after deletion as part of our standard backup retention cycle.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Right of access: You may request a copy of the personal data we hold about you.
  • Right to correction: You may request that we correct inaccurate or incomplete personal data.
  • Right to deletion: You may request that we delete your personal data, subject to certain legal exceptions.
  • Right to data portability: You may request an export of your data in a structured, commonly used, machine-readable format (JSON or CSV).
  • Right to restrict processing: You may request that we limit the processing of your personal data in certain circumstances.
  • Right to object: You may object to the processing of your personal data for certain purposes, such as direct marketing.
  • Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time.

To exercise any of these rights, please contact us at hello@formpapi.com. We will respond to your request within 30 days.

10. GDPR Compliance

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the following additional provisions apply:

  • Legal basis for processing: We process your personal data based on (a) your consent, (b) the necessity to perform our contract with you (the Terms of Service), (c) our legitimate interests (improving and securing the Service), or (d) compliance with legal obligations.
  • Data Processing Agreement: A Data Processing Agreement (DPA) is available upon request for form creators who collect personal data from EU/EEA data subjects. Contact us at hello@formpapi.com to request a DPA.
  • EU data subject rights: EU/EEA residents have all rights listed in Section 9 above. You also have the right to lodge a complaint with your local data protection supervisory authority.
  • Data Protection Officer: For GDPR-related inquiries, contact our data protection team at hello@formpapi.com.

11. Children's Privacy

FormPapi is not intended for use by children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children under these ages.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at hello@formpapi.com. We will take prompt steps to delete such information from our systems. Form creators are responsible for ensuring their forms do not knowingly collect information from minors without appropriate parental consent.

12. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your jurisdiction.

When we transfer personal data outside of the EEA, UK, or Switzerland, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the recipient's participation in recognized data protection frameworks. By using the Service, you consent to the transfer of your data to the United States and other countries where our service providers operate.

13. Changes to Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page
  • Notify you via email or a prominent notice within the Service at least 30 days before the changes take effect
  • Where required by law, obtain your consent before applying material changes

We encourage you to periodically review this page for the latest information on our privacy practices.

14. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

The Pipsail Corporation
Operating as FormPapi

Email: hello@formpapi.com
Website: formpapi.com

For GDPR or data protection inquiries, please include “Privacy” in the subject line of your email.