1. Data Controller and Processor Roles
FormsToDB as Controller
FormsToDB acts as a data controller for the personal data of our registered users (account holders). We determine the purposes and means of processing your account data, billing information, and usage analytics.
FormsToDB as Processor
FormsToDB acts as a data processor for lead data collected through your forms. Your website visitors submit data to forms you control. You, as the website owner, are the data controller for this lead data. FormsToDB processes it on your behalf according to your instructions.
2. Legal Basis for Processing
We process personal data under the following legal bases:
- Contract performance (Art. 6(1)(b)): processing necessary to deliver the Service you subscribed to, including lead storage, notifications, and billing
- Legitimate interests (Art. 6(1)(f)): security, fraud prevention, service improvement, and internal analytics
- Legal obligation (Art. 6(1)(c)): compliance with tax and financial regulations
- Consent (Art. 6(1)(a)): optional analytics integrations (GA4, GTM, Facebook Pixel) which you enable voluntarily
3. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right to access (Art. 15): obtain confirmation of whether we process your data and receive a copy
- Right to rectification (Art. 16): correct inaccurate or incomplete personal data
- Right to erasure / "right to be forgotten" (Art. 17): request deletion of your personal data when it is no longer necessary for its original purpose
- Right to restrict processing (Art. 18): request we limit processing of your data in certain circumstances
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format (we support CSV export)
- Right to object (Art. 21): object to processing based on legitimate interests
- Right to withdraw consent: withdraw consent for optional processing at any time without affecting the lawfulness of prior processing
To exercise any of these rights, email privacy@formstodb.com. We will respond within 30 days.
4. Data Transfers Outside the EEA
We take appropriate measures to ensure your data is handled securely. Some third-party services (Stripe, ip-api.com) may process data outside the EEA. Where this occurs, transfers are protected by Standard Contractual Clauses (SCCs) or adequacy decisions.
5. Data Retention
- Account data: retained while your account is active and for 30 days after closure
- Lead data: retained until you delete it or close your account
- Billing records: retained for 7 years to comply with tax regulations
- Server logs: retained for 90 days for security purposes
6. Your Obligations as a Data Controller (Lead Data)
When you use FormsToDB to collect data from your website visitors, you are the data controller. You are responsible for:
- Providing a compliant privacy notice to your form visitors before they submit data
- Obtaining necessary consent where required (e.g., email marketing)
- Responding to data subject requests from your leads
- Ensuring your use of collected data complies with GDPR and other applicable laws
- Not collecting sensitive personal data (health, religion, political views, biometric data) through FormsToDB without explicit consent mechanisms
7. Data Processing Agreement (DPA)
As required by GDPR Art. 28, we offer a Data Processing Agreement for Enterprise customers. If you need a signed DPA for your compliance requirements, contact legal@formstodb.com.
8. Security Measures
We implement appropriate technical and organizational measures (TOMs) including:
- Encryption in transit (HTTPS/TLS 1.3)
- Encrypted database connections
- Bcrypt password hashing
- HTTP-only session cookies
- Access controls and role-based permissions
- Regular security reviews
9. Data Breach Notification
In the event of a personal data breach, we will notify affected users and relevant supervisory authorities within 72 hours of becoming aware, as required by GDPR Art. 33-34.
10. Supervisory Authority
If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with your local data protection supervisory authority. In Spain: Agencia Española de Protección de Datos (AEPD) at www.aepd.es.
11. Contact
For GDPR-related inquiries:
Email: privacy@formstodb.com
Subject: GDPR Request — [Your Name]