Privacy Policy

Last updated: June 26, 2026

⚠ Draft template — review with legal counsel and fill the [bracketed] details before relying on this. Not legal advice.

This Privacy Policy explains what information ApiForm collects, how we use it, and your choices. It applies to our website, dashboard, and API.

1. Information we collect

Account data — name, email, and authentication credentials.
Billing data — plan, subscription, and usage counts. Card details are handled by our payment processor; we do not store card numbers.
Customer Content — the templates, JSON data, and PDFs you submit or generate. We store generated output and uploaded source files to operate the Service.
Provenance metadata — for each render we store SHA-256 hashes of the data, template, and output (not the data itself) to support the audit/verify feature.
Usage & technical data — API request metadata, timestamps, and logs needed to run, secure, and meter the Service.

2. How we use information

To provide and improve the Service; authenticate accounts; meter and bill usage; secure the platform and prevent abuse; provide support; and comply with legal obligations. We do not sell personal information.

3. Sub-processors

We share data with service providers strictly to operate the Service, including: our cloud hosting and object-storage provider; our payment processor (Stripe) for billing; and, only when you enable AI-assisted field suggestions, our AI provider (Anthropic) for the page image you submit. A current sub-processor list is available on request.

4. Data retention

Account and billing records are retained while your account is active and as required by law. Generated PDFs, uploaded source files, and render artifacts are retained to provide the Service and may be deleted after a defined retention window or on request. Provenance hashes may be retained for the audit trail.

5. Security

We use encryption in transit, scoped API keys, access controls, request rate limiting, and server-side request filtering to protect against internal-network access. Output can be digitally signed and is hashed for tamper-evidence. No method is perfectly secure, but we work to protect your data.

6. Your rights

Depending on your location, you may have rights to access, correct, export, or delete your personal information, and to object to or restrict certain processing. To exercise these rights, contact us at legal@apiform.io. If you are an end customer of one of our customers, please contact that customer directly.

7. Cookies

We use a strictly necessary session cookie to keep you signed in to the dashboard. We do not use third-party advertising cookies.

8. International transfers

We may process information in countries other than your own. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for cross-border transfers.

9. Children

The Service is not directed to children under 16, and we do not knowingly collect their personal information.

10. Changes & contact

We may update this policy; the latest version is always posted here. Questions or requests: legal@apiform.io.