Privacy Policy

Last updated: April 25, 2026

This Privacy Policy explains how SimpleForm ("we", "our", "us") collects, uses, and protects information when you use simpleform.dev (the "Service").

What information do we collect?

We collect three categories of data:

  • Account data: Your name, email, and password hash when you sign up.
  • Form submission data: The content of forms submitted to your endpoints, plus IP, user-agent, and referrer of each submission.
  • Billing data: Handled by Stripe. We never see or store your card number — only Stripe customer/subscription IDs and last-four digits Stripe shares with us.

How long do we keep submission data?

  • Free plan: 7 days
  • Pro plan: 90 days
  • Agency plan: 1 year

You can delete individual submissions or your entire account at any time.

How do we use your data?

  • To deliver the Service (storing, emailing, and displaying your form submissions).
  • To bill you for paid plans via Stripe.
  • To send transactional emails (account verification, password reset, plan changes, dunning notices).
  • To detect abuse, enforce rate limits, and protect the Service.

We do not sell your data, share it with advertisers, or use form submissions for any purpose beyond delivering them to you.

Cookies

We use a single first-party session cookie to keep you logged in. We use localStorage to remember your cookie-banner choice. We do not use third-party tracking cookies on the marketing site.

Your rights (GDPR / CCPA)

You can request access, correction, export, or deletion of your data by emailing hello@simpleform.dev. We respond within 30 days. EU users have the right to lodge a complaint with their data protection authority.

Subprocessors

We use a small number of subprocessors: Stripe (payments), our hosting provider for infrastructure, and an SMTP provider for transactional email. We choose subprocessors that meet GDPR adequacy standards.

Data retention on account deletion

When you delete your account, all associated form data and submissions are deleted within 7 days. Billing records may be retained up to 7 years to comply with tax law.

Security

We use bcrypt for password hashing, parameterized queries to prevent SQL injection, HTTPS everywhere, CSRF protection on all state-changing forms, and rate limiting on authentication endpoints.

Changes to this policy

We may update this policy. Material changes are announced by email to active users at least 30 days before taking effect.

Contact

Questions about this policy? Email hello@simpleform.dev.