Back to home

Legal

Privacy Policy

Last updated: 19 May 2026

1. Who we are

Formbreezy ("we", "us", "our") is a form submission processing service that allows website owners to collect and route form submissions to one or more configured destinations - without writing backend code. Formbreezy is a trading name of Sonny Taylor, United Kingdom.

For the purposes of data protection law, we act in two distinct roles depending on whose data is being processed:

  • Data Controller - for personal data relating to our own registered users (the people who sign up for a Formbreezy account).
  • Data Processor - for personal data contained within form submissions that our customers receive through their forms. In this case, our customer (the form owner) is the Data Controller and we process that data on their behalf.

2. Data we collect about you (account holders)

When you create and use a Formbreezy account, we collect:

  • Account information - your email address, provided at registration.
  • Authentication data - your password, stored as a one-way hash. We never store or transmit your password in plain text.
  • API and request logs - IP addresses, request timestamps, endpoints accessed, HTTP status codes, and user agent strings. Retained for security monitoring, rate limiting, and abuse prevention.

3. Form submission data (data we process on your behalf)

When an end-user submits a form on your website, that submission is routed through our service. This submission may contain personal data (such as names, email addresses, or free-text messages).

As the form owner, you are the Data Controller for that data. Formbreezy acts as a Data Processor - we forward the submission to your configured destinations and, where you have enabled it, store it in your dashboard.

By default, submission content is not stored in Formbreezy's database. Where storage does occur, submission content is encrypted at rest using industry-standard encryption. Storage is only retained in two cases:

  • Formbreezy Storage is enabled - you have opted in to storing submissions in your dashboard via the Formbreezy Storage integration.
  • A delivery integration fails - if we are unable to forward a submission to one of your configured destinations (e.g. email, Discord, webhook), the submission is temporarily retained so we can retry sending. If retries continue to fail, the submission remains stored until you manually delete it from your dashboard or our data retention period expires.

As a form owner, you are responsible for:

  • Informing your end-users, via your own privacy policy, that their submission data is processed by Formbreezy.
  • Ensuring you have a lawful basis for collecting the data your form requests.
  • Handling any access, erasure, or portability requests from your end-users. End-users of your forms should contact you directly - Formbreezy is not the primary controller for their data and cannot fulfil their rights requests on your behalf.

Customers who require a formal Data Processing Agreement (DPA) may request one by contacting us at the address below.

4. How we use your data

  • To create and manage your account.
  • To receive form submissions and forward them to your configured destinations.
  • To display your submission history in your dashboard.
  • To enforce rate limits and prevent abuse of the service.
  • To contact you about service-affecting changes or security issues.

We do not sell your data, share it with advertisers, or use it for any purpose not listed here.

5. Legal basis for processing

  • Contract performance - processing necessary to provide the service you signed up for (account management, form submission routing).
  • Legitimate interests - server and API logging for security, fraud prevention, rate limiting, and service stability.

6. How long we keep your data

  • Account data - retained for as long as your account is active. On deletion, account data is removed within 30 days.
  • Form submissions (Formbreezy Storage enabled) - retained for 90 days, after which they are permanently deleted. You may delete individual submissions at any time from your dashboard.
  • Form submissions (temporary retry buffer) - if a delivery integration fails, submission data is held temporarily while we attempt to resend. Data retained solely for retry purposes is deleted automatically once delivery succeeds, or after 90 days if it does not. You may also delete it manually from your dashboard at any time.
  • API and request logs - retained for 30 days then automatically purged, except where retention is required for ongoing security investigations or fraud prevention.

Please note that encrypted backups of our database are retained for a short additional window beyond these periods for disaster recovery purposes. Deleted data will not be restored from backups except to recover from a system failure.

7. Security

We apply the following measures to protect your data:

  • Encryption in transit - all traffic between your browser and Formbreezy is encrypted using TLS.
  • Encryption at rest - form submission content and OAuth credentials are encrypted using industry-standard encryption before being written to our database. Plaintext values are never persisted.
  • Password hashing - passwords are hashed before storage. Plain-text passwords are never persisted.
  • Short-lived access tokens - authentication access tokens expire after 15 minutes; longer-lived refresh tokens are stored server-side and can be revoked.
  • HttpOnly cookies - session cookies are marked HttpOnly and SameSite=Strict, preventing client-side script access.
  • Access controls - internal systems are accessible only to authorised personnel.

