← Back to home

Privacy policy

Last updated: February 2026

SubmitFlow (“we”, “the service”) is committed to protecting users’ privacy. This policy describes what data we collect, how we use it, and your rights.

1. Data controller

The controller of your personal data is the operator of the SubmitFlow service (the owner of the domain and application you use to access the dashboard and submit forms). If the service is hosted by a third party, the controller’s identity may be stated on the contact page or in the terms of service.

2. Data we collect

• Account: email, first name, last name, and password (stored securely using hashing). Optionally, forward email address on paid plans.
• Dashboard use: login data (token, recent use) to maintain your session and improve security.
• Form submissions: data that visitors submit through your forms (fields you define: email, name, message, etc.) is stored in our system and shown in your inbox. On paid plans you can enable forwarding to an email; in that case, content is also sent by email.
• Technical metadata: IP address, headers, and user-agent of form submissions for abuse prevention and, on paid plans, for basic statistics (e.g. country).

3. Purpose of processing

We use your data to: (a) create and manage your account; (b) show you submissions received in your forms and provide dashboard features (filters, export, analytics on paid plans); (c) send you verification emails and, if configured, forward submissions to your email; (d) comply with legal obligations and address incidents or abuse.

4. Legal basis

Processing is based on performance of the contract (form and dashboard service), your consent when given (e.g. notifications), and, where applicable, the controller’s legitimate interest (security, service improvement, aggregated analytics).

5. Retention

We keep your account data while your account is active. Form submissions on the free plan are automatically deleted after 30 days. On paid plans retention may be longer depending on service configuration. Logs and technical metadata are kept as long as needed for security and support.

6. Recipients and transfers

Data is processed on the servers where SubmitFlow is hosted (and, if used, the database provider indicated in the service documentation). We do not sell or share your data with third parties for commercial purposes. Where we use providers (e.g. email or storage), they act as processors under the controller’s instructions.

7. Your rights

You may access, rectify, and delete your personal data, object to or restrict certain processing, and request portability by contacting the controller (e.g. via the service’s contact email or form). You have the right to lodge a complaint with a supervisory authority.

8. Cookies and similar technologies

The service may use cookies or local storage strictly necessary for session and security (e.g. authentication token). We do not use advertising or tracking cookies.

9. Changes

Any material change to this policy will be communicated by updating this page and, when appropriate, by email or notice in the dashboard. We recommend reviewing it periodically.

For privacy questions, contact the service controller through the means indicated on the website or in the dashboard.