Privacy Policy
Last updated: 22 March 2026
1. Data Controller
FormGuard is operated by a Romanian PFA (Persoana Fizica Autorizata) registered in Romania. For all matters related to data protection, you may contact us at pixeyo@gmail.com.
As the data controller, we determine the purposes and means of processing personal data collected through the FormGuard platform, in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. Data We Collect
We collect and process the following categories of personal data:
Account Data
When you create an account, we collect your email address and password (stored in hashed form). This data is necessary for the performance of our contract with you (Art. 6(1)(b) GDPR).
Form Data
When you create forms using FormGuard, we store the form structure, field configurations, and settings you define. This data is processed on the basis of our contractual obligation to provide the service (Art. 6(1)(b) GDPR).
Submission Data
When respondents fill out your forms, we store the submitted data on your behalf. In this capacity, you act as the data controller for the submission data and we act as the data processor. The legal basis for this processing is determined by you as the form creator.
3. Where Your Data Is Stored
All data is stored exclusively within the European Union. Our servers are located in Frankfurt, Germany, hosted by Hostinger (UAB Hostinger, registered in Lithuania). Your data never leaves EU infrastructure and is never transmitted to any US-based service or any jurisdiction outside the European Economic Area.
All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher.
4. Data Retention
We retain your account data for as long as your account is active. If you delete your account, all associated data — including your forms and their submissions — will be permanently deleted within 30 days. Submission data is retained for as long as the associated form exists, unless you delete it earlier. Backups containing deleted data are purged within 90 days.
5. Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR:
- Right of access (Art. 15) — You may request a copy of all personal data we hold about you.
- Right to rectification (Art. 16) — You may request correction of inaccurate personal data.
- Right to erasure (Art. 17) — You may request deletion of your personal data. You can delete your account and all associated data at any time from your dashboard.
- Right to data portability (Art. 20) — You may request your data in a structured, commonly used, and machine-readable format (CSV or JSON).
- Right to restriction of processing (Art. 18) — You may request that we restrict the processing of your personal data under certain circumstances.
- Right to object (Art. 21) — You may object to the processing of your personal data where we rely on legitimate interests.
- Right to lodge a complaint — You have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) or with any supervisory authority in your EU member state.
To exercise any of these rights, contact us at pixeyo@gmail.com. We will respond within 30 days.
6. Cookies
FormGuard does not use tracking cookies, advertising cookies, or any third-party analytics cookies. We only use strictly necessary cookies required for authentication and session management. These cookies are essential for the functioning of the service and do not require consent under the ePrivacy Directive.
7. Third-Party Analytics
We do not use any third-party analytics services such as Google Analytics. If we implement analytics in the future, we will use a self-hosted, privacy-respecting solution that does not transfer data outside the EU and does not use cookies.
8. Subprocessors
We use the following subprocessors to deliver our service:
| Subprocessor | Location | Purpose |
|---|---|---|
| Hostinger (UAB Hostinger) | Lithuania, EU | Infrastructure and hosting (servers in Frankfurt, Germany) |
| Stripe | EU (Stripe Payments Europe, Ltd., Ireland) | Payment processing for paid subscriptions |
All subprocessors are contractually bound to process data in compliance with the GDPR. We will update this list if we add new subprocessors and will notify affected users in advance.
9. Data Processing Agreement (DPA)
For customers on our Business plan, we provide a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR. The DPA covers the processing of form submission data where you are the data controller and FormGuard acts as the data processor. To request a DPA, contact us at pixeyo@gmail.com.
10. Data Security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of data at rest (AES-256) and in transit (TLS), regular security assessments, access controls, and secure development practices. In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours and affected data subjects without undue delay, as required by Articles 33 and 34 of the GDPR.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by placing a prominent notice on our website. The "Last updated" date at the top of this page indicates when this policy was last revised.
12. Contact
If you have any questions about this Privacy Policy or our data practices, please contact us at: pixeyo@gmail.com.