FORMLOVA
Get started free

Privacy Policy

Last updated: March 16, 2026

This is an English translation provided for reference. The Japanese version is the authoritative text.

1. Basic Policy

The operator of FORMLOVA (hereinafter "we" or "the Operator") recognizes the importance of personal information and strives to protect it. FORMLOVA (hereinafter "the Service") complies with the Act on the Protection of Personal Information (APPI) of Japan and other applicable laws and guidelines, and handles personal information appropriately in accordance with this Privacy Policy.

2. Age Restriction

The Service is intended for individuals aged 16 and older. We do not knowingly collect personal information from individuals under the age of 16. If we become aware that personal information has been provided by an individual under the age of 16, we will promptly delete such data.

Form creators are responsible for verifying the age of form respondents. When collecting personal information from individuals under the age of 16, form creators must take appropriate measures, such as obtaining parental consent, in compliance with applicable laws (Article 8 of the GDPR, COPPA, etc.).

3. Personal Information We Collect

The Service collects the following personal information.

Account Information

  • Email address
  • Password (stored in hashed form; never stored in plaintext)
  • Name
  • Organization name (optional)

Form Response Data

We collect all data entered by respondents into forms created by users. This may include text, selections, file uploads, email addresses, phone numbers, and more.

Respondent Identification Information

When a form is submitted, we generate and store an email address or a hash of the IP address and browser information (User-Agent) for the purpose of preventing duplicate responses and identifying respondents. Hash values are generated through an irreversible transformation, so the original information cannot be recovered.

Usage Information

  • IP address
  • Browser information (User-Agent)
  • Access date and time
  • Page view history
  • Time spent on pages
  • Device information

Email Delivery Information

We record email open times (detected via tracking pixel), link click times, and the target links.

Payment Information

We use Stripe for paid plan payments. Payment information such as credit card numbers is processed directly by Stripe, and we do not store card information on our servers. We only retain the customer ID issued by Stripe and payment history.

Cookies

We use cookies for session management and maintaining authentication state. See "14. Use of Cookies" for details.

4. Purpose of Use

We use the collected personal information for the following purposes.

  • Provision, operation, and improvement of the Service
  • Account authentication and management
  • Sending emails (response notifications, auto-reply emails, reminder emails, bulk emails to mailing lists)
  • Measuring email delivery effectiveness (tracking opens and clicks)
  • Generating and managing identification information for preventing duplicate form responses
  • Service provision via AI clients through the MCP protocol
  • A/B testing and funnel analysis for form improvement
  • Linking response data to external CRM services based on user instructions
  • Analysis and statistics on usage (aggregated in a non-personally-identifiable manner)
  • Responding to inquiries
  • Investigating and responding to Terms of Service violations
  • Legal compliance

5. Third-Party Provision (Outsourcing)

We outsource the handling of personal information to the following providers to the extent necessary for providing the Service (Article 27, Paragraph 5, Item 1 of the APPI). We confirm that outsourcing partners meet our standards for safe management of personal information and exercise necessary and appropriate supervision over their handling of personal information.

ServicePurposeData Type
SupabaseDatabase, AuthenticationAccount information, Form response data
VercelHosting, Domain ManagementAccess logs, Custom domain configuration (used for registration, verification, and SSL certificate issuance of custom domains configured through the Custom Domain option)
ResendEmail deliveryEmail addresses, Email content
StripePayment processingPayment-related information
Cloudflare, Inc.Bot protection (Cloudflare Turnstile)Behavioral pattern data (no personally identifiable information)

We will not provide personal information to any third party other than the above without the user's consent, except in the following cases:

  • When required by law
  • When necessary to protect the life, body, or property of a person
  • When especially necessary for the improvement of public health or the sound development of children
  • When it is necessary to cooperate with a national or local government body in executing affairs prescribed by law

External Service Integration via MCP Clients

At the explicit instruction of users, form response data may be sent to other services (HubSpot, Salesforce, Notion, etc.) through MCP clients. Such third-party provision of personal information is based on the user's own judgment and instructions, and the handling of data by the receiving service is governed by that service's privacy policy.

Data Sharing via Team Features

When users use the team feature and invite other members, those members can access form response data according to their permissions (viewer, editor, admin). Invitations and permission settings are the user's responsibility.

6. Transfer of Personal Data to Third Parties in Foreign Countries (Cross-Border Transfer)

In the operation of this Service, we outsource the handling of personal data to the following providers located in foreign countries.

ProviderServer LocationData Protection Framework
SupabaseUnited States (AWS)Enforcement under the FTC Act. State laws (CCPA, etc.) may apply
VercelUnited States and Global CDNSame as above
ResendUnited States (AWS)Same as above
StripeUnited StatesSame as above. PCI DSS Level 1 certified
Cloudflare, Inc.United States and Global CDNSame as above

Each provider implements security measures including encryption (at rest and in transit), access controls, and audit logs. We periodically verify that providers take necessary measures to appropriately manage personal data in accordance with Article 28 of the APPI.

7. Security Measures

We implement the following security measures to prevent the leakage, loss, or damage of personal information.

  • AES-256 database encryption (Encryption at Rest)
  • HTTPS / TLS encryption for all communications (Encryption in Transit)
  • Database-level access control via Row Level Security (RLS)
  • Hashed password storage (never stored in plaintext)
  • OAuth 2.1 authentication for MCP clients (per-user token issuance)
  • Minimization of access permissions to personal information
  • Recording and regular review of all operations via audit logs
  • Regular review and improvement of security measures

8. Data Retention Period

The retention periods for personal information are as follows. Data that exceeds its retention period is promptly deleted.

Data TypeRetention Period
Account informationDuring account existence and 30 days after account deletion
Form response dataRetained permanently until deleted by the user (accumulated as the user's asset)
Access logs90 days from collection
Payment historyPeriod required by law (7 years)
Email tracking data (open/click records)12 months
Audit logs12 months
Suppression list (unsubscribe records)Permanent (cannot be deleted due to legal compliance requirements)
OAuth tokensDuration of session (deleted upon logout or expiration)

When an account is deleted, all related data (forms, response data, email delivery history, team member information, etc.) is cascade-deleted.

9. User Rights

Users have the following rights regarding the handling of their personal information.

Rights under Japan's APPI

  • Right to request disclosure of personal information
  • Right to request correction, addition, or deletion of personal information
  • Right to request suspension or erasure of use of personal information
  • Right to request suspension of third-party provision

Rights under the GDPR (for EU/EEA residents)

Users residing in the EU/EEA have the following rights under the GDPR (EU General Data Protection Regulation).

  • Right of access (Article 15) -- the right to obtain a copy of your personal data
  • Right to rectification (Article 16) -- the right to request correction of inaccurate personal data
  • Right to erasure ("right to be forgotten" / Article 17) -- the right to request deletion of personal data
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20) -- the right to receive data in a structured format
  • Right to object to processing (Article 21)
  • Right to withdraw consent (Article 7(3)) -- the right to withdraw consent for consent-based processing at any time

EU/EEA residents have the right to lodge a complaint with their local data protection supervisory authority (Article 77 of the GDPR).

Rights under the UK GDPR (for UK residents)

Users residing in the United Kingdom have the same rights as EU/EEA residents under the UK GDPR (including the Data Protection Act 2018). UK residents have the right to lodge a complaint with the UK ICO (Information Commissioner's Office). For more information, visit https://ico.org.uk.

Rights under the CCPA (for California residents)

Users residing in California have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

  • Right to Know -- the right to request disclosure of the categories and specific pieces of personal information collected over the past 12 months, the sources, purposes of collection, and third parties with whom the information was shared
  • Right to Delete -- the right to request deletion of collected personal information, subject to certain legal exceptions
  • Right to Opt-Out -- the right to opt out of the "sale" or "sharing" of personal information. We do not sell users' personal information
  • Right to Non-Discrimination -- the right not to be discriminated against in terms of service quality or availability for exercising the above rights

California residents may also exercise the above rights through an authorized agent. To submit a request, please contact support@formlova.com. Upon receiving a request, we will verify your identity by matching it against your account registration information.

Data Portability

The Service provides CSV / Excel export functionality for form response data on all plans (including the free plan). Users can retrieve their data at any time and migrate to another service.

