Legal
Privacy Policy
Last updated: July 4, 2026
This Privacy Policy explains how ShipMyForm (“we”, “us”) collects, uses, and shares personal data when you use ShipMyForm and its websites, dashboard, and APIs (together, the “Service”). It also explains our role when we process the form submissions you collect from your own visitors. It should be read together with our Terms of Service.
1. Our two roles: controller and processor
For data about you, our customer (your account, billing, and how you use the dashboard) we act as a data controller and this Policy governs that processing.
For the form submissions you collect through the Service (“Submission Data”), you are the controller and we act as a data processoracting on your instructions. We process Submission Data only to provide the Service and do not use it for our own purposes. If you are an end user who submitted a form on someone else's website, please contact that website's owner to exercise your rights over your submission.
2. Information we collect
- Account data: your email address, optional name, workspace and team membership, and the authentication credentials you use to sign in (magic-link tokens and, if you enable them, passkey/WebAuthn public keys). We never see or store passwords.
- Submission Data: the fields your visitors submit through forms pointed at the Service, plus limited technical metadata we attach for security and delivery (submission time, a hashed IP address, user-agent, and spam-scoring signals).
- Configuration: your forms, connectors, and the credentials or tokens you authorize for third-party connectors (encrypted at rest).
- Billing data: if you subscribe to a paid plan, our payment processor collects your payment details. We receive only limited billing metadata (such as plan, status, and the last four digits of a card), never full card numbers.
- Usage and diagnostics: basic logs needed to operate the Service reliably and securely.
3. How we use information
- provide, maintain, and secure the Service;
- receive, store, spam-filter, and route submissions to the connectors you configure;
- send transactional email (magic links, notifications, and important service notices);
- process payments and manage subscriptions;
- detect, prevent, and investigate abuse, fraud, and security incidents (including rate limiting);
- provide support and respond to your requests; and
- comply with legal obligations.
4. How we protect submissions
We minimize the personal data we attach to submissions. Visitor IP addresses are hashed with a daily-rotating salt rather than stored in the clear, so they support spam and abuse prevention without retaining a durable identifier. Connector credentials and tokens are encrypted at rest using authenticated encryption (AES-256-GCM). We ask that you not collect special-category or highly sensitive data (for example government IDs, health information, or full payment card numbers) through the Service.
5. Legal bases (EEA/UK)
Where the GDPR or UK GDPR applies, we rely on: performance of a contract (to provide the Service you signed up for); legitimate interests (to secure the Service, prevent abuse, and communicate with you), balanced against your rights; consent where required; and legal obligation where we must retain or disclose data by law. For Submission Data we process on your behalf, you are responsible for establishing the lawful basis and providing any notices your visitors are entitled to.
6. Cookies and similar technologies
We use a small number of strictly necessary cookies to keep you signed in and to secure the dashboard. We do not use third-party advertising or cross-site tracking cookies. Because these cookies are essential to provide the Service, they are not used to build advertising profiles.
7. Sharing and sub-processors
We do not sell personal data. We share it only with service providers (“sub-processors”) that help us run the Service, under contracts that require appropriate protection. These currently include:
- Cloud hosting and database: to run the application and store your data;
- Cloudflare: to send transactional email;
- Upstash: for rate limiting and the asynchronous delivery queue;
- Our payment processor (such as Lemon Squeezy or Creem) to process subscriptions.
We may also disclose data if required by law, to enforce our Terms, or to protect the rights, safety, and security of our users and the Service. If we are involved in a merger or acquisition, data may be transferred as part of that transaction, subject to this Policy.
8. Third-party connectors you choose
When you configure a connector (such as Slack, Google Sheets, Notion, Zapier, Discord, Airtable, or your own webhook), you direct us to send submissions to that destination. Once data reaches a third-party tool, its own privacy policy governs. We are not responsible for how those third parties handle data you route to them.
9. International data transfers
We may process and store data in countries other than yours. Where we transfer personal data across borders, we rely on appropriate safeguards (such as the European Commission's Standard Contractual Clauses) where required by law.
10. Data retention
We retain account data for as long as your account is active and as needed to provide the Service. Submissions are retained according to your plan and settings, and you can delete them from the dashboard at any time. Hashed IP salts rotate daily. When you delete your account, we delete or anonymize your data within a reasonable period, except where we must retain it to comply with legal obligations, resolve disputes, or enforce our agreements.
11. Security
We protect data in transit with TLS and at rest with encryption, hash sensitive identifiers, encrypt connector secrets, and apply access controls and rate limiting. No method of transmission or storage is perfectly secure, but we work to protect your data and to respond promptly to any incident.
12. Your rights
Depending on where you live, you may have rights to access, correct, delete, export, or restrict the processing of your personal data, and to object to certain processing. You may also have the right to lodge a complaint with your local data-protection authority. To exercise these rights over your account data, email us at [email protected]. For rights over Submission Dataheld on behalf of a website you submitted a form to, contact that website's owner; we will assist them as their processor. We do not sell or “share” your personal data as those terms are defined under U.S. state privacy laws.
13. Children's privacy
The Service is not directed to children. You must be at least 16 years old, or the age of digital consent in your jurisdiction, to use it. We do not knowingly collect personal data from children; if you believe a child has provided us data, contact us and we will delete it.
14. Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will provide reasonable notice (for example, by email or an in-product notice) and update the “Last updated” date above. Your continued use of the Service after changes take effect constitutes acceptance.
15. Contact
Questions about this Policy or a data-processing agreement (DPA)? Email us at [email protected].