Privacy Policy

Last updated: December 6, 2025

Introduction

Formfy ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered form building platform.

Please read this Privacy Policy carefully. By using our services, you consent to the practices described in this policy.

1. Information We Collect

Personal Information

We may collect personal information that you voluntarily provide to us when you:

  • Create an account (name, email address, phone number, company name)
  • Fill out forms or submit documents
  • Contact us for customer support
  • Subscribe to our newsletter or marketing communications
  • Participate in surveys or promotions

Automatically Collected Information

When you access our services, we may automatically collect certain information, including:

  • Device information (IP address, browser type, operating system)
  • Usage data (pages visited, time spent, features used)
  • Cookies and similar tracking technologies

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Process transactions and send related information
  • Send administrative messages and service updates
  • Respond to your comments, questions, and requests
  • Send marketing communications (with your consent)
  • Monitor and analyze usage trends and preferences
  • Detect, prevent, and address technical issues

3. SMS and Mobile Communications

If you opt in to receive SMS messages from Formfy, you agree to receive recurring automated text messages related to your account, including service notifications and promotional messages. Message frequency varies. Message and data rates may apply.

To opt out of SMS messages, reply STOP to any message. For help, reply HELP or contact us at contact@formfy.ai.

4. Information Sharing and Disclosure

We may share your information in the following circumstances:

  • Service Providers: Third-party vendors who perform services on our behalf (payment processors, email/SMS providers, hosting, analytics)
  • Connected Integrations (with your authorization): When you authorize Formfy to connect with a third-party service (such as Square), we exchange data with that service strictly to perform the integration features you enabled. See “Third-Party Integrations” below for details.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • Legal Requirements: When required by law or to protect our rights
  • With Your Consent: For any other purpose with your explicit consent

4b. Third-Party Integrations

Formfy offers optional integrations with third-party services. Connecting an integration is always initiated by you and revocable at any time from your Formfy account settings or from the third-party provider's authorization page.

Square (booking, payments, automation)

When you connect Square, Formfy obtains an OAuth access token from Square that allows us to access only the specific Square data and operations you authorize. Specifically:

  • Data Formfy receives from Square: your merchant profile (business name, location IDs, timezone), the bookings made through your Square account (date, time, customer name/email/phone, service variation), the payments processed through Square (status, amount, last 4 of card), and webhook event notifications for the booking/payment events you have subscribed to.
  • Data Formfy sends to Square: bookings created in Formfy that you have chosen to sync to your Square calendar, payment authorization requests (card data is tokenized client-side by Square's Web Payments SDK — it never reaches Formfy's servers), and customer contact details associated with those bookings.
  • What Formfy stores: the encrypted Square OAuth access token and refresh token (AES-256-GCM at rest), the merchant ID, location list, and an audit log of webhook events. Card data is never stored by Formfy.
  • How long we retain it: tokens are retained until you disconnect Square or delete your Formfy account. Webhook audit events are retained for 90 days. Booking sync records are retained as long as the linked Formfy booking exists.
  • Scopes requested: read merchant profile, read/write appointments, read/write payments, read customers, read catalog items. Each scope is used only for the corresponding feature; we do not aggregate or resell Square data.
  • Your control: you can disconnect the integration at any time from /integrations/square. Disconnecting revokes the token at Square and deletes the connection from Formfy. You can also delete the authorization directly in your Square Developer dashboard.

Square's use of the data they collect about you is governed by Square's own privacy policy: https://squareup.com/legal/privacy.

Google Workspace (Sign-in, Drive, Sheets, Forms import)

When you sign in with Google or connect your Google account, Formfy obtains an OAuth token allowing access only to the specific scopes you authorize. Each scope maps to one feature:

  • Sign in with Google (openid, email, profile): we receive your Google account ID, email, and name to create or sign you into your Formfy account. No other Google data is accessed by this scope.
  • Google Drive & Sheets (drive.file): used to save signed PDFs/waivers into a folder you select, and to create a Formfy-owned spreadsheet that logs your form submissions as rows. This scope grants access only to files Formfy creates or that you explicitly pick — Formfy cannot see the rest of your Drive or any other spreadsheet. We do not request the broad “all your spreadsheets” permission.
  • Google Forms (forms.body.readonly): used only to read a Google Form you choose to import, so we can recreate it as a Formfy form. Read-only; we never modify your Google Forms.
  • Calendar (no Google data accessed): adding a booking to Google Calendar uses a standard “Add to Google Calendar” link in your confirmation email. It is not an API scope and accesses none of your Google data.
  • What Formfy stores: the encrypted Google OAuth access/refresh tokens (AES-256-GCM at rest), your Google account ID/email, granted scopes, and per-feature sync audit records (event/file/row IDs). Retained until you disconnect or delete your Formfy account.
  • Your control: disconnect at any time from /integrations/google (this revokes the token at Google), or revoke access directly at myaccount.google.com/permissions.
  • Limited Use: Formfy's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not sell Google user data, do not use it for advertising, and do not transfer it except to provide the features you enabled.

Other integrations

When you connect another supported integration (Stripe, PayPal, Twilio SMS, etc.), the same principles apply: data exchange is limited to what the integration requires, tokens are encrypted at rest, and you can disconnect at any time.

5. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include encryption, secure data centers, and regular security assessments.

6. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements.

7. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your personal data
  • Portability: Request transfer of your data
  • Opt-out: Unsubscribe from marketing communications

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect information about your browsing activities. You can control cookie preferences through your browser settings.

9. Children's Privacy

Our services are not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will take steps to delete it.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.

11. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:

Formfy
Email: contact@formfy.ai