Legal & Compliance

Privacy Policy

Last updated: May 28, 2026. We believe in absolute privacy. We write our policies in plain English so you know exactly how we collect, store, and secure your data.

1. Data Collection

TL;DR: We only collect what is needed to process your forms and check spam.

When a user submits a form on your site, we capture the POST payload fields. Along with the submission, our servers extract basic HTTP headers:

  • IP Address: Used solely to perform edge rate-limiting and check DDoS thresholds.
  • User Agent: Used by our Edge Heuristics spam engine to screen automated bot profiles.
  • submitted_at: Operational timestamp.

We do not track visitors across other domains, construct user tracking graphs, or scrape payload variables for sales lists.

2. Server Encryption

TL;DR: Payloads are encrypted prior to database insertion.

To protect customer submissions while they are in our custody, all form JSON payloads are automatically encrypted server-side on our application nodes using AES-256 before they are written to our database tables.

This means our database administrators and Supabase infrastructure managers cannot inspect your raw customer payloads. The ciphertext can only be decrypted when you fetch submissions securely via your authenticated developer dashboard or private JSON API token.

3. Strictly No Trackers

TL;DR: Exactly zero marketing cookies or tracking pixels.

FastForm operates a zero-tracking policy. We do not integrate Facebook Pixels, Google Analytics, or invasive advertiser scripts. Because we carry zero tracking scripts, you do not even need to show annoying cookie banners to your dashboard visitors.

We use exactly two operational cookies:

  1. CSRF Validation Token: Used to block cross-site request forgery attacks.
  2. Supabase Session JWT: Used to maintain your logged-in session securely.

4. Data Deletion

TL;DR: Delete means delete. Period.

You hold complete data sovereignty. When you click delete on a submission or delete an active endpoint from your dashboard, the record is immediately and permanently purged from our PostgreSQL database tables.

We keep no separate recovery archives or cold backups of your deleted forms. Once you delete a data block, it is gone forever.

GDPR & CCPA Alignment

FastForm acts as a Data Processor regarding the payloads submitted to your custom forms. You are the Data Controller. Since all database insertions are isolated and application-encrypted, we satisfy data processor compliance mandates seamlessly. If you receive a data deletion request from your customers, simply delete the entry in your dashboard, and it is instantly removed globally.