Procedure for Exercising Rights

  1. Email support@formlova.com with your request
  2. We will verify your identity by confirming the email was sent from your registered email address
  3. We will respond within 30 days of confirming your request
  4. Disclosure requests will be fulfilled by providing electronic records (CSV / Excel files, etc.)
  5. We may decline a request if identity cannot be verified or if the request does not meet legal requirements, with notification of the reason
  6. Fee: Free

10. Relationship Between Data Controller and Data Processor

Account Information of Form Creators

We act as the data controller and manage this information in accordance with this Policy.

Form Response Data

The form creator is the data controller, and we act as a data processor, processing data based on the form creator's instructions. Requests for disclosure, correction, or deletion of respondent data should be directed to the form creator.

Form creators are responsible for complying with applicable privacy laws and providing appropriate notice to form respondents.

Data Processing Agreement (DPA)

We can provide a Data Processing Agreement (DPA) in compliance with Article 28 of the GDPR. If you require a DPA, please contact support@formlova.com.

11. Data Processing via AI Clients (MCP)

The Service is designed to be operated through AI clients (Claude, ChatGPT, Gemini, etc.) via MCP. When users view or manipulate form response data through an AI client, the data is temporarily loaded into the AI client's (large language model's) context.

This processing is performed based on the user's own instructions. The handling of data within AI clients (whether used for training, data retention period, etc.) is governed by the privacy policy and terms of service of each AI client provider. We are not responsible for the handling of data within AI clients.

Users should understand the risks of handling response data containing personal information through AI clients and use the Service at their own responsibility.

Display of Personal Information in Third-Party AI Clients

The Service's MCP server returns form response data (which may contain personal information) to AI clients based on user instructions. The returned data may be displayed on the AI client's conversation screen. While the server partially masks personal information (e.g., partially hiding email addresses) before returning it, it is not possible to mask all content within responses.

How AI client providers (Anthropic, OpenAI, Google, etc.) retain and use conversation data is governed by each provider's privacy policy. When handling data containing respondents' personal information through AI clients, users are responsible for appropriately notifying respondents of this practice.

12. Email Tracking

Emails sent from the Service may use the following tracking technologies to measure delivery effectiveness.

  • Open tracking: A transparent pixel image (tracking pixel) is embedded in the email body, and the date/time the email was opened is recorded
  • Click tracking: Links in the email body are converted to redirect URLs, and the date/time and target link of each click are recorded

This tracking is performed to help form creators understand delivery effectiveness. Form creators can enable or disable tracking when sending emails. Email recipients can prevent open tracking by disabling image display in their email client.

13. Email Unsubscribe

Emails sent from the Service include an unsubscribe link. By clicking the unsubscribe link, you can stop email delivery from that form. After unsubscribing, you are added to a suppression list and no further emails will be sent.

Important service-related notifications (account communications, security notices, etc.) may still be sent after unsubscribing.

14. Use of Cookies

The Service uses cookies for service provision. The cookies we use are classified into the following two categories.

Essential Cookies

These cookies are essential for the basic functionality of the Service. Disabling them may cause some features (such as login) to not function properly.

Cookie NamePurposeRetention Period
sb-*-auth-tokenMaintaining authentication stateSession duration

Functional Cookies

These cookies remember user preferences and enhance usability.

Cookie NamePurposeRetention Period
localeLanguage preference1 year

Bot Protection (Cloudflare Turnstile)

We use Cloudflare Turnstile for bot protection during form submission. Turnstile analyzes user behavior patterns but does not collect personally identifiable information.

Do Not Track Signal

At this time, there is no universally accepted technology standard for responding to Do Not Track (DNT) signals. Accordingly, the Service does not automatically respond to DNT signals sent by browsers.

15. Handling of Personally Relevant Information

The Service collects and uses the following personally relevant information.

  • Hash values of IP addresses and browser information (for identifying form respondents and preventing duplicate responses)
  • Email open dates/times and link click dates/times (for measuring email delivery effectiveness)

When providing this information to third parties where it may be linked to personal data at the recipient, we will obtain the individual's prior consent.

