Privacy Policy
Last updated: 2026-05-08
1. Two kinds of data
2. Account data
What we store and why:
- Email address — identifies your account, used for verification, password reset, and quota notifications.
- Password — stored as an Argon2id hash, never in plaintext.
- Tier — determines your form and submission limits.
- Push subscription endpoints — only if you opt into web push notifications. These come from your browser's push service (Google FCM, Mozilla, Apple) and let us send notifications when a form receives a submission.
You can delete your account at any time. Doing so removes your account record, your forms, and all submission data.
3. Submission data
When a visitor submits one of your forms, we store:
- the JSON payload they submitted (whatever fields you asked for);
- the IP address of the request;
- the User-Agent header;
- the Origin header;
- a timestamp.
Submission data is visible only to you, the account holder. We do not look at it, sell it, profile it, or share it with third parties beyond the processors listed below. You decide retention by deleting submissions in your dashboard. If you delete the form, all its submissions are removed with it.
Form owners: you are responsible for telling visitors what you collect and why. A link to your own privacy notice on the page hosting the form is the usual approach.
4. Cookies
Formhook sets a single cookie: next-auth.session-token. It is HTTP-only, secure, SameSite=Lax, and lives for 30 days. It exists for the sole purpose of keeping you signed in to the dashboard. Under EU/UK ePrivacy law this is a strictly-necessary cookie and does not require a consent banner.
We run first-party, cookieless visit analytics on our public marketing pages: we record the page path, the referring host, country (from the Cloudflare CF-IPCountry header), the browser and OS family, and a daily-rotating anonymous identifier derived from your IP and User-Agent. We do not store your IP address, we do not set any tracking cookie, and we do not share this data with third parties. We do not run third-party tracking pixels or advertising scripts.
5. Push notifications
Web push is opt-in. When you enable it, your browser generates a subscription token; we store the endpoint and the encryption keys needed to deliver notifications to it. By default, notification bodies are opaque (“New submission for [form name]”) — no submission content travels through the push service. You can opt into including a short preview in the notification body from the dashboard.
Logging out, resetting your password, or disabling notifications removes your push subscriptions from our database.
6. Processors
| Processor | Role | Location | Data shared |
|---|---|---|---|
| Hetzner Online GmbH | Hosting, database, backups | Germany (EU) | All account and submission data at rest |
| Cloudflare, Inc. | DNS, TLS, CDN, Turnstile | Global edge (in transit only) | IPs, request headers; Turnstile tokens for forms that opt in |
| Resend (Resend, Inc.) | Transactional email | EU sending region | Email address + email body for verification, password reset, quota alerts |
| Google FCM / Mozilla autopush / Apple APNs | Web push delivery | Varies by browser vendor | Endpoint token + encrypted notification payload (when push is enabled) |
7. Data retention
- Account email, password hash, tier — kept while your account is active; removed when you delete the account.
- Submissions — kept until you delete the submission, the form, or your entire account. There is no automatic pruning today.
- Email-verification tokens — 24-hour TTL, deleted on use or expiry.
- Password-reset tokens — 10-minute TTL, deleted on use or expiry.
- Push subscriptions — deleted on logout, password change, or when the push service reports the endpoint is gone (HTTP 404 / 410).
- Backups — encrypted nightly Postgres dump, retained 14 days on the host. Backups roll off automatically. Deleting your account removes data from the live database immediately; it ages out of historical backup snapshots within the 14-day window.