Privacy Policy - FormFlow
Last updated: October 17, 2025
Introduction
FormFlow (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our form builder application for monday.com.
Information We Collect
Information You Provide
- Account Information: Your monday.com account details and workspace information
- Form Data: Content you create in forms, including field configurations and settings
- User Submissions: Data submitted through forms created with FormFlow
- Contact Information: Email addresses and contact details for support purposes
Information We Collect Automatically
- Usage Data: How you interact with FormFlow features
- Performance Data: Application performance and error logs
- Device Information: Browser type, operating system, and device identifiers
- Location Data: Country information derived from IP address (via ipinfo service) for analytics purposes
- Metadata: We only store your userID and accountId as metadata. We do not store any other personal information. This minimal metadata is kept to restore your information if you reinstall the app. This metadata can be permanently deleted upon your request at any time.
Information from monday.com
- Board Data: Access to boards and items as permitted by your monday.com permissions
- User Permissions: Your role and access levels within monday.com workspaces
- Integration Data: Data necessary for FormFlow to function within your monday.com environment
How We Use Your Information
Service Provision
- Form Creation: Enable you to create and manage forms within monday.com
- Data Processing: Process form submissions and update monday.com boards
- Integration: Maintain connection between FormFlow and monday.com
Service Improvement
- Analytics: Analyze usage patterns to improve our service
- Feature Development: Develop new features based on user needs
- Performance Optimization: Monitor and improve application performance
Communication
- Support: Provide customer support and respond to inquiries
- Updates: Notify you about service updates and new features
- Legal Compliance: Comply with legal obligations and protect our rights
Third-Party Services, Cookies, and Data Sharing
Third-Party Services
We use the following third-party services and packages to provide and improve our service:
Infrastructure and Database Services
- Google Cloud Platform (GCP): Used for server hosting and infrastructure
- MongoDB Cluster: Used for database storage
- Redis: Used for data caching
Security and Form Protection
- Google reCAPTCHA: Used to protect forms from spam and abuse
- Cloudflare Turnstile: Used for form captcha protection
User Experience and Analytics
- Google Maps API: Used for auto-completing form fields to improve user experience
- ipinfo Service: Used to determine user country from IP address for analytics purposes
- react-circle-flags (npm package): Used for displaying country flags in the user interface
Integration Services
- monday.com: We work with your monday.com board data as per your usage of the app and how you use and design forms. We access and process board data, items, and columns necessary to create forms, process form submissions, and update your boards based on your form configurations and design choices
Cookies and Third-Party Tracking
These third-party services may store and use browser cookies, local storage, and other tracking technologies as per their requirements. Cookies are small text files stored on your device that help these services function properly and provide analytics.
Cookie Usage:
- Functional Cookies: Used by third-party services to provide core functionality (e.g., Google Maps, reCAPTCHA, Cloudflare Turnstile)
- Analytics Cookies: Used to collect usage statistics and improve service performance
- Security Cookies: Used for security and fraud prevention
Your Cookie Choices: You can control cookies through your browser settings. However, disabling certain cookies may affect the functionality of FormFlow features that depend on these third-party services.
Third-Party Privacy Policies: We recommend reviewing the privacy policies of our third-party service providers for detailed information about their cookie usage and data handling practices:
- Google Privacy Policy
- MongoDB Privacy Policy
- Cloudflare Privacy Policy
- ipinfo Privacy Policy
- monday.com Privacy Policy
Data Sharing and Protection
- No Sale: We do not sell your personal information
- Limited Sharing: We only share information necessary for service provision with the third-party services listed above
- Legal Disclosure: We may disclose information when required by law or to protect our legal rights
- Security: We implement appropriate security measures to protect your data when sharing with third-party services
Data Security
Security Measures
- Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). API communications use OAuth 2.0 authentication
- Infrastructure: Hosted on Google Cloud Platform (GCP) in EU regions with enterprise-grade security, network protection, and DDoS mitigation
- Database: MongoDB Cluster provides encryption, access controls, regular security updates, and automated encrypted backups
- Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and principle of least privilege. All access is logged and monitored
- Monitoring: Continuous security monitoring, intrusion detection, and regular security assessments
- Incident Response: Comprehensive incident response plan with notification procedures for affected users and authorities as required by law
- Updates: Regular security updates, patches, and vulnerability assessments
- Continuous Improvement: We are actively working to improve our security standards. While we do not currently hold official security certifications, we continuously enhance our security measures and implement industry best practices
Your Responsibilities
- Account Security: Maintain the security of your monday.com account credentials. Use strong, unique passwords and enable multi-factor authentication when available
- Data Accuracy: Ensure the accuracy of information you provide to us
- Access Control: Manage permissions within your monday.com workspace appropriately. Only grant access to FormFlow to users who need it
- Reporting Security Issues: If you discover a security vulnerability or suspect unauthorized access, please contact us immediately at formflow@baruzotech.com
Data Retention
Retention Periods
- Form Data: Retained as long as your account is active
- Usage Data: Retained for service improvement and analytics
- Support Data: Retained for customer support purposes
- Legal Requirements: Retained as required by applicable laws
App Uninstallation and Reinstallation
- OAuth Tokens: Deleted immediately upon app uninstallation for security
- Metadata: Only minimal metadata (userID and accountId, no personal information) is retained to restore your data if you reinstall
- Data Retention: Your data (forms and analytics) is retained after uninstallation unless you request deletion. By using FormFlow, you provide express consent to retain data beyond the standard 10-day period for seamless restoration, as permitted by monday.com’s developer terms
- Reinstallation: You’ll be asked to reauthorize (OAuth). After reauthorization, you regain access to all your previous forms and data
Data Deletion
- Request Deletion: Contact formflow@baruzotech.com to request deletion of all your data, including forms, submissions, analytics, and metadata. We’ll verify your identity and delete within 30 days
- Account Closure: All data is permanently deleted when you close your account (typically within 30 days)
- What Gets Deleted: All form data, submissions, metadata, analytics, configuration, and OAuth tokens. Backup data is removed according to retention policies (typically up to 90 days)
- Retention Exceptions: Some data may be retained if required by law, for legal proceedings, or security purposes (anonymized/aggregated)
- Your Rights: You can request deletion, withdraw consent, object to processing, or restrict processing at any time
Your Rights
You have the right to access, correct, delete, or transfer your personal data, as well as object to or restrict certain processing. You can also withdraw consent at any time. To exercise these rights, contact us at formflow@baruzotech.com. For details on data deletion, see the Data Deletion section above.
Data Storage and Processing
Storage Infrastructure
- Hosting: Google Cloud Platform (GCP) in EU regions (Belgium). All infrastructure is located within the European Union
- Database: MongoDB Cluster with EU-based servers, automatic backups, encryption, and high availability
- Caching: Redis for data caching to improve performance
- Data Types: Form configurations, submissions, minimal metadata (userID and accountId), analytics, OAuth tokens (deleted on uninstall), and app settings
- Backups: Daily encrypted backups stored in separate EU locations with point-in-time recovery
Geographic Location
- All Data in EU: All data storage and processing occurs exclusively within EU regions. We do not transfer data outside the European Union
- Data Sovereignty: All data remains within EU jurisdiction and is subject to EU data protection laws
- Processing: Form submissions, data synchronization, analytics (aggregated/anonymized), and authentication all occur within EU data centers
Children’s Privacy
FormFlow is not intended for use by children under 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will take steps to delete it.
Changes to This Policy
Policy Updates
- Notification: We will notify you of significant changes
- Review: We encourage you to review this policy periodically
- Effective Date: Changes will be effective as of the date specified
Continued Use
Your continued use of FormFlow after changes to this policy constitutes acceptance of the updated terms.
Contact Information
For questions about this Privacy Policy, data protection inquiries, or to exercise your rights, contact us:
- Email: formflow@baruzotech.com
Compliance
Applicable Laws
We are actively working towards full compliance with:
- GDPR: General Data Protection Regulation (EU)
- EU Data Protection Laws: All applicable European Union data protection regulations
- Belgian Data Protection Law: Belgian national data protection requirements
Compliance Status
- Data Subject Rights: We support GDPR rights (access, rectification, erasure, portability). Contact formflow@baruzotech.com to exercise these rights
- Data Breach Notification: Procedures in place for timely notification to affected users and authorities as required by law
- Ongoing Improvement: We continuously improve our security standards, data protection practices, and compliance procedures. While we do not currently hold official security certifications, we maintain high security standards through regular assessments and best practices
- Regulatory Cooperation: We cooperate with EU regulatory authorities and comply with lawful requests from European data protection authorities