What is the GDPR?
The General Data Protection Regulation (GDPR) is a new European privacy law that went into effect on May 25, 2018. The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. These data protection laws require businesses to process an individual’s personal data fairly and lawfully, allow individuals to exercise legal rights in respect of their personal data (for example, to access, correct or delete their personal data at any time), and ensure appropriate security protections are put in place to protect the personal data they process.
Who does the GDPR apply to?
The GDPR applies to all businesses and individuals based in the EU and to those outside the EU that process the personal data of EU individuals. Personal data, as defined by the GDPR, is any information relating to an identified or identifiable natural person. This includes data that is obviously personal (such as a name or email address) as well as data that can be used to identify an individual indirectly (such as an IP address).
Data Processors and Controllers
Article 4 of the GDPR defines data controllers and data processors as:
Controller - the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor - a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.
We as a Data Controller
Why we collect your personal information
- We need your email address to create your account, and provide the services you request.
- We use your email address to identify you in our system.
- We will use your email address to send you system notifications and communicate with you about product updates. You can change your email and unsubscribe from those messages at any time.
NOTE: We do NOT store any credit card information. For that we use an external service: Paddle.
You as a Data Controller
You determine which data is collected from your end users. It is your responsibility as a form2chat.io account owner to limit the collection of Personally Identifiable Information and adhere to our Terms of Service, which follow GDPR requirements. We provide you, as a form2chat.io account owner, with a toolkit to make adherence to GDPR requirements simple and straightforward.
- On your settings page, you are provided with all the tools needed to manage your own personal data, in addition to the ability to request that form2chat.io change or delete all or some of your own personal data.
- Within your individual form settings, you are provided with all the tools needed to manage the personal data of those who submit to your form, including permanently deleting it from our service.
- Individuals who submit to your forms are sent a submission receipt that contains a link to our GDPR request page which allows them to request a change in how their personal data is used or to permanently delete it from our service.
We as a Data Processor
All data stored in the form2chat.io service is defined by our users. It is the responsibility of our users as data controllers to ensure that the personal information they collect through form2chat.io powered forms is GDPR compliant.
NOTE: form2chat.io is NOT to be used for:
Lawful basis for data processing
All data collected by form2chat.io is in the legitimate interest of our users, both the account owners and the submissions which they receive. For account owners, we require the minimal amount of Personally Identifiable Information to perform billing, ensure legitimate users, and prevent abuse. When an end user submits data to an account owner's form, that is all we collect. When a user’s submission is sent to form2chat.io, it functions as expected. The account owner is notified of the submission and the data is passed along.
Right of access and Right to be forgotten
form2chat.io does not ask for more personal data from our users than we need to provide our service. We provide you the ability to access and delete both the data you have given us and the data your form submitters have given to you at any time.
Closing your form2chat.io account automatically deletes any and all associated data, including submission data for your forms. When you delete individual submissions from your forms, they are permanently removed from our storage systems and cannot be restored.
As part of our limited data retention policy, submissions are automatically deleted after 1460 days. Spam and trashed submissions are deleted every 72 hours.
Notice of security breaches
form2chat.io takes all measures reasonably necessary to protect Personal Information from unauthorized access, alteration, or destruction, maintain data accuracy, and help ensure the appropriate use of Personal Information at all times. We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. We are committed to announcing any security breaches within 72 hours after we notice this kind of issue.
Our Vendors
We use the following services that have already confirmed their commitment to GDPR compliance:
- Digital Ocean - Hosting infrastructure for form2chat.io's service and website (Frankfurt)
- Namecheap - DNS management (US)
- Paddle - Payment processing
- Amazon Web Services - SES for email processing (Ireland)
- Chatra - Feedback and Support management (US)
- Simple Analytics - Privacy first analytics service that does NOT collect personal data (NL)
Data Removal Request
To exercise your rights and make a request to change or permanently delete your data from our service, please submit a request to us.