Privacy Policy

Last updated: April 1, 2026 · Effective immediately

1. Who We Are

W3Forms (“W3Forms”, “we”, “us”) provides a form backend service for static websites at https://w3forms.com. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how long we keep it, and the rights you have over it under GDPR, CCPA, and other applicable data protection laws.

For form submissions sent to our API by visitors to your site, you are the data controller and W3Forms is the data processor acting on your instructions. For your W3Forms account, we are the controller of the account data you provide us.

2. What We Collect

We collect data in two contexts: account data you provide when you register, and form submission data sent to us by visitors to your forms.

2.1 Account data

  • Email address (required for sign-in and notifications).
  • A bcrypt hash of your password (we never store the raw password).
  • Workspace name, billing address, and tax ID if you upgrade to Pro.
  • Stripe customer and subscription identifiers. Card data itself is stored by Stripe and never touches our servers.
  • Optional profile fields you fill in (display name, avatar URL).

2.2 Form submission data

  • Every field your form visitor submits (e.g., name, email, message, attachments). The exact contents depend on the fields you define.
  • Submission metadata: timestamp, source URL, originating IP address, user agent, and a spam-classification flag.
  • File attachments uploaded through multipart submissions on Pro plans.

2.3 Operational telemetry

  • API request logs: timestamp, route, response status, latency.
  • Per-IP rate-limit counters (kept for 1 hour).
  • Webhook delivery attempts: target URL, status code, response time.
  • Email delivery receipts from Amazon SES.

3. How We Use Your Data

We use collected data only to:

  • Deliver form submissions to your inbox and dashboard.
  • Send email notifications and webhook payloads you configure.
  • Enforce plan limits, rate limiting, and spam protection.
  • Provide support and respond to your questions.
  • Bill you accurately and process refunds when applicable.
  • Detect, investigate, and prevent abuse, fraud, or security incidents.
  • Comply with legal obligations (tax, audit, lawful requests).

We do not sell, rent, or share your data — or your visitors' submission data — with third parties for advertising or marketing purposes. We do not build advertising profiles. We do not train AI models on your submission contents.

4. Lawful Bases for Processing (GDPR Art. 6)

  • Contract — processing your account data and submissions is necessary to provide the service you signed up for.
  • Legitimate interest — operational logging, abuse prevention, and aggregate usage analytics. We have weighed this interest against your privacy rights and provide an opt-out where feasible.
  • Legal obligation — retaining billing and tax records as required by applicable financial law.
  • Consent — for non-essential communications such as product update emails. You can withdraw consent at any time from your account settings.

5. Sub-processors

W3Forms uses the following sub-processors to operate the service. All sub-processors are bound by data-processing agreements that require them to handle your data only on our documented instructions.

  Sub-processor              | Purpose                                      | Region
  ---------------------------|----------------------------------------------|--------------------
  Amazon Web Services (SES)  | Transactional email delivery                 | United States
  Cloudflare                 | CDN, DDoS protection, DNS, edge caching      | Global edge
  Railway                    | API and worker compute hosting               | United States
  Neon (PostgreSQL)          | Encrypted submission and account database    | United States / EU
  Upstash (Redis)            | Queues, rate limiters, caches                | Global
  Stripe                     | Subscription billing and payment processing  | United States / EU
  Cloudflare R2              | File attachment storage (Pro plan)           | Global edge

We will notify customers via email at least 30 days before adding or changing a sub-processor that materially affects how data is handled.

6. Data Storage and Security

All data is stored in encrypted PostgreSQL databases with disk-level encryption at rest. Access keys are hashed with SHA-256 before storage — we never store your raw access key after initial creation. Webhook secrets are used to sign payloads with HMAC-SHA256 so you can verify authenticity using constant-time comparison.

All connections to our API and dashboard use HTTPS with TLS 1.2 or higher. We enforce HSTS with a long max-age. Internal service-to-service traffic runs over private networking. Database backups are encrypted and retained for 30 days.

Access to production systems is restricted to a small set of authorized personnel, requires hardware-key two-factor authentication, and is audit-logged.

7. Data Retention

  • Form submissions are retained for as long as your account is active. You can delete individual submissions or your entire account at any time from the dashboard.
  • Account deletion: when you delete your account, all associated data (submissions, forms, access keys, file attachments) is permanently removed within 30 days.
  • Operational logs are retained for 90 days for security and abuse-prevention purposes, then deleted.
  • Billing records are retained for 7 years to comply with tax and accounting law.
  • Backups roll off automatically within 30 days of the source data being deleted.

8. International Data Transfers

Some sub-processors are located in the United States. Where we transfer personal data of EU/UK data subjects outside the EU/UK, we rely on Standard Contractual Clauses approved by the European Commission and the UK Information Commissioner's Office, plus supplementary measures such as encryption in transit and at rest.

9. Your Rights (GDPR / CCPA / CPRA)

You have the right to:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete personal data.
  • Deletion (“right to be forgotten”): request deletion of your account and all associated data.
  • Portability: export your form submissions in a common, machine-readable format (CSV, JSON).
  • Objection: object to processing based on legitimate interest.
  • Restriction: request that we limit how we process your data while a complaint or correction is investigated.
  • Opt out of sale or sharing: we never sell or share personal data — this right is satisfied by default.
  • Withdraw consent: where we rely on consent (e.g., marketing emails), you can withdraw it at any time without affecting the lawfulness of processing performed before withdrawal.
  • Lodge a complaint with your local supervisory authority (in the EU/UK) at any time.

To exercise any of these rights, contact us at privacy@w3forms.com. We respond within 30 days.

10. Cookies

The W3Forms dashboard uses a single first-party HttpOnly session cookie for authentication. The marketing site (this page included) does not set any cookies and contains no third-party tracking, analytics cookies, or advertising cookies.

11. Children's Privacy

W3Forms is intended for developers and businesses. The service is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@w3forms.com and we will delete it.

12. Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the affected account owners and the relevant supervisory authorities without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in line with GDPR Article 33.

13. Data Processing Addendum (DPA)

Pro customers can request a signed Data Processing Addendum that includes Standard Contractual Clauses. Email privacy@w3forms.com with your account details and we will send the DPA for counter-signature.

14. Changes to This Policy

We may update this policy from time to time. We will notify registered users by email of any material changes at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the service after changes constitutes acceptance.

15. Contact

For privacy-related questions, complaints, or to exercise your rights, contact us at privacy@w3forms.com.

For security disclosures, see our security.txt or email security@w3forms.com.
