# Privacy Policy - Formta

Last Updated: January 2025

Effective Date: January 2025

## 1. Introduction

Formta ("we", "our", or "us") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our creative project management application.

By using Formta, you agree to the collection and use of information in accordance with this policy.

## 2. Data Controller Information

Company: Formta

Contact: info@formta.com

## 3. Information We Collect

### 3.1 Information You Provide

- Account Information: Email address, password, name, pronouns, job title

- Profile Data: Team information, timezone preferences, personalized address preferences

- Project Data: Projects, workspaces, elements, files, and creative content

- Communication Data: Messages, comments, meeting information, team posts, support communications

- Payment Information: Billing address, subscription details (processed by Paddle)

### 3.2 Information Automatically Collected

- Usage Data: Features used, workspace interactions, element analytics

- Session Data: Login times, session duration, IP addresses (stored only in hashed form)

- Device Information: Browser type, operating system, device identifiers

- Location Data: Country/region determined from IP address for service optimization

### 3.3 Cookies and Tracking

- Essential Cookies: For authentication and security

- Analytics Cookies: Only with your consent for service improvement

- No Third-Party Marketing Cookies: We do not set third-party advertising cookies, and we do not sell your data

## 4. How We Use Your Information

### 4.1 Service Provision

- Provide and maintain the Formta platform

- Enable collaboration features and real-time updates

- Process payments and manage subscriptions

- Send transactional emails (meeting invites, project updates)

### 4.2 Service Improvement

- Analyze usage patterns (with consent)

- Develop new features based on user needs

- Optimize performance and user experience

### 4.3 Legal and Security

- Comply with legal obligations

- Detect and prevent fraud or abuse

- Enforce our terms of service

- Maintain audit logs for security

## 5. Legal Basis for Processing (GDPR)

We process your data based on:

- Contract Performance: To provide our services

- Legitimate Interests: Security, fraud prevention, service improvements

- Consent: Marketing communications, analytics, AI training

- Legal Obligations: Tax records, financial compliance

## 6. Data Sharing and Third-Party Processors

We share your data only with essential service providers:

### 6.1 Infrastructure & Database

Supabase (US company, EU data center)

- Hosts our database in Europe

- Processes: All application data

- GDPR Compliance: DPA with Standard Contractual Clauses

### 6.2 Email Services

Mailchimp (US company, US servers)

- Sends transactional and marketing emails

- Processes: Email addresses, names, email content

- GDPR Compliance: EU-US Data Privacy Framework + SCCs

### 6.3 Payment Processing

Paddle (UK company, global processing)

- Acts as Merchant of Record for payments

- Processes: Payment data, billing information, tax compliance

- GDPR Compliance: DPA in place; some payment processing takes place outside the EU

### 6.4 Maps Services

Google Maps API (US company, global processing)

- Provides location-based features for projects

- Processes: Location searches, map interactions

- GDPR Compliance: EU-US Data Privacy Framework + SCCs

### 6.5 Support Services

Gmail API (Google, US company, global processing)

- Manages internal support ticket system

- Processes: Support communications, ticket management

- GDPR Compliance: EU-US Data Privacy Framework + SCCs

## 7. International Data Transfers

Your data may be transferred outside the European Economic Area (EEA):

- Supabase: Database hosted in the EU, but Supabase is a US company and its staff may access data for support purposes

- Mailchimp: All data processed in US data centers

- Paddle: Processes payments globally

- Google: Global data processing network

All transfers are protected by:

- EU-US Data Privacy Framework certifications

- Standard Contractual Clauses (SCCs)

- Appropriate technical and organizational measures

## 8. Data Retention

We retain your data according to these policies:

### 8.1 Active Account Data

- Profile & Projects: Until account deletion

- Deleted Projects: 30-day recovery window, then permanent deletion

- AI Training Data: Retained for up to 2 years after account deletion (only where you have consented to AI training)

