FORMLOVA
Get started free

Privacy Policy

Last updated: March 4, 2026

This is an English translation provided for reference. The Japanese version is the authoritative text.

1. Basic Policy

The operator of FORMLOVA (hereinafter "we" or "the Operator") recognizes the importance of personal information and strives to protect it. FORMLOVA (hereinafter "the Service") complies with the Act on the Protection of Personal Information (APPI) of Japan and other applicable laws and guidelines, and handles personal information appropriately in accordance with this Privacy Policy.

2. Age Restriction

The Service is intended for individuals aged 16 and older. We do not knowingly collect personal information from individuals under the age of 16. If we become aware that personal information has been provided by an individual under the age of 16, we will promptly delete such data.

Form creators are responsible for verifying the age of form respondents. When collecting personal information from individuals under the age of 16, form creators must take appropriate measures, such as obtaining parental consent, in compliance with applicable laws (Article 8 of the GDPR, COPPA, etc.).

3. Personal Information We Collect

The Service collects the following personal information.

Account Information

  • Email address
  • Password (stored in hashed form; never stored in plaintext)
  • Name
  • Organization name (optional)

Form Response Data

We collect all data entered by respondents into forms created by users. This may include text, selections, file uploads, email addresses, phone numbers, and more.

Respondent Identification Information

When a form is submitted, we generate and store an email address or a hash of the IP address and browser information (User-Agent) for the purpose of preventing duplicate responses and identifying respondents. Hash values are generated through an irreversible transformation, so the original information cannot be recovered.

Usage Information

  • IP address
  • Browser information (User-Agent)
  • Access date and time
  • Page view history
  • Time spent on pages
  • Device information

Email Delivery Information

We record email open times (detected via tracking pixel), link click times, and the target links.

Payment Information

We use Stripe for paid plan payments. Payment information such as credit card numbers is processed directly by Stripe, and we do not store card information on our servers. We only retain the customer ID issued by Stripe and payment history.

Cookies

We use cookies for session management, maintaining authentication state, and web analytics. See "14. Use of Cookies" for details.

4. Purpose of Use

We use the collected personal information for the following purposes.

  • Provision, operation, and improvement of the Service
  • Account authentication and management
  • Sending emails (response notifications, auto-reply emails, reminder emails, bulk emails to mailing lists)
  • Measuring email delivery effectiveness (tracking opens and clicks)
  • Generating and managing identification information for preventing duplicate form responses
  • Service provision via AI clients through the MCP protocol
  • A/B testing and funnel analysis for form improvement
  • Linking response data to external CRM services based on user instructions
  • Website usage analysis via Google Analytics
  • Analysis and statistics on usage (aggregated in a non-personally-identifiable manner)
  • Responding to inquiries
  • Investigating and responding to Terms of Service violations
  • Legal compliance

5. Third-Party Provision (Outsourcing)

We outsource the handling of personal information to the following providers to the extent necessary for providing the Service (Article 27, Paragraph 5, Item 1 of the APPI). We confirm that outsourcing partners meet our standards for safe management of personal information and exercise necessary and appropriate supervision over their handling of personal information.

ServicePurposeData Type
SupabaseDatabase, AuthenticationAccount information, Form response data
VercelHostingAccess logs
ResendEmail deliveryEmail addresses, Email content
StripePayment processingPayment-related information
Google LLCWeb analytics (Google Analytics)IP address (anonymized), Page view history, Device information, Time spent on pages

We will not provide personal information to any third party other than the above without the user's consent, except in the following cases:

  • When required by law
  • When necessary to protect the life, body, or property of a person
  • When especially necessary for the improvement of public health or the sound development of children
  • When it is necessary to cooperate with a national or local government body in executing affairs prescribed by law

External Service Integration via MCP Clients

At the explicit instruction of users, form response data may be sent to other services (HubSpot, Salesforce, Notion, etc.) through MCP clients. Such third-party provision of personal information is based on the user's own judgment and instructions, and the handling of data by the receiving service is governed by that service's privacy policy.

Data Sharing via Team Features

When users use the team feature and invite other members, those members can access form response data according to their permissions (viewer, editor, admin). Invitations and permission settings are the user's responsibility.

