Privacy Policy

Overview

FormlyIQ ("we," "us," or "our"), operated by The Penny Constellation Team, is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what choices you have — both as a FormlyIQ customer and as a visitor to our marketing website at formlyiq.io.

This policy applies to information collected through our platform, website, API, dashboard, and associated services. It does not apply to information you collect from your own form submitters — you are responsible for your own privacy obligations as a data controller for that data.

Information We Collect

Account information

When you register for a FormlyIQ account, we collect your name, email address, password (hashed using PBKDF2 — never stored in plaintext), and optionally your company name. If you sign in via WorkOS SSO, we receive the profile information provided by your identity provider.

Usage and platform data

We collect data about how you use the platform — forms created, submissions received, integrations configured, API calls made, and feature usage. This helps us improve the product and detect abuse.

Form submission data

When end users submit your forms, their data passes through and is stored on our platform on your behalf. You are the data controller for this submission data; we process it as a data processor under your instructions.

Technical and log data

We collect standard server log data including IP addresses, browser type, operating system, referring URLs, and timestamps. Logs are retained for a limited period and periodically purged to minimize data exposure.

Payment data

Payment card details are handled entirely by Stripe — we never see or store your full card number. We store Stripe customer IDs and subscription metadata to manage your billing relationship.

Communications

If you contact us by email, through our support portal, or via our Report Abuse form, we retain the content of that communication and your contact details to respond to you and improve our support.

How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the FormlyIQ platform and associated services.
• Process and route your form submissions to your configured destinations.
• Authenticate your identity and manage your account and subscriptions.
• Send transactional emails: account verification, password reset, billing receipts, and submission notifications.
• Detect, investigate, and prevent fraud, abuse, spam, and security threats.
• Analyze aggregate usage patterns to improve platform performance and feature development.
• Comply with legal obligations, including lawful requests from regulators and law enforcement.
• Communicate product updates, new features, and important service announcements.

We do not sell your personal data. We do not use submission data collected through your forms to train machine learning models or for any purpose beyond operating the service.

Data Storage & Security

FormlyIQ stores data on Cloudflare's global infrastructure, including Cloudflare D1 (database) and Cloudflare R2 (object storage for file uploads). All data is encrypted at rest and in transit using industry-standard TLS/SSL protocols.

Key security measures include:

• PBKDF2 password hashing — 100,000 iterations, SHA-256, unique salt per user (OWASP compliant)
• SHA-256 hashed session tokens and API keys — never stored in plaintext
• TLS encryption in transit — all platform communication is encrypted end-to-end
• Per-user isolated R2 storage folders — file uploads are namespaced by randomized user folder IDs
• Rate limiting and account lockout — brute force protection on authentication endpoints
• Workspace-level database isolation — every query is scoped to the authenticated workspace

Despite these measures, no platform can guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you in accordance with applicable law.

Cloudflare

FormlyIQ is built on and powered by Cloudflare's platform. Cloudflare provides our CDN (content delivery network), edge compute (Cloudflare Workers), database storage (Cloudflare D1), file storage (Cloudflare R2), and spam protection (Cloudflare Turnstile).

As part of delivering our service, Cloudflare processes certain technical data on our behalf, including:

• IP addresses — used for routing, DDoS protection, and geolocation data in submission analytics
• HTTP request metadata — headers, URLs, user agents, timestamps
• Turnstile signals — browser behavior signals used to distinguish human users from bots (when Turnstile is enabled on your forms)

Cloudflare may also apply its own privacy and security policies to data that flows through its network. FormlyIQ customers using Turnstile on their forms should note that Cloudflare may process form submitters' IP addresses and browser data for spam detection. Review Cloudflare's privacy policy at cloudflare.com/privacypolicy.

Cloudflare is certified under the EU–US Data Privacy Framework. Data stored in Cloudflare D1 and R2 may be replicated globally for redundancy and performance in accordance with Cloudflare's data locality practices.

Google Analytics

Our marketing website (formlyiq.io) uses Google Analytics 4 (GA4) to understand how visitors discover, navigate, and engage with our content. Google Analytics is not installed inside the FormlyIQ application dashboard or on your forms.

Google Analytics collects:

• Pages visited and time spent on each page
• Referral source, search terms, and campaign parameters (UTM)
• Browser type, operating system, screen resolution, and language
• Approximate geographic location (country and city level)
• User interactions such as button clicks, scroll depth, and link clicks

Google Analytics uses cookies and similar tracking technologies to collect this data. The data is transmitted to Google's servers and processed under Google's Privacy Policy at policies.google.com/privacy.

Your choices: You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on, or by adjusting your cookie preferences via our consent banner. We have enabled IP anonymization in our Google Analytics configuration.

Google AdSense

Our marketing website may display advertisements served by Google AdSense. Google AdSense is a third-party advertising network operated by Google LLC. FormlyIQ does not display ads inside the application dashboard or on your forms.

Google AdSense uses cookies, web beacons, and similar technologies to serve ads that are relevant to your interests. These technologies allow Google and its partners to:

• Recognize your browser when you visit our site
• Serve personalized ads based on your browsing history and interests
• Measure the effectiveness of advertising campaigns
• Track conversions and attribution across the web

Google is an authorized third-party vendor under the IAB Transparency and Consent Framework. The data collected by AdSense is governed by Google's Privacy Policy at policies.google.com/privacy and Google's Advertising Policies at support.google.com/adsense.

