Privacy Policy

Last updated: April 1, 2026

1. What We Collect

W3Forms collects data in two contexts: account data you provide when you register (email address, password hash), and form submission data sent by visitors to your forms via our API.

  • Account data: email address, hashed password, workspace name, and billing information if you upgrade to a paid plan.
  • Form submissions: any fields your form visitors submit (name, email, message, files, etc.). We store these on your behalf so you can view them in your dashboard and receive email notifications.
  • Usage data: submission counts, API request metadata (IP address, timestamp, user agent) for rate limiting and abuse prevention.

2. How We Use Your Data

We use collected data to:

  • Deliver form submissions to your inbox and dashboard.
  • Send email notifications and webhook payloads you configure.
  • Enforce plan limits, rate limiting, and spam protection.
  • Improve service reliability and prevent abuse.

We do not sell, rent, or share your data or your visitors' submission data with third parties for advertising or marketing purposes.

3. Data Storage and Security

All data is stored in encrypted PostgreSQL databases. Access keys are hashed with SHA-256 before storage — we never store your raw access key after initial creation. Webhook secrets are used to sign payloads with HMAC-SHA256 so you can verify authenticity.

All connections to our API and dashboard use HTTPS/TLS encryption in transit.

4. Data Retention

Form submissions are retained for as long as your account is active. You can delete individual submissions or your entire account at any time from the dashboard. When you delete your account, all associated data (submissions, forms, access keys) is permanently removed within 30 days.

5. Your Rights (GDPR / CCPA)

You have the right to:

  • Access: request a copy of the data we hold about you.
  • Rectification: correct inaccurate personal data.
  • Deletion: request deletion of your account and all associated data.
  • Portability: export your form submissions in a standard format.
  • Objection: object to processing of your data for specific purposes.

To exercise any of these rights, contact us at privacy@w3forms.com.

6. Cookies

The W3Forms dashboard uses a session cookie for authentication. We do not use tracking cookies, analytics cookies, or third-party advertising cookies on our website.

7. Third-Party Services

We use the following third-party services:

  • Amazon SES: for sending email notifications on your behalf.
  • Cloudflare: for CDN, DDoS protection, and DNS.
  • Railway: for hosting our API and background workers.

8. Changes to This Policy

We may update this policy from time to time. We will notify registered users by email of any material changes. Continued use of the service after changes constitutes acceptance.

9. Contact

For privacy-related questions, contact us at privacy@w3forms.com.

← Back to home