Privacy Policy — SimplyForms
Version 1.0 · Effective: May 23, 2026
The Czech version is the controlling version. This English translation is for convenience.
1. Controller
Adam Todt, self-employed person, IČO: 19197438, DIČ: CZ8909294592 (identified person under §6g Czech VAT Act; NOT a VAT payer), Drahy 1625, 696 42 Vracov, Czech Republic, listed in the Register of Persons (ROS).
Privacy contact: privacy@simplyforms.app.
Operator has not appointed a Data Protection Officer under Art. 37 GDPR, as the core activities do not involve large-scale regular monitoring or large-scale processing of special categories.
2. Two roles
2.1 Operator as Controller (Art. 4(7) GDPR)
For Customer Account data: email, password hash, form_id, API key (SHA-256 hash), billing data, Stripe customer ID, security logs, legal consent audit trail.
2.2 Operator as Processor (Art. 4(8), Art. 28 GDPR)
For Submitter personal data, Customer is the Controller. Customer is responsible for: lawful basis (Art. 6, and 9 where applicable), Art. 13 notice, and handling Submitter rights regarding form content.
This Privacy Policy does not apply to the content of form submissions sent by end-users of Customer websites. The Customer's own privacy policy governs that processing.
A Data Processing Agreement (DPA) is automatically accepted at registration; text at simplyforms.app/legal/dpa.
3. Stateless email relay
Form submissions are never persistently stored. After email delivery the payload is discarded from memory.
Not stored by default: form content, Submitter IP, user-agent, referrer, uploaded files.
SMTP relay is operated by Adam Todt on own infrastructure in the EU (Hetzner Nürnberg). No third-party email service provider (SendGrid, Mailgun, Postmark, Resend, Amazon SES) is in the data path.
Customer opt-in exceptions (EXTEND+, dashboard-controlled):
- Webhook with metadata — IP, UA, referrer sent only to Customer's webhook URL; no copy retained.
- Autoresponder — confirmation email to Submitter.
- Server-side validation (ENTERPRISE) — no persistence.
4. Data we process and lawful basis
4.1 Customer Account data (as Controller)
| Category | Purpose | Lawful basis | Retention |
|---|---|---|---|
| Account email + password hash | Account operation | Art. 6(1)(b) contract | Account lifetime + 30 days |
| form_id, API key SHA-256 hash | API authentication | Art. 6(1)(b) | Account lifetime |
| Billing data, Stripe customer ID | Contract, accounting | Art. 6(1)(b) + (c) | 10 years (§31 Czech Accounting Act) |
| Security logs (login, refresh tokens, login IP) | Security | Art. 6(1)(f) legitimate interest | 30 days |
| Support email | Handling inquiries | Art. 6(1)(b) + (f) | 24 months |
| Legal consent record (ToS / DPA / etc.) | Evidence of contract & consent | Art. 6(1)(b) + (f) | Account lifetime + 4 years |
| HTTP access logs (Caddy reverse proxy) | Security, debug | Art. 6(1)(f) | 14 days |
4.2 Anonymous submission metrics
form_id, timestamp, country code (geolocated from IP — IP itself is NOT stored), referrer domain, success flag. Purpose: customer-facing statistics, abuse prevention. Basis: Art. 6(1)(f). Retention: 90 days, then automatic deletion. Does not enable Submitter identification; not personal data under Art. 4(1) GDPR.
4.3 Webhook opt-in metadata
If Customer actively enables opt-in metadata:
| Category | Purpose | Lawful basis | Retention by Operator |
|---|---|---|---|
| Submitter IP, UA, referrer | Pass-through to Customer | Art. 6(1)(b) toward Customer; Customer is Controller toward Submitter | 0 days — pass-through only, no copy |
4.4 Submitter form content (as Processor)
Not stored. Pass-through email relay only.
5. Recipients (sub-processors)
| Sub-processor | Purpose | Location | Outside EU | Safeguards |
|---|---|---|---|---|
| Hetzner Online GmbH | Hosting (Cloud Nürnberg) | Germany (EU) | No | DPA, ISO 27001 |
| Stripe Payments Europe Ltd. | Payments | Ireland (EU) → USA | Yes | SCCs + EU-US Data Privacy Framework |
| GitLab Inc. | CI/CD (no production data access) | EU servers | Limited (admin support) | DPA |
SMTP relay is operated by Operator on own infrastructure — no third-party SMTP provider.