No system is completely secure. We cannot guarantee absolute security, but we will notify affected users without undue delay in the event of a breach that is likely to result in a risk to your rights and freedoms.

8. Sub-processors

We use the following third-party sub-processors. Each is bound by appropriate data processing terms and processes data only as necessary to deliver the relevant part of the service.

Infrastructure (always active)

ProviderPurposeData heldLocation
DigitalOcean
Privacy policyCloud infrastructure hosting - servers, database, and storage that underpin the entire service.All data stored by Formbreezy (account data, submissions, logs).EU

Delivery integrations (only when you enable them)

The following sub-processors are only engaged when you actively configure the relevant integration in your dashboard. If you do not enable an integration, no data is sent to that provider.

ProviderPurposeData transferredLocation
Amazon Web Services (SES)
Privacy policyEmail delivery - forwarding submission notifications to your inbox.Your email address, submission content.EU / US
Discord
Privacy policyPosting submission notifications to a Discord channel via a webhook URL you provide.Submission content.US
Slack
Privacy policyPosting submission notifications to a Slack channel via a webhook URL you provide.Submission content.US
Telegram
Privacy policySending submission notifications to a Telegram chat via a bot you configure.Submission content.UAE / Singapore
Google LLC (Sheets)
Privacy policyAppending each submission as a new row in a Google Sheet connected to your Google account.Your Google account email address; OAuth access and refresh tokens (stored encrypted, used solely to write to your spreadsheet); submission content appended as rows.EU / US
Notion
Privacy policyCreating a new entry in a Notion database you connect via an integration token.Submission content.US

Custom webhooks: if you configure a custom webhook URL, submission data is sent as an HTTP POST to the endpoint you specify. That destination is under your control - you are responsible for ensuring it handles the data appropriately. Formbreezy has no visibility into or control over third-party endpoints you configure yourself.

ntfy (push notifications): if you enable the ntfy integration, submission notifications are delivered via a self-hosted ntfy instance operated by Formbreezy. No submission data is passed to any third party — only a "new submission received" alert is sent. No third-party sub-processor is engaged.

Google account access: when you connect Google Sheets, Formbreezy requests the following permissions from your Google Account:

  • See your profile info — we read your Google account email address to display which account is connected in your dashboard.
  • See, edit, create, and delete only the specific Google Drive files you use with this app (drive.file scope) — this is Google's standard permission for app-managed files. In practice, Formbreezy only creates one spreadsheet and appends rows to it. We do not read, modify, or delete any other files in your Drive.

OAuth credentials are encrypted at rest using industry-standard encryption before being stored in our database, and are used solely to write submission data to your spreadsheet. You can revoke Formbreezy's access at any time from your Google Account permissions page. Removing the integration from your dashboard also revokes the stored credentials immediately.

We will update this section whenever we add, change, or remove a sub-processor.

9. International data transfers

Some of our sub-processors are based outside the UK and EEA, including in the United States. Where personal data is transferred to countries not covered by an adequacy decision, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission and the UK ICO to ensure an equivalent level of protection.

By using Formbreezy and enabling integrations with US-based providers (such as AWS, Discord, Slack, Google, or Notion), you acknowledge that submission data you route through those integrations will be transferred to and processed in the United States under those providers' own terms and data processing agreements.

10. Children's data

Formbreezy accounts are intended for users aged 18 and over. We do not knowingly collect personal data from children under 18. If you become aware that a minor has created an account, please contact us and we will delete it promptly.

If you operate a form that may be submitted to by children, you are responsible as the Data Controller for obtaining any necessary parental consent and for complying with applicable children's data protection law.

11. Your rights

Under GDPR and equivalent legislation, you have the right to:

  • Access - request a copy of the personal data we hold about you.
  • Rectification - ask us to correct inaccurate data.
  • Erasure - request deletion of your account and associated data.
  • Portability - receive your data in a structured, machine-readable format.
  • Objection - object to processing based on legitimate interests.
  • Restriction - ask us to restrict processing in certain circumstances.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority (for example, the ICO in the UK).

12. Cookies

We only use cookies that are strictly necessary for the service to function. See our Cookie Policy for details.

13. Changes to this policy

If we make material changes to this policy, we will notify registered users by email at least 14 days before the changes take effect. The "last updated" date at the top of this page will always reflect the current version.

14. Contact

For any privacy-related queries or to exercise your rights, email [email protected].