### 8.2 Analytics & Tracking

- Session Data: 90 days

- Activity Logs: 90 days

- Analytics Data: Anonymized after 1 year, deleted after 2 years

- Email Logs: 1 year

- Support Communications: 1 year

### 8.3 Financial Records

- Transaction History: 7 years (legal requirement), with records past that age purged quarterly

- Invoices: 7 years for tax compliance

### 8.4 Audit & Security

- Security Logs: 12 months

- Audit Trail: 12 months, rotated monthly

## 9. Your Data Rights (GDPR)

You have the right to:

### 9.1 Access Your Data

- Request a copy of your personal data

- Export your data in PDF format via Account settings

### 9.2 Rectification

- Correct inaccurate personal data

- Complete incomplete data

### 9.3 Erasure ("Right to be Forgotten")

- Delete your account and personal data

- Exceptions: Legal obligations, financial records

### 9.4 Data Portability

- Download a PDF containing all your personal data and account information

- Export includes profile data, settings, and project metadata (not full project files)

### 9.5 Object to Processing

- Object to processing based on legitimate interests

- Opt-out of marketing communications

### 9.6 Restrict Processing

- Limit how we use your data in certain circumstances

### 9.7 Withdraw Consent

- Withdraw consent for marketing, analytics, or AI training at any time

- Manage preferences in Account Settings

To exercise these rights, use the self-service options in Account Settings or contact us at info@formta.com.

## 10. Data Security

We implement appropriate technical and organizational measures:

- Encryption in transit (TLS) and at rest

- Row Level Security (RLS) in database

- Regular security audits and penetration testing

- Access controls and authentication

- Incident response procedures

- Employee training on data protection

## 11. Children's Privacy

Formta is not intended for children under 16. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately.

## 12. Consent Management

You control your data through explicit consent for:

- Marketing Emails: Manage in Account > Notification Preferences

- Analytics Tracking: Control in Account > Privacy Settings

- AI Training: Allow your data to be used for training AI models. We will never use your creative work (project content and files) to train our AI models, with or without consent

- Subscription Sharing: Allow team admins to see your plan status, for example so a team can help a freelancer with payment

## 13. Data Breach Notification

In case of a data breach that poses a risk to your rights and freedoms:

- We will notify affected users within 72 hours of becoming aware of the breach

- We will inform the relevant supervisory authorities within the 72-hour period required by GDPR

- We will provide information about the breach and the steps taken to mitigate it

## 14. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via:

- Email notification to your registered address

- Prominent notice in the application

- Update to the "Last Updated" date

## 15. Supervisory Authority

You have the right to lodge a complaint with your local data protection authority if you believe we have not complied with applicable data protection laws.

## 16. Contact Information

For privacy-related questions or to exercise your rights:

Email: info@formta.com

## 17. California Privacy Rights

California residents have additional rights under CCPA:

- Right to know what personal information is collected

- Right to know if personal information is sold or disclosed

- Right to opt-out of sale (Note: We do not sell personal data)

- Right to non-discrimination for exercising privacy rights

## 18. Cookie Policy

### Essential Cookies

- Authentication tokens

- Session management

- Security features

### Optional Cookies (Consent Required)

- Analytics cookies for usage patterns

- Performance monitoring

- Feature usage tracking

You can manage cookie preferences in Account Settings.

## 19. Legal Compliance

We may disclose your information where required by law:

- Court orders or legal proceedings

- Government requests

- Protection of rights and safety

- Law enforcement requirements

## 20. Service-Specific Privacy Information

### Workspace Elements

- All workspace data is encrypted and access-controlled

- Real-time collaboration uses secure connections

- File uploads are scanned for security

### Team Features

- Team admins can see member activity

- Subscription information sharing is optional

- Team data remains isolated from other teams

### Client Features

- Client revision links are temporary (time-limited) and secure

- Client data is minimized to essential information

- No marketing to client emails without consent

Acceptance: By using Formta, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.

Contact information:

If you would like to contact us to understand more about this Policy, or wish to contact us concerning any matter relating to your individual rights and your Personal Information, you may send an email to info@formta.com.