FormForge
Privacy Policy

Effective date: February 28, 2026

1. Overview

FormForge API ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights regarding that data. By using the Service, you agree to the practices described in this policy.

2. Data We Collect

We collect the minimum data necessary to operate the Service:

  • Email address — when you sign up for an API key, we store your email to associate it with your key and to send you service communications if needed.
  • API key metadata — we store a hashed version of your API key (never the plain-text key), your usage counts (requests today, requests total), and the date of last use.
  • Usage analytics — we log API request metadata: endpoint called, response status, approximate input size, latency, and tier. We do not log the content of your form schemas.
  • Server logs — Vercel (our hosting provider) may collect standard server access logs including IP address, user agent, and request timestamp for security and debugging purposes.

3. Data We Do NOT Collect

We explicitly do not:

  • Store, read, or index the form JSON schemas you submit to the API
  • Store any data collected by forms you generate with the Service
  • Sell, rent, or share your personal data with third parties for marketing
  • Use cookies for tracking (we use no cookies on this site)
  • Build advertising profiles from your usage

4. How We Use Your Data

We use the data we collect for the following purposes:

  • To operate the API and enforce rate limits
  • To authenticate your API key on each request
  • To send you service-related communications (e.g., key creation confirmation)
  • To improve the Service based on aggregate usage analytics
  • To detect and prevent abuse or unauthorized access

5. Data Retention

We retain your email address and API key record for as long as your account is active. You can request deletion of your account data at any time by contacting us — see Section 9.

Usage analytics (aggregate request logs) may be retained for up to 12 months for performance analysis. Server logs are retained per Vercel's policies, typically 30–90 days.

6. Third-Party Services

We use the following third-party services to operate the API:

  • Vercel — hosting and serverless function execution. Subject to Vercel's Privacy Policy.
  • Supabase — API key storage and usage tracking. Subject to Supabase's Privacy Policy.
  • Stripe — payment processing for paid tiers. Subject to Stripe's Privacy Policy.

We do not control these third parties' data practices. We encourage you to review their policies.

7. Security

We take reasonable steps to protect the data we collect:

  • API keys are stored as SHA-256 hashes; the plain-text key is never stored after creation
  • All data is transmitted over HTTPS (TLS 1.2+)
  • Access to the Supabase database is restricted to service-level credentials

No system is perfectly secure. If you discover a security vulnerability, please report it via GitHub Issues.

8. Your Rights

Depending on your jurisdiction, you may have rights to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Object to or restrict certain processing activities
  • Port your data to another service

To exercise any of these rights, contact us through the channel listed in Section 9. We will respond within 30 days.

9. Contact

For privacy-related questions or requests, please contact us at:

GitHub Issues

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will update the effective date at the top of this page. Material changes will be announced via a notice on our homepage for at least 30 days before taking effect.

FormForge API — Built by AlberaMarc