This page explains how FormsToDB complies with the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA), UK, and Switzerland.

1. Data Controller and Processor Roles

FormsToDB as Controller

FormsToDB acts as a data controller for the personal data of our registered users (account holders). We determine the purposes and means of processing your account data, billing information, and usage analytics.

FormsToDB as Processor

FormsToDB acts as a data processor for lead data collected through your forms. Your website visitors submit data to forms you control. You, as the website owner, are the data controller for this lead data. FormsToDB processes it on your behalf according to your instructions.

2. Legal Basis for Processing

We process personal data under the following legal bases:

3. Your Rights Under GDPR

As a data subject, you have the following rights:

To exercise any of these rights, email privacy@formstodb.com. We will respond within 30 days.

4. Data Transfers Outside the EEA

We take appropriate measures to ensure your data is handled securely. Some third-party services (Stripe, ip-api.com) may process data outside the EEA. Where this occurs, transfers are protected by Standard Contractual Clauses (SCCs) or adequacy decisions.

5. Data Retention

6. Your Obligations as a Data Controller (Lead Data)

When you use FormsToDB to collect data from your website visitors, you are the data controller. You are responsible for:

FormsToDB is a data processing tool. Compliance with data protection law for your leads' data is your responsibility as the data controller.

7. Data Processing Agreement (DPA)

As required by GDPR Art. 28, we offer a Data Processing Agreement for Enterprise customers. If you need a signed DPA for your compliance requirements, contact legal@formstodb.com.

8. Security Measures

We implement appropriate technical and organizational measures (TOMs) including:

9. Data Breach Notification

In the event of a personal data breach, we will notify affected users and relevant supervisory authorities within 72 hours of becoming aware, as required by GDPR Art. 33-34.

10. Supervisory Authority

If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with your local data protection supervisory authority. In Spain: Agencia Española de Protección de Datos (AEPD) at www.aepd.es.

11. Contact

For GDPR-related inquiries:
Email: privacy@formstodb.com
Subject: GDPR Request — [Your Name]