GDPR Compliance
Last updated: March 5, 2026
What is GDPR?
The General Data Protection Regulation (GDPR) is a privacy law in the European Union (EU) that grants EU citizens and residents the right to access and control their personal data. It sets strict requirements for how organizations collect, store, and process personal information.
Is Polyform GDPR compliant?
Yes. Polyform's primary data infrastructure is hosted in the European Union, and we are committed to full compliance with the GDPR framework. Here's what we've implemented:
- Our Privacy Policy explains what data we collect, how long we retain it, how it may be transferred, and your data protection rights.
- All data in Polyform is encrypted both in transit (TLS/HTTPS) and at rest, and securely stored within the European Union.
- You have full control over the data you collect, store, and manage through Polyform.
- We do not store IP addresses of form respondents.
- We offer a Data Processing Agreement (DPA) that applies automatically when you create an account.
How does Polyform handle form data?
Polyform provides the form-building service but does not own the responses collected through forms. The form creator is responsible for the data they collect and acts as the Data Controller for respondent information. Polyform acts as the Data Processor, storing and processing data on behalf of form creators.
- As long as your account remains active, you retain full control over the data you collect and how long you choose to store it.
- You can delete or export form responses from your account at any time.
- Any form data you delete is permanently removed from our backups within 30 days.
How does Polyform use my personal data?
Polyform acts as a Data Controller for the personal information you provide to us in order to use our service (such as registration details).
- We do not sell personal data to third parties.
- We do not use your data for advertising purposes.
- We only share your information with trusted service providers (Subprocessors) who assist us in operating Polyform, and these providers are required to comply with applicable data protection laws.
Data Processing Agreement
By creating a Polyform account and accepting our Terms of Service, you also agree to the terms of our Data Processing Agreement (DPA). No separate signature is required.
Subprocessors
The following third-party services process data on our behalf:
| Subprocessor | Purpose | Location |
|---|---|---|
| Convex | Database hosting and backend infrastructure | European Union |
| Vercel | Website and application hosting | United States |
| Polar | Payment processing | European Union |
| | Authentication provider | United States |
| GitHub | Authentication provider | United States |
| OpenAI | AI form and theme generation | United States |
| Anthropic | AI form and theme generation | United States |
| Resend | Transactional email delivery | United States |
We will update this list when Subprocessors change and notify customers of any additions.
Your rights under GDPR
As a data subject, you have the following rights:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete data.
- Right to erasure — request deletion of your personal data.
- Right to restriction — request that we restrict processing of your data.
- Right to data portability — request a copy of your data in a structured, machine-readable format.
- Right to object — object to processing of your personal data.
- Right to lodge a complaint — you have the right to lodge a complaint with a supervisory authority.
To exercise any of these rights, please contact us at hello@polyform.to. We aim to respond to all requests within 30 days.
Contact
If you have any questions about how we collect, use, or protect your personal data, please contact us at hello@polyform.to.