Privacy Policy

---

1. The types of information we may collect

We process two broad groups of users:

• nFormr customers — people or businesses who register for and use the nFormr dashboard to create, manage and embed forms or chatbots (sometimes called "account holders" or "dashboard users").
• End users / visitors — people who interact with an embedded form or chatbot on a third-party website (for example, a website visitor who fills in a contact form or asks a chatbot a question).

Examples of the categories of personal data we may collect include:

• Identity information: name, job title, company name.
• Contact information: email address, telephone number, postal address.
• Form responses: any personal data entered into a form (this will vary by form; could include name, email, telephone, message, or other fields).
• Chat transcripts: messages sent and received via an embedded chatbot.
• Account & billing data: payment details (only where required — see below), billing address and invoicing information supplied by the customer.
• Technical data: IP address, browser user agent, timestamp and other technical metadata needed to deliver and troubleshoot the service.

Special category data: nFormr does not intentionally collect or process special category (sensitive) personal data. Customers are responsible for configuring forms and chatbots so they do not request or store special category data unless they have a lawful basis and appropriate safeguards in place.

2. How we collect personal data

We obtain personal data in a few ways:

• Directly from customers: when someone registers for a nFormr account, updates their account, purchases a subscription, or contacts us (via email or support).
• Via embedded forms & chatbots: when a visitor completes a form or interacts with a chatbot that a customer has embedded on their website. Note that some forms may be configured to not store submissions in nFormr and instead email responses directly to the form owner — in those cases we do not retain submission data centrally.
• Automatically: we log technical information required to operate and secure the service (see Technical data above).
• Third parties: in limited cases we may receive information from third-party services you choose to connect to your nFormr account (for example, a payment processor or CRM). Such sharing is controlled by you when you configure integrations.

3. How we use, control and process your personal data

We will only use personal data where the law allows. Typical purposes include:

• Providing, operating and improving the nFormr service and the embeds (forms and chatbots).
• Delivering form submissions or chat transcripts to the relevant nFormr customer or storing them in the customer's dashboard (subject to the customer's configuration).
• Managing customer accounts, billing and support requests.
• Detecting and preventing fraud or misuse of the service.
• Complying with legal obligations and responding to lawful requests from authorities.
• Sending occasional product updates, newsletters or marketing emails to registered users (you can opt out at any time).

4. Legal bases for processing

Under The Data Protection (Bailiwick of Guernsey) Law, 2017, we rely on the following lawful bases depending on the situation:

• Performance of a contract — to provide the SaaS service you have signed up to (deliver forms, store submissions where configured, host chat logs, bill for subscriptions, etc.).
• Consent — where you have expressly consented to specific processing (for example, marketing emails, where required).
• Legitimate interests — to operate, secure and improve nFormr (for example, preventing abuse, troubleshooting, product development). We balance these interests against your rights and will not rely on legitimate interests where your rights override.
• Legal obligation — where we must process data to comply with a legal duty (for example court orders or lawful requests from authorities).

5. Recipients and data sharing

We do not sell your personal data.

Who we may share data with:

• nFormr account holders: data submitted to a form or chatbot is, by design, delivered to or stored for the account holder who created that embed. Account holders are responsible for their own use of that data and for complying with applicable data protection obligations when collecting data from their users.
• Sub-processors: service providers who process data on our behalf, such as hosting (AWS), email delivery, payment processors and selected third-party integrations that you explicitly enable. These providers will act only on our instructions and are contractually required to maintain appropriate safeguards.
• Legal & regulatory bodies: where required by law or to protect rights (for example, to respond to a lawful request from a court or regulator).

Data may be transferred or processed outside Guernsey. Hosting and primary processing for stored submissions and chat logs takes place on AWS servers in Ireland (EU). Where transfers outside Guernsey occur, we ensure an adequate level of protection is in place in accordance with applicable law.

6. Data security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, accidental disclosure or destruction. Measures include (but are not limited to):

• Encryption of data in transit using TLS.
• Access controls and authentication for the nFormr dashboard.
• Regular patching and security maintenance of our infrastructure hosted on AWS.
• Logging, monitoring and incident response procedures.

If we become aware of a personal data breach which is likely to result in a risk to the rights and freedoms of individuals, we will follow our incident response procedures and notify affected individuals and the relevant data protection authority where required by law.

7. Your rights

Under The Data Protection (Bailiwick of Guernsey) Law, 2017 you have the right to:

1. Be informed about why we collect personal data and how we use it.
2. Access the personal data we hold about you (subject to any legal exemptions).
3. Request rectification of inaccurate or incomplete data.
4. Request erasure of personal data where we have no lawful reason to continue processing it.
5. Request restriction of processing in certain circumstances.
6. Object to processing based on legitimate interests or for direct marketing.
7. Request data portability where applicable.
8. Not to be subject to solely automated decision-making where this produces legal or similarly significant effects.

To exercise any of these rights, or to ask about our processing, please contact the Data Protection Officer using this form. We may ask you to verify your identity before responding. We aim to respond to valid requests without undue delay and within any statutory timescales set by the relevant law.

8. Data retention

We retain personal data only for as long as necessary for the purposes set out in this policy, or as required by law:

• Chat transcripts (chatbot logs): stored for up to 1 month from the time of interaction, unless the nFormr customer requests deletion sooner or configures a different setting where available.
• Form submissions: forms offer a choice: some submissions are stored centrally in the nFormr dashboard and in those cases they may be retained indefinitely (or until deleted by the account holder). Other forms may be configured so that submissions are emailed directly to the form owner and not stored centrally by nFormr — in that case we do not retain the submission in our systems.
• Account & billing data: retained for the duration of the business relationship and subsequently for a period necessary for tax, accounting or legal purposes.
• Technical / log data: retained for a limited period required for security, troubleshooting and operational purposes.

If you are an account holder and would like assistance removing stored submissions or chat logs, contact us using this form.

9. Cookies and analytics

Embeds (forms & chatbots): nFormr embeds do not use cookies. They are intentionally designed to be cookie-free to minimise tracking on third-party websites.

nFormr website: our main marketing / account website at nformr.co uses a cookieless analytics solution and does not employ third-party tracking cookies. If we change this approach we will update this policy and, where necessary, seek consent for non-essential cookies in line with applicable law.

10. Marketing

We may send occasional product updates, service announcements or marketing emails to account holders. You may opt out from marketing communications at any time by following the unsubscribe link in any marketing email or by contacting us using this form. Service-related communications (for example, billing notices or security alerts) are not optional and will still be sent where necessary to operate the service.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The "Date of Last Policy Update" above will reflect the most recent revision. Where changes are material we will take reasonable steps to notify account holders (for example, via email or dashboard notice). Please check this page periodically for changes.

12. Complaints or queries

If you have any questions, concerns or would like to exercise your rights, please contact us using this form.

If you are not satisfied with our response you have the right to lodge a complaint with the data protection supervisory authority in Guernsey:

Last Update: October 17, 2025