Current list: simplyforms.app/legal/sub-processors. Changes notified by email at least 30 days in advance; Customer may object per the DPA and terminate the Agreement free of charge.
Customer-enabled integrations (Google reCAPTCHA, Cloudflare Turnstile, custom webhooks) are not Operator sub-processors — Customer is responsible for informing its Submitters about resulting data flows (incl. transfers to the US for Google services).
6. International transfers
All Operator infrastructure runs in the EU. Standard operations involve no transfers to third countries. Exceptions:
- Stripe may transfer limited billing data to the US under EU-US DPF (Commission Decision (EU) 2023/1795) and SCCs (Commission Decision (EU) 2021/914).
- Customer-enabled reCAPTCHA / Turnstile load directly in the visitor's browser; Operator is not in that data path.
7. Cookies and localStorage
Marketing site (simplyforms.app): No cookies, no third-party trackers, no analytics. No cookie banner shown.
Dashboard (dash.simplyforms.app): Strictly necessary items only — authentication JWT in localStorage, session/CSRF cookie, locale/theme preference, cookie-consent record. These do not require consent under ePrivacy Directive 2002/58/EC Art. 5(3).
If analytics are ever introduced, a separate Cookie Policy and consent banner will be deployed first.
Full cookie policy: simplyforms.app/legal/cookies.
8. Security (Art. 32 GDPR)
TLS 1.3 (Caddy + Let's Encrypt, HSTS preload); API keys SHA-256-hashed; passwords bcrypt (cost ≥ 12); short-lived JWT + refresh-token rotation; container isolation (no-new-privileges, read-only FS); no Submission payload storage = no payload-leak attack surface; Redis-backed rate limiting and IP blocking; regular code review; ISO 27001 hosting; encrypted database backups (AES-256).
9. Your rights (Art. 15–22 GDPR)
| Right | Article | How to exercise |
|---|---|---|
| Access | 15 | Email privacy@simplyforms.app or GET /user/{form_id}/export |
| Rectification | 16 | Directly in dashboard (Account section) |
| Erasure | 17 | DELETE /user/{form_id}/account or email |
| Restriction | 18 | Email privacy@simplyforms.app |
| Portability | 20 | GET /user/{form_id}/export (machine-readable JSON) |
| Objection (legitimate-interest processing) | 21 | |
| Consent withdrawal | 7(3) | Dashboard or email |
| Automated decision-making | 22 | Operator uses rate-limiting / IP-block; these are NOT decisions with legal effects under Art. 22(1) |
Response time: within 30 days (extendable by 60 days under Art. 12(3)).
If you are a visitor who submitted a form on a Customer's website, please contact that website operator first — they are the Controller.
10. Right to lodge a complaint
Czech Data Protection Authority (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.gov.cz, or your local EU supervisory authority.
11. Customer warranties and prohibited use
Customer represents and warrants that it: (1) has a valid Art. 6 lawful basis for every form field; (2) will not collect Art. 9 / Art. 10 GDPR data without explicit Submitter consent and a DPIA; (3) provides Art. 13 notice to its Submitters disclosing Operator as processor; (4) discloses opt-in features (webhook, autoresponder, third-party CAPTCHAs); (5) acknowledges the Service is not intended for children under 16.
Breach entitles Operator to immediately suspend or terminate the Account without refund (Terms §11 and §14).
12. Breach notification
We notify ÚOOÚ within 72 hours of becoming aware (Art. 33) and affected Customers without undue delay (Art. 33(2) / Art. 34). Anonymised incident reports may be posted at simplyforms.app/legal/incidents.
13. Changes
Material changes notified by email at least 30 days in advance + dashboard banner. Continued use after the effective date constitutes acceptance. Archive at /legal/privacy/archive.
14. Contact
Data protection: privacy@simplyforms.app
Postal: Adam Todt, Drahy 1625, 696 42 Vracov, Czech Republic
Document hash (SHA-256): e58308101aeb33133c0f1157ad2068d67678d436a1e5039088a70ed935bb4f7a