6. Transfer of Personal Data to Third Parties in Foreign Countries (Cross-Border Transfer)

In the operation of this Service, we outsource the handling of personal data to the following providers located in foreign countries.

ProviderServer LocationData Protection Framework
SupabaseUnited States (AWS)Enforcement under the FTC Act. State laws (CCPA, etc.) may apply
VercelUnited States and Global CDNSame as above
ResendUnited States (AWS)Same as above
StripeUnited StatesSame as above. PCI DSS Level 1 certified
Google LLCUnited StatesSame as above. Analytics data (IP address, browsing history, device information)

Each provider implements security measures including encryption (at rest and in transit), access controls, and audit logs. We periodically verify that providers take necessary measures to appropriately manage personal data in accordance with Article 28 of the APPI.

7. Security Measures

We implement the following security measures to prevent the leakage, loss, or damage of personal information.

  • AES-256 database encryption (Encryption at Rest)
  • HTTPS / TLS encryption for all communications (Encryption in Transit)
  • Database-level access control via Row Level Security (RLS)
  • Hashed password storage (never stored in plaintext)
  • OAuth 2.1 authentication for MCP clients (per-user token issuance)
  • Minimization of access permissions to personal information
  • Recording and regular review of all operations via audit logs
  • Regular review and improvement of security measures

8. Data Retention Period

The retention periods for personal information are as follows. Data that exceeds its retention period is promptly deleted.

Data TypeRetention Period
Account informationDuring account existence and 30 days after account deletion
Form response dataRetained permanently until deleted by the user (accumulated as the user's asset)
Access logs90 days from collection
Payment historyPeriod required by law (7 years)
Email tracking data (open/click records)12 months
Audit logs12 months
Suppression list (unsubscribe records)Permanent (cannot be deleted due to legal compliance requirements)
OAuth tokensDuration of session (deleted upon logout or expiration)

When an account is deleted, all related data (forms, response data, email delivery history, team member information, etc.) is cascade-deleted.

9. User Rights

Users have the following rights regarding the handling of their personal information.

Rights under Japan's APPI

  • Right to request disclosure of personal information
  • Right to request correction, addition, or deletion of personal information
  • Right to request suspension or erasure of use of personal information
  • Right to request suspension of third-party provision

Rights under the GDPR (for EU/EEA residents)

Users residing in the EU/EEA have the following rights under the GDPR (EU General Data Protection Regulation).

  • Right of access (Article 15) -- the right to obtain a copy of your personal data
  • Right to rectification (Article 16) -- the right to request correction of inaccurate personal data
  • Right to erasure ("right to be forgotten" / Article 17) -- the right to request deletion of personal data
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20) -- the right to receive data in a structured format
  • Right to object to processing (Article 21)
  • Right to withdraw consent (Article 7(3)) -- the right to withdraw consent for consent-based processing at any time

EU/EEA residents have the right to lodge a complaint with their local data protection supervisory authority (Article 77 of the GDPR).

Rights under the UK GDPR (for UK residents)

Users residing in the United Kingdom have the same rights as EU/EEA residents under the UK GDPR (including the Data Protection Act 2018). UK residents have the right to lodge a complaint with the UK ICO (Information Commissioner's Office). For more information, visit https://ico.org.uk.

Rights under the CCPA (for California residents)

Users residing in California have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

  • Right to Know -- the right to request disclosure of the categories and specific pieces of personal information collected over the past 12 months, the sources, purposes of collection, and third parties with whom the information was shared
  • Right to Delete -- the right to request deletion of collected personal information, subject to certain legal exceptions
  • Right to Opt-Out -- the right to opt out of the "sale" or "sharing" of personal information. We do not sell users' personal information. Our use of Google Analytics is limited to analytical purposes and does not constitute a sale of personal information
  • Right to Non-Discrimination -- the right not to be discriminated against in terms of service quality or availability for exercising the above rights

California residents may also exercise the above rights through an authorized agent. To submit a request, please contact support@formlova.com. Upon receiving a request, we will verify your identity by matching it against your account registration information.

Data Portability

The Service provides CSV / Excel export functionality for form response data on all plans (including the free plan). Users can retrieve their data at any time and migrate to another service.