16. Automated Decision-Making and Profiling

The Service statistically analyzes respondent behavioral data (dropout rate, completion rate, etc.) in its A/B testing and form optimization features. However, these analyses are aggregate-level statistical processing and do not constitute automated decision-making that produces legal effects or similarly significant effects on individuals (Article 22(1) of the GDPR).

17. Legal Basis for Processing under the GDPR

Processing of personal data of EU/EEA resident users is based on the following legal grounds.

  • Performance of a contract (Article 6(1)(b) GDPR): Processing necessary for service provision, including account creation, form creation/management, response data storage, and email delivery
  • Consent (Article 6(1)(a) GDPR): Marketing emails, email tracking
  • Legitimate interests (Article 6(1)(f) GDPR): Service improvement, fraud prevention, security
  • Legal obligation (Article 6(1)(c) GDPR): Tax and accounting record retention obligations

For processing based on consent, users may withdraw consent at any time. Withdrawal is effective only for future processing.

International Data Transfers from the EU/EEA

Japan has received an adequacy decision from the European Commission. For onward transfers from Japan to the United States and other third countries, we confirm that each provider has implemented Standard Contractual Clauses (SCCs) or other appropriate safeguards.

UK GDPR Compliance

We also provide the Service in compliance with the UK GDPR (including the Data Protection Act 2018). The same legal grounds as those applied to EU/EEA residents are applied to the processing of personal data of UK residents.

Data Protection Officer (DPO)

We are not subject to the DPO appointment obligation under Article 37 of the GDPR and have not appointed a DPO. Inquiries from EU/EEA/UK residents regarding the handling of personal data are accepted at support@formlova.com.

18. Data Breach Notification

In the event of a personal data breach, we will provide notification in accordance with applicable laws as follows.

Notification under the GDPR

  • We will report to the competent data protection supervisory authority within 72 hours of becoming aware of the breach
  • If the breach poses a high risk to the rights and freedoms of data subjects, we will notify affected data subjects without undue delay

Notification under Japan's APPI (as amended in 2022)

  • We will report to the Personal Information Protection Commission with a preliminary report (within 3-5 days) and a detailed report (within 30 days, or 60 days in cases of unauthorized access)
  • We will notify affected individuals of the summary of the incident, the types of personal data involved, the cause, and the measures we have taken

Notification Content

  • Summary and timeline of the breach
  • Types and approximate number of affected data records
  • Measures taken and steps to mitigate damage
  • Contact information

Notification Method

Affected users will be notified via email to their registered email address and through a notice published on our website.

19. For Form Respondents

Personal data of those who have responded to forms on FORMLOVA is stored on the Service's servers based on the instructions of the form creator.

The form creator is responsible for managing respondent data. Respondents should direct requests for data disclosure, correction, or deletion to the form creator.

If you cannot reach the form creator, please contact support@formlova.com. We will coordinate with the form creator and respond within a reasonable scope.

20. Disclaimer

While we strive to appropriately manage personal information in accordance with this Policy, we cannot be held responsible for the following.

  • Cases where form creators inappropriately collect or use the personal information of third parties
  • Cases where users send personal data to third-party services through AI clients
  • Leakage of personal information resulting from users failing to properly manage their account information
  • Leakage of personal information due to natural disasters, cyberattacks, or other force majeure events

21. Amendment Procedure

We may amend this Privacy Policy as necessary due to changes in laws or service content.

  • In the case of material changes, we will provide advance notice via email to the registered email address or through an announcement within the Service
  • The amended Privacy Policy takes effect upon publication on this page
  • Continued use of the Service after amendment constitutes agreement to the amended Policy

22. Governing Law and Jurisdiction

This Privacy Policy shall be governed by and construed in accordance with the laws of Japan. Any disputes arising from this Policy shall be subject to the exclusive jurisdiction of the Tokyo District Court as the court of first instance. However, mandatory provisions under the GDPR and other applicable EU legislation shall take precedence for EU/EEA residents, mandatory provisions under the UK GDPR and the Data Protection Act 2018 shall take precedence for UK residents, and mandatory provisions under the CCPA/CPRA shall take precedence for California residents.

23. Contact

For inquiries regarding the handling of personal information or disclosure requests, please contact us using the information below.

Operator: FORMLOVA

Service name: FORMLOVA

Email: support@formlova.com

Effective date: February 26, 2026