GDPR Compliance
How CraftForm handles personal data — consent, retention, export, and your rights.
Last updated: March 2025
1. Who We Are (Data Controller)
CraftForm (craftform.co) acts as the Data Controller for account data (name, email, billing info) and as a Data Processor for form response data collected on behalf of our users. Users who create forms are themselves Data Controllers for the responses they collect.
2. What Data We Collect
- Account data: email address, name, OAuth tokens (Google, GitHub)
- Form response data: answers submitted by your respondents
- Usage data: page views, feature interactions (via anonymized analytics)
- Payment data: handled entirely by Stripe — CraftForm never stores card numbers
3. Legal Basis for Processing
- Contract performance: processing your account data to provide the service
- Legitimate interest: anonymized analytics to improve the product
- Consent: marketing emails (opt-in only, unsubscribe any time)
4. Data Retention
- Account data: retained while your account is active and for 30 days after deletion
- Form responses: retained until you delete them or close your account
- Backups: purged within 90 days of account deletion
- Logs: retained for 30 days for security purposes
5. Your Rights Under GDPR
- Right of access: request a full export of your data at any time from Settings → Export
- Right to rectification: update your account data in Settings → Profile
- Right to erasure: delete your account and all associated data from Settings → Delete Account
- Right to portability: export all form responses as CSV or JSON
- Right to object: opt out of analytics via our cookie settings
- Right to restrict processing: contact support@craftform.co
6. Data Processors (Sub-processors)
- Railway.app — hosting infrastructure (EU region available)
- Stripe — payment processing (PCI-DSS compliant)
- Resend — transactional emails
- Vercel / Cloudflare — CDN and DDoS protection
7. International Transfers
CraftForm is hosted on Railway infrastructure. Data may be processed in the United States. We rely on Standard Contractual Clauses (SCCs) as the legal mechanism for transfers from the EU/EEA to third countries.
8. Consent Blocks in Forms
CraftForm provides a native GDPR Consent block you can add to any form. When enabled, respondents must explicitly accept your data processing terms before submitting. Responses without consent are not stored.
9. Data Breach Notification
In the event of a personal data breach, CraftForm will notify affected users and relevant supervisory authorities within 72 hours of becoming aware, as required by Article 33 GDPR.
10. Contact & DPO
For GDPR-related requests or questions, contact: privacy@craftform.co. We respond within 30 days. For urgent erasure requests, use Settings → Delete Account for immediate effect.
Questions about your data?
Email us at privacy@craftform.co — we respond within 30 days.