Privacy Policy

a. Forminit Users

Payments are processed by Stripe using Stripe Checkout. We do not receive or store your full card number or security code.

b. Forminit Respondents

When you complete a Forminit form hosted by us, we collect information on behalf of and under the instructions of the Forminit User (the person or organisation that created the form).

We collect and store the answers you submit to Forminit forms.

The Forminit User is the controller of this data and manages it. They may also provide their own privacy notice.

If you have questions about the form or how your data is used, please contact the form owner (the Forminit User) directly. Forminit is not responsible for the form's content.

Forminit's role as Data Processor (Respondents' data)

When Forminit processes Respondents' data on a User's behalf, the User who created the form acts as the Data Controller, and Forminit acts as the Data Processor for that Respondents' data.

In this capacity, Forminit (as Data Processor) undertakes to comply with its obligations under the Data Processing Agreement and applicable data protection laws (including the UK GDPR/GDPR) when processing Respondents' data on the Data Controller's instructions.

For the processing of Respondents' data on behalf of the Data Controller, the Data Processor undertakes to fulfill the following obligations:

• 1. Implement appropriate technical and organisational measures to protect the data.
• 2. Ensure confidentiality and restrict access to authorised personnel and approved Subprocessors.
• 3. Assist the Data Controller with data subject requests, security incident notifications, and DPIAs where required.
• 4. Delete or return Respondents' data at the end of the provision of services, and delete existing copies, subject to legal retention requirements.
• 5. Maintain records and enable appropriate audits/assessments consistent with the DPA.
• 6. Process personal data solely to deliver the contracted Services and only on the documented, written instructions of the Data Controller. If a legal obligation requires additional processing, we will inform the Data Controller before processing (unless the law prohibits notice on public-interest grounds).
• 7. Keep all personal data confidential during and after the engagement, and ensure all personnel with access are bound in writing by confidentiality obligations.
• 8. Taking into account technology, implementation costs, and the nature, scope, context and purposes of processing as well as the risks to individuals implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, where relevant:

• pseudonymisation and encryption of personal data;
• the ability to ensure ongoing confidentiality, integrity, availability and resilience of systems and services;
• the ability to restore availability and access to personal data promptly following a physical or technical incident;
• regular testing, assessment and evaluation of the effectiveness of security measures.

• 9. Keep personal data under our control and custody and do not disclose, transfer or otherwise communicate it to anyone unrelated to delivery of the Services under this Agreement (including for storage), unless instructed or permitted in writing by the Data Controller or required by law.
• 10. Engage another processor ("Sub-processor") only with the Data Controller's prior, written authorisation. We will provide the Data Controller with the Sub-processor's identity (legal name and tax ID) and the services to be subcontracted at least one (1) month in advance, and notify any intended additions or replacements so the Data Controller has the opportunity to object.
• 11. Flow down to every authorised Sub-processor all obligations imposed on Forminit by this Agreement, and obtain sufficient guarantees that they will implement appropriate technical and organisational measures to ensure processing in compliance with applicable data protection law.
• 12. Permit access to personal data by natural persons engaged by the Data Processor within our organisational framework (including non-employee contractors) and by companies/professionals providing internal services (e.g., IT, consulting, audits), provided such access is necessary to deliver those services and is not used to subcontract all or a material part of the Services to a third party without authorisation.
• 13. At the Data Controller's choice, return or delete all personal data processed on their behalf when the Services end, and delete existing copies, unless retention is required by law. (Personnel may access Users' and Respondents' data only insofar as necessary to discharge their contractual duties.)
• 14. Notify the Data Controller without undue delay upon becoming aware of a personal data breach, and provide reasonable assistance with any notifications to the UK Information Commissioner's Office (ICO) or other competent supervisory authority, and where required affected individuals. Provide reasonable assistance with data protection impact assessments (DPIAs) and any prior consultations with the ICO, and support the Data Controller in responding to data subject rights requests.
• 15. Keep a written record of all categories of processing activities carried out on the Data Controller's behalf.
• 16. Co-operate with the UK Information Commissioner's Office (ICO) or any other competent supervisory authority upon request.
• 17. Make available to the Data Controller all information necessary to demonstrate compliance with this Agreement and applicable data protection law, and allow for and contribute to audits and inspections by the Data Controller or its authorised third-party auditor.
• 18. If the Data Processor or any authorised Sub-processor determines the purposes and means of processing in breach of this Agreement or applicable law, they will be responsible for that processing.
• 19. Where a Sub-processor is located in a country without data protection laws equivalent to those of the UK/EU ("Third Country"), the Data Processor will implement all safeguards required under UK/EU data protection law (e.g., Standard Contractual Clauses and appropriate supplementary measures) for data transfers, and will promptly inform the Data Controller of those safeguards upon request.