GDPR Compliance

How zForms complies with the General Data Protection Regulation

GDPR Compliant

zForms is fully compliant with the EU General Data Protection Regulation (GDPR). We take data protection seriously and have implemented comprehensive measures to ensure compliance.

1. Introduction

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all organizations processing personal data of EU residents, regardless of the organization's location.

This page outlines how zForms complies with GDPR requirements and what measures we have in place to protect your data and the data of your users.

2. Privacy by Design

GDPR requires "privacy by design and by default." zForms was built from the ground up with privacy as a core principle:

What We DO NOT Collect

  • Form field values or user input data
  • Passwords or authentication credentials
  • Personally Identifiable Information (PII)
  • Credit card numbers or payment information
  • Email addresses or phone numbers from forms
  • Names or addresses from forms

What We Collect (Metadata Only)

  • Form interaction events (focus, blur, submit)
  • Time spent on fields (without field values)
  • Anonymized session IDs
  • Form structure and field labels
  • Browser user agent
  • Anonymized IP addresses (last octet removed)
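The two lists above describe a collection policy; the following Python block is an added example (not zForms' own code) of how an ingestion step can enforce it: it keeps only an allow-list of interaction metadata, drops anything that could carry a field value, and zeroes the last octet of IPv4 addresses as the list states. The IPv6 truncation to /48 and the keyed-hash pseudonymization of session IDs are assumptions, since the page does not say how those are handled; the key names and the sample event are constructed.

```python
import hashlib
import hmac
import ipaddress
from typing import Any

# Assumed allow-list: interaction metadata only (event type, timing, structure).
# Anything not listed here, including any "value"-like key, never reaches storage.
ALLOWED_EVENT_KEYS = {
    "event", "field_id", "field_label", "field_type",
    "timestamp", "duration_ms", "session_id", "user_agent",
}

# Constructed secret for session-ID pseudonymization (assumption: a server-side key).
SESSION_HASH_KEY = b"constructed-example-key-do-not-reuse"


def anonymize_ip(ip: str) -> str:
    """IPv4: zero the last octet (as the page states).
    IPv6: keep only the /48 prefix (assumption; the page does not specify IPv6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymize_session(session_id: str) -> str:
    """Keyed hash so raw session IDs are not stored. This is pseudonymization,
    not full anonymization: the key holder could still correlate events."""
    return hmac.new(SESSION_HASH_KEY, session_id.encode(), hashlib.sha256).hexdigest()[:16]


def sanitize_event(raw: dict[str, Any]) -> dict[str, Any]:
    """Reduce a raw client event to the metadata-only shape before it is stored."""
    clean = {k: v for k, v in raw.items() if k in ALLOWED_EVENT_KEYS}
    if "session_id" in clean:
        clean["session_id"] = pseudonymize_session(str(clean["session_id"]))
    if "client_ip" in raw:
        clean["client_ip"] = anonymize_ip(raw["client_ip"])
    return clean


def contains_user_input(event: dict[str, Any]) -> bool:
    """Defensive check run on the sanitized event: any leftover input-bearing key is a bug."""
    forbidden = {"value", "input", "text", "password", "email", "phone"}
    return any(k in forbidden for k in event)


# Constructed sample: a blur event that (wrongly) carries the field's value.
CONSTRUCTED_EVENT = {
    "event": "blur",
    "field_id": "email",
    "field_label": "Email address",
    "field_type": "email",
    "duration_ms": 4120,
    "session_id": "sess-8f2c",
    "value": "alice@example.com",   # must be dropped
    "client_ip": "203.0.113.77",
}

if __name__ == "__main__":
    out = sanitize_event(CONSTRUCTED_EVENT)
    assert not contains_user_input(out)
    print(out)
```

The allow-list, rather than a deny-list, is the design choice that matters: a new client-side key added later is dropped by default, so the "what we do not collect" promise does not depend on someone remembering to block it.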

3. Legal Basis for Processing

Under GDPR Article 6, we process personal data on the following legal bases:

3.1 Contract Performance (Art. 6(1)(b))

Processing is necessary to provide our analytics service to you as outlined in our Terms of Service.

3.2 Legitimate Interest (Art. 6(1)(f))

We process certain data based on our legitimate interest to:

  • Improve and optimize our service
  • Detect and prevent fraud
  • Ensure security and prevent abuse
  • Provide customer support

3.3 Consent (Art. 6(1)(a))

For optional features like marketing communications, we obtain explicit consent before processing.

4. Data Subject Rights

Under GDPR, individuals have the following rights regarding their personal data:

Right to Access (Art. 15)

You have the right to request a copy of all personal data we hold about you.

How to exercise: Email privacy@zforms.xyz with subject "GDPR Data Access Request"

Response time: Within 30 days

Right to Rectification (Art. 16)

You have the right to correct inaccurate or incomplete personal data.

How to exercise: Update your information in your dashboard or contact support

Right to Erasure / "Right to be Forgotten" (Art. 17)

You have the right to request deletion of your personal data.

How to exercise: Delete your account in dashboard settings or email privacy@zforms.xyz

Note: Some data may be retained for legal compliance (up to 7 years for financial records)

Right to Data Portability (Art. 20)

You have the right to receive your data in a structured, machine-readable format.

How to exercise: Export your data from the dashboard or request via email

Format: JSON or CSV

Right to Restriction of Processing (Art. 18)

You have the right to limit how we process your data in certain circumstances.

How to exercise: Email privacy@zforms.xyz

Right to Object (Art. 21)

You have the right to object to processing based on legitimate interests.

How to exercise: Contact our Data Protection Officer at dpo@zforms.xyz

Right to Withdraw Consent (Art. 7)

You have the right to withdraw consent for processing based on consent.

How to exercise: Manage preferences in your dashboard or email us

5. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our GDPR compliance:

Contact Our DPO

For all GDPR-related inquiries, data subject requests, or privacy concerns:

Email: dpo@zforms.xyz

Response time: Within 72 hours for acknowledgment, 30 days for complete response

6. International Data Transfers

Your data may be transferred to and stored in countries outside the European Economic Area (EEA). We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): EU-approved data transfer agreements
  • Data Processing Agreements: With all third-party service providers
  • Adequacy Decisions: Only transfer data to countries recognized by the EU Commission
  • Additional Safeguards: Encryption, pseudonymization, and access controls

7. Data Retention

We retain personal data only for as long as necessary for the purposes outlined in our Privacy Policy:

Analytics Data Retention

  • Free Plan: 7 days
  • Starter Plan: 30 days
  • Pro Plan: 90 days
  • Business Plan: 1 year
  • Enterprise Plan: Up to 2 years (customizable)

Account Data Retention

  • Account information: Until account deletion
  • Billing records: 7 years (legal requirement)
  • Support tickets: 3 years
  • Logs and security data: 90 days

8. Security Measures (Art. 32)

We implement appropriate technical and organizational measures to ensure data security:

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Regular security audits and penetration testing
  • Access controls and authentication
  • Employee security training
  • Incident response procedures

For more details, see our Security page.

9. Data Breach Notification (Art. 33-34)

In the event of a personal data breach:

  • We will notify the relevant supervisory authority within 72 hours of becoming aware
  • We will notify affected individuals without undue delay if the breach poses a high risk
  • We will document all breaches and our response measures
  • We will take immediate steps to mitigate the breach

10. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority.

You can find your local data protection authority at: https://edpb.europa.eu/about-edpb/board/members_en

However, we encourage you to contact us first so we can address your concerns directly.

11. GDPR Documentation

We maintain comprehensive GDPR compliance documentation:

  • Data Processing Agreement: Standard DPA for enterprise customers
  • Subprocessors List: List of third-party service providers

12. Contact Information

For GDPR-related inquiries: