Privacy Policy

This policy explains what data JustForms collects, why, and your rights over it. Plain English. No tracking jargon.

1. Who we are

JustForms is operated by MacNetwork / JustWeb. Contact: hello@justforms.io.

2. What we collect

From you (the account holder):

• Email address (required for login + receipts)
• Password (PBKDF2-hashed, never stored in plain text)
• Display name (optional)
• Stripe customer ID + subscription ID (no card data — Stripe handles that)
• IP address hash (SHA-256) for rate limiting + audit only
• Account activity timestamps

From form submissions on your site (your customers' data, processed on your behalf):

• Whatever the form's name fields contain (name, email, message, etc.)
• Submitter's IP address hash (never raw IP)
• User-Agent, Referer, and UTM parameters from the URL
• Country (from Cloudflare edge headers, ISO code only)
• File attachments if your form accepts them

3. Why we collect it

• Email + password — sign in, password reset, billing receipts
• Submission data — to deliver to your inbox, log in your dashboard, fire your webhooks
• IP hash — block abuse and spam; never linked back to identity
• UTM data — to help you measure attribution; we don't aggregate or sell it

4. Sub-processors

We use these third parties:

• Cloudflare — Workers, D1, R2, Turnstile (compute + storage + DDoS protection)
• Resend — email delivery
• Stripe — payment processing

All three are SOC 2 / ISO 27001 certified. Their privacy policies apply to data they receive.

5. Where data lives

Data is stored on Cloudflare's global edge network. Primary D1 region is auto-selected by Cloudflare based on first-write location. R2 buckets are auto-distributed.

6. How long we keep it

• Free plan — 30 days of submission history
• Starter — 1 year
• Pro / Business — Forever (until you delete or close account)
• Account email + auth records — until you delete your account
• Billing records — 7 years (legal requirement)
• IP hashes — 90 days for active rate-limit windows; deleted thereafter

7. Your rights (GDPR / CCPA)

• Access — download all your data via GET /api/v1/me/export or by emailing us
• Correction — edit your profile in Settings
• Deletion — delete account in Settings → hard-deleted 30 days later
• Portability — CSV export of submissions from the dashboard
• Object — opt out of any non-essential processing by emailing us

8. Cookies

The marketing site uses zero tracking cookies. The dashboard uses one cookie — jf_session — strictly necessary for authentication. No third-party analytics, no advertising trackers.

9. Children

JustForms is not designed for under-16s. Don't sign up if you're under 16.

10. Changes

We'll email account holders at least 30 days before any material change.

11. Contact

Privacy questions, data requests, or DPA requests: privacy@justforms.io.