Procedure for Exercising Rights

  1. Email support@formlova.com with your request
  2. We will verify your identity by confirming the email was sent from your registered email address
  3. We will respond within 30 days of confirming your request
  4. Disclosure requests will be fulfilled by providing electronic records (CSV / Excel files, etc.)
  5. We may decline a request if identity cannot be verified or if the request does not meet legal requirements, with notification of the reason
  6. Fee: Free

10. Relationship Between Data Controller and Data Processor

Account Information of Form Creators

We act as the data controller and manage this information in accordance with this Policy.

Form Response Data

The form creator is the data controller, and we act as a data processor, processing data based on the form creator's instructions. Requests for disclosure, correction, or deletion of respondent data should be directed to the form creator.

Form creators are responsible for complying with applicable privacy laws and providing appropriate notice to form respondents.

Data Processing Agreement (DPA)

We can provide a Data Processing Agreement (DPA) in compliance with Article 28 of the GDPR. If you require a DPA, please contact support@formlova.com.

11. Data Processing via AI Clients (MCP)

The Service is designed to be operated through AI clients (Claude, ChatGPT, Gemini, etc.) via MCP. When users view or manipulate form response data through an AI client, the data is temporarily loaded into the AI client's (large language model's) context.

This processing is performed based on the user's own instructions. The handling of data within AI clients (whether used for training, data retention period, etc.) is governed by the privacy policy and terms of service of each AI client provider. We are not responsible for the handling of data within AI clients.

Users should understand the risks of handling response data containing personal information through AI clients and use the Service at their own responsibility.

12. Email Tracking

Emails sent from the Service may use the following tracking technologies to measure delivery effectiveness.

  • Open tracking: A transparent pixel image (tracking pixel) is embedded in the email body, and the date/time the email was opened is recorded
  • Click tracking: Links in the email body are converted to redirect URLs, and the date/time and target link of each click are recorded

This tracking is performed to help form creators understand delivery effectiveness. Form creators can enable or disable tracking when sending emails. Email recipients can prevent open tracking by disabling image display in their email client.

13. Email Unsubscribe

Emails sent from the Service include an unsubscribe link. By clicking the unsubscribe link, you can stop email delivery from that form. After unsubscribing, you are added to a suppression list and no further emails will be sent.

Important service-related notifications (account communications, security notices, etc.) may still be sent after unsubscribing.

14. Use of Cookies

The Service uses cookies for service provision and web analytics. The cookies we use are classified into the following three categories.

Essential Cookies

These cookies are essential for the basic functionality of the Service. Disabling them may cause some features (such as login) to not function properly.

Cookie NamePurposeRetention Period
sb-*-auth-tokenMaintaining authentication stateSession duration

Analytics Cookies

The Service uses Google Analytics (Measurement ID: G-2PHVCDGZTC) to understand and improve website usage. Google Analytics uses cookies to collect the following information.

  • IP address (automatically anonymized by Google Analytics)
  • Page view history
  • Time spent on pages
  • Device information (browser type, OS, screen resolution, etc.)
Cookie NamePurposeRetention Period
_gaUser identification (Google Analytics)2 years
_ga_*Session state maintenance (Google Analytics)2 years

Collected data is transmitted to and stored on Google's servers. For Google's privacy policy, see https://policies.google.com/privacy.

To opt out of data collection by Google Analytics, install the Google Analytics opt-out browser add-on available at https://tools.google.com/dlpage/gaoptout.

Functional Cookies

These cookies remember user preferences and enhance usability.

Cookie NamePurposeRetention Period
localeLanguage preference1 year

Do Not Track Signal

At this time, there is no universally accepted technology standard for responding to Do Not Track (DNT) signals. Accordingly, the Service does not automatically respond to DNT signals sent by browsers. To disable tracking by Google Analytics, please use the opt-out add-on described above.

15. Handling of Personally Relevant Information

The Service collects and uses the following personally relevant information.

  • Hash values of IP addresses and browser information (for identifying form respondents and preventing duplicate responses)
  • Email open dates/times and link click dates/times (for measuring email delivery effectiveness)

When providing this information to third parties where it may be linked to personal data at the recipient, we will obtain the individual's prior consent.

16. Automated Decision-Making and Profiling

The Service statistically analyzes respondent behavioral data (dropout rate, completion rate, etc.) in its A/B testing and form optimization features. However, these analyses are aggregate-level statistical processing and do not constitute automated decision-making that produces legal effects or similarly significant effects on individuals (Article 22(1) of the GDPR).

17. Legal Basis for Processing under the GDPR

Processing of personal data of EU/EEA resident users is based on the following legal grounds.

  • Performance of a contract (Article 6(1)(b) GDPR): Processing necessary for service provision, including account creation, form creation/management, response data storage, and email delivery
  • Consent (Article 6(1)(a) GDPR): Marketing emails, email tracking
  • Legitimate interests (Article 6(1)(f) GDPR): Service improvement, fraud prevention, security, web analytics via Google Analytics
  • Legal obligation (Article 6(1)(c) GDPR): Tax and accounting record retention obligations

For processing based on consent, users may withdraw consent at any time. Withdrawal is effective only for future processing.

International Data Transfers from the EU/EEA

Japan has received an adequacy decision from the European Commission. For onward transfers from Japan to the United States and other third countries, we confirm that each provider has implemented Standard Contractual Clauses (SCCs) or other appropriate safeguards.

UK GDPR Compliance

We also provide the Service in compliance with the UK GDPR (including the Data Protection Act 2018). The same legal grounds as those applied to EU/EEA residents are applied to the processing of personal data of UK residents.

Data Protection Officer (DPO)

We are not subject to the DPO appointment obligation under Article 37 of the GDPR and have not appointed a DPO. Inquiries from EU/EEA/UK residents regarding the handling of personal data are accepted at support@formlova.com.

18. Data Breach Notification

In the event of a personal data breach, we will provide notification in accordance with applicable laws as follows.

Notification under the GDPR

  • We will report to the competent data protection supervisory authority within 72 hours of becoming aware of the breach
  • If the breach poses a high risk to the rights and freedoms of data subjects, we will notify affected data subjects without undue delay

Notification under Japan's APPI (as amended in 2022)

  • We will report to the Personal Information Protection Commission with a preliminary report (within 3-5 days) and a detailed report (within 30 days, or 60 days in cases of unauthorized access)
  • We will notify affected individuals of the summary of the incident, the types of personal data involved, the cause, and the measures we have taken

Notification Content

  • Summary and timeline of the breach
  • Types and approximate number of affected data records
  • Measures taken and steps to mitigate damage
  • Contact information

Notification Method

Affected users will be notified via email to their registered email address and through a notice published on our website.

19. For Form Respondents

Personal data of those who have responded to forms on FORMLOVA is stored on the Service's servers based on the instructions of the form creator.

The form creator is responsible for managing respondent data. Respondents should direct requests for data disclosure, correction, or deletion to the form creator.

If you cannot reach the form creator, please contact support@formlova.com. We will coordinate with the form creator and respond within a reasonable scope.

20. Disclaimer

While we strive to appropriately manage personal information in accordance with this Policy, we cannot be held responsible for the following.

  • Cases where form creators inappropriately collect or use the personal information of third parties
  • Cases where users send personal data to third-party services through AI clients
  • Leakage of personal information resulting from users failing to properly manage their account information
  • Leakage of personal information due to natural disasters, cyberattacks, or other force majeure events

21. Amendment Procedure

We may amend this Privacy Policy as necessary due to changes in laws or service content.

  • In the case of material changes, we will provide advance notice via email to the registered email address or through an announcement within the Service
  • The amended Privacy Policy takes effect upon publication on this page
  • Continued use of the Service after amendment constitutes agreement to the amended Policy

22. Governing Law and Jurisdiction

This Privacy Policy shall be governed by and construed in accordance with the laws of Japan. Any disputes arising from this Policy shall be subject to the exclusive jurisdiction of the Tokyo District Court as the court of first instance. However, mandatory provisions under the GDPR and other applicable EU legislation shall take precedence for EU/EEA residents, mandatory provisions under the UK GDPR and the Data Protection Act 2018 shall take precedence for UK residents, and mandatory provisions under the CCPA/CPRA shall take precedence for California residents.

23. Contact

For inquiries regarding the handling of personal information or disclosure requests, please contact us using the information below.

Operator: FORMLOVA

Service name: FORMLOVA

Email: support@formlova.com

Effective date: February 26, 2026