Your choices: You can opt out of personalized Google advertising by visiting adssettings.google.com or through the Digital Advertising Alliance opt-out page. You may also disable advertising cookies via our cookie preference center.

FormlyIQ does not have access to or control over cookies placed by Google AdSense or its advertising partners. We do not allow any advertiser to pay to have FormlyIQ promote their products through editorial content or AI-generated responses.

Meta Pixel

Our marketing website uses the Meta Pixel (formerly Facebook Pixel), a tracking tool provided by Meta Platforms, Inc. The Meta Pixel is not active inside the FormlyIQ application or on your forms.

The Meta Pixel allows us to:

• Measure the effectiveness of advertising campaigns run on Facebook, Instagram, and Meta's ad network
• Build audiences for retargeting campaigns (e.g., showing ads to visitors who viewed our pricing page)
• Track conversions — such as signups or plan upgrades — that result from Meta ads
• Optimize our ad delivery to reach people more likely to be interested in FormlyIQ

The Meta Pixel collects data including your IP address, browser type, pages visited on our site, and whether you have a Facebook or Instagram account. This data is transmitted to Meta and processed under Meta's Data Policy at facebook.com/privacy/policy.

We have implemented Meta's Advanced Matching features, which may transmit hashed (SHA-256) versions of information you provide on our site (such as email address) to improve ad matching accuracy. This data is hashed before transmission and cannot be reverse-engineered.

Your choices: You can control how Meta uses your data for advertising via your Facebook Ad Preferences or the Your Online Choices page. You may also use our cookie consent banner to decline Meta Pixel tracking.

Third-Party Services

FormlyIQ integrates with and relies on the following third-party services. By using FormlyIQ, you acknowledge that your data may be processed by these providers:

Cookies & Tracking Technologies

FormlyIQ uses cookies and similar technologies (local storage, session storage) on our website and platform. Here is how we categorize them:

Essential cookies

Required for the platform to function. These include session authentication tokens and CSRF protection tokens. You cannot opt out of these while using the platform.

Analytics cookies

Set by Google Analytics on our marketing website. Used to collect anonymized data about how visitors use our site. You can opt out via our consent banner or the Google Analytics opt-out tool.

Advertising cookies

Set by Google AdSense and Meta Pixel on our marketing website. Used to serve relevant advertising and measure ad performance. You can opt out via our consent banner or third-party opt-out tools listed in the relevant sections above.

Managing cookies

You can control cookies through your browser settings. Most browsers allow you to block all cookies, delete existing cookies, or set preferences for specific websites. Note that disabling essential cookies will prevent you from using the FormlyIQ platform.

Data Retention

We retain your data for the following periods:

• Account data — retained while your account is active and for 90 days after deletion
• Form submission data — retained while your account is active; purged 90 days after account termination
• File uploads — stored in R2; deleted when you delete the submission or close your account
• Server logs — automatically purged on a rolling basis (typically 30–90 days)
• Payment records — retained as required by Stripe and applicable financial regulations (typically 7 years)
• Support communications — retained for up to 3 years to support ongoing help requests and compliance

You can export or delete your data at any time from your dashboard. After account deletion, data may persist in backups for up to 90 days before being permanently purged.

Data Sharing

We do not sell your personal data. We share data only in the following circumstances:

• Service providers — Cloudflare, Amazon SES, Stripe, and other providers listed above who process data on our behalf under data processing agreements.
• Integrations you enable — When you connect Notion, Slack, HuggingFace, or Zapier, submission data is shared with those services per your configuration.
• Legal requirements — We may disclose data to comply with a court order, subpoena, regulatory request, or to protect the rights, property, or safety of FormlyIQ, our users, or the public.
• Business transfers — In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you of any such transfer.

GDPR — Rights for EU/EEA Residents

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

Our legal bases for processing personal data include: contract performance (to provide the service), legitimate interests (security, fraud prevention, product improvement), and consent (where explicitly obtained, including for marketing and analytics cookies).

To exercise any of these rights, email [email protected]. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

CCPA — Rights for California Residents

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have the right to:

• Know — Request disclosure of the categories and specific pieces of personal information we have collected, sold, or disclosed.
• Delete — Request deletion of your personal information, subject to certain exceptions.
• Opt out of sale — We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
• Non-discrimination — We will not discriminate against you for exercising your CCPA rights.
• Limit use of sensitive personal information — We collect minimal sensitive personal information and use it only to provide our services.

To exercise your rights, contact us at [email protected]. We will respond within 45 days. We may need to verify your identity before processing your request.

Children's Privacy

FormlyIQ is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at [email protected] and we will take steps to promptly delete that information.

If you are between 13 and 18 years of age, you may only use FormlyIQ with the involvement and consent of a parent or legal guardian.

Changes to This Policy

We may update this Privacy Policy as our services evolve or as legal requirements change. We will notify you of material changes via email to your registered address or through a notice on the platform. The updated policy will be posted on this page with a revised date.

Continued use of FormlyIQ after the effective date of any changes constitutes acceptance of the updated Privacy Policy.

Contact Us

For questions, concerns, or data rights requests related to this Privacy Policy:

• Email: [email protected]
• Support: [email protected]
• Website: formlyiq.io

We take privacy seriously and will make every effort to respond to your inquiry within the timeframes required by applicable law.