GDPR Compliance

Last updated: May 26, 2026

What is GDPR?

The General Data Protection Regulation (GDPR) is a privacy law in the European Union (EU) that grants EU citizens and residents the right to access and control their personal data. It sets strict requirements for how organizations collect, store, and process personal information.

Is Polyform GDPR compliant?

Yes. Polyform is committed to full compliance with the GDPR framework. Here's what we've implemented:

  • Our Privacy Policy explains what data we collect, how long we retain it, how it may be transferred, and your data protection rights.
  • All data in Polyform is encrypted both in transit (TLS/HTTPS) and at rest. For transfers of Personal Data from the EEA, Switzerland, or the United Kingdom to the United States, we rely on the European Commission's Standard Contractual Clauses (Module Two of Commission Implementing Decision (EU) 2021/914) as the appropriate transfer mechanism, supplemented by the UK International Data Transfer Addendum and Swiss FADP-specific modifications where applicable.
  • You have full control over the data you collect, store, and manage through Polyform.
  • We do not store IP addresses of form respondents.
  • We offer a Data Processing Agreement (DPA) that applies automatically when you create an account.

How does Polyform handle form data?

Polyform provides the form-building service but does not own the responses collected through forms. The form creator is responsible for the data they collect and acts as the Data Controller for respondent information. Polyform acts as the Data Processor, storing and processing data on behalf of form creators.

  • As long as your account remains active, you retain full control over the data you collect and how long you choose to store it.
  • You can delete or export form responses from your account at any time.
  • When you delete form data, it is removed from our production systems immediately. Residual copies may persist in encrypted backups and archival copies until they are purged according to our infrastructure provider's data retention schedule.

How does Polyform use my personal data?

Polyform acts as a Data Controller for the personal information you provide to us in order to use our service (such as registration details).

  • We do not sell personal data to third parties.
  • We do not use your data for advertising purposes.
  • We only share your information with trusted service providers (Subprocessors) who assist us in operating Polyform, and these providers are required to comply with applicable data protection laws.

Data Processing Agreement

By creating a Polyform account and accepting our Terms of Service, you also agree to the terms of our Data Processing Agreement (DPA). No separate signature is required.

Subprocessors

The following third-party services process data on our behalf:

Subprocessor | Purpose | Location
-------------|---------|---------
Convex | Database hosting, file storage, and backend infrastructure | Ireland (AWS eu-west-1)
Vercel | Website and application hosting | European Union
Clerk | Authentication and payment processing | United States
Google | Authentication provider | United States
GitHub | Authentication provider | United States
OpenAI | AI form and theme generation | United States
Resend | Transactional email delivery | Ireland
Sentry | Error tracking and application monitoring | European Union
PostHog | Product analytics | European Union

Optional Subprocessors

The following Subprocessors only receive data when you choose to activate the corresponding feature or integration:

Subprocessor | Purpose | Location
-------------|---------|---------
Slack | Form response delivery (only active when you connect Slack to a form) | United States
Zapier | Form response delivery (only active when you connect Zapier to a form) | United States
Unsplash | Stock image search (only active when you search for images in the form builder) | United States

We will notify customers of any additions to this list. You have the right to object to a new Subprocessor on reasonable grounds within ten (10) days of notification — please contact us at hello@polyform.to if you wish to do so.

Our infrastructure provider may use aggregated and de-identified information derived from the Services for their own lawful business purposes (for example, service improvement and capacity planning). Such information cannot reasonably be used to identify you or any data subject.

Sub-Subprocessors

Our Subprocessors may engage their own subprocessors to provide their services. For example, Convex (our database and backend provider) relies on Amazon Web Services for infrastructure and PlanetScale for database services. You can find the complete list of Convex's subprocessors at convex.dev/legal/subprocessors.

Your rights under GDPR

As a data subject, you have the following rights:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure — request deletion of your personal data.
  • Right to restriction — request that we restrict processing of your data.
  • Right to data portability — request a copy of your data in a structured, machine-readable format.
  • Right to object — object to processing of your personal data.
  • Right to lodge a complaint — you have the right to lodge a complaint with your local supervisory authority. For cross-border issues, the Irish Data Protection Commission (DPC) acts as the default competent supervisory authority for our EU Standard Contractual Clauses.

To exercise any of these rights, please contact us at hello@polyform.to. We aim to respond to all requests within 30 days, as required by GDPR Article 12(3).

Security incidents

In the event of a personal data breach affecting your data, we will notify you without undue delay and within the timeframes required by applicable Data Protection Laws, providing all available details necessary for you to meet your own notification obligations to supervisory authorities or affected individuals.

Contact

If you have any questions about how we collect, use, or protect your personal data, please contact us at hello@polyform.to.