Privacy Policy

Last updated: 31 March 2025

1. Introduction

BiteForm (“we”, “us”, or “our”) operates the BiteForm platform at biteform.com (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard personal information. This policy applies directly to visitors of our website and registered users of the Service. For individuals whose data is submitted through forms created by our users, this policy describes BiteForm's role as a data processor; the relevant account holder's own privacy notice may also apply.

We are committed to protecting your privacy and complying with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the California Consumer Privacy Act (CCPA), and other relevant US state and federal privacy regulations.

2. Data Controller and Data Processor

For the purposes of data protection law, BiteForm is the data controller for personal data collected from our registered users (account holders), such as your account details, brand settings, and usage data.

When you create forms and collect data from your own clients, you act as the data controller for that client data. BiteForm acts as a data processor on your behalf. This means:

  • We process form submission data on the account holder's instructions and as necessary to provide, secure, maintain, and support the Service
  • We may also process such data where required by applicable law
  • We do not sell form submission data or use it for our own marketing, profiling, or commercial exploitation
  • You are responsible for ensuring you have a lawful basis to collect your clients' data

Our Data Processing Agreement, available at biteform.com/dpa, sets out the detailed terms on which we process personal data on your behalf as a data processor.

If you have questions about this policy or wish to make a data protection request, please contact us at support@biteform.com.

3. Information We Collect

3.1 Account Information

When you register for a BiteForm account, we collect:

  • Name and email address (via our authentication provider, Clerk)
  • Company or business name
  • Brand settings (logo, brand colour, website URL, phone number, address)
  • Reply-to email address for form communications

3.2 Payment Information

We use Stripe to process payments. We do not store your full credit or debit card details on our servers. Stripe handles all payment data in accordance with PCI DSS standards. We retain your Stripe customer ID, subscription status, and billing history.

3.3 Form Submission Data

When end users (your clients) complete forms created through BiteForm, the data they submit is stored on our platform. This may include personal information such as names, contact details, addresses, and any other information requested by the form creator. File uploads submitted through forms are stored using Supabase Storage.

As outlined in Section 2, we process this data on your behalf as a data processor and do not use it for our own marketing or commercial purposes.

3.4 Usage and Technical Data

We automatically collect certain technical information, including:

  • IP address and approximate location
  • Browser type and version
  • Device type and operating system
  • Pages visited and features used
  • Dates and times of access

3.5 Email Engagement Data

When emails are sent through the Service (form invitations, reminders, etc.), we track delivery status, opens, clicks, and bounces. This data is used to provide the Service, including email activity reporting and deliverability monitoring. Our legal basis for this tracking is performance of the contract (providing you with the email features you use) and, where applicable, our legitimate interest in maintaining email quality and preventing abuse. If you send emails to your own clients through the Service, you are responsible for ensuring your use of engagement data complies with applicable laws in your jurisdiction.

3.6 Cookies

We use only essential cookies that are strictly necessary for the Service to function. These include:

  • Authentication session cookies set by our provider (Clerk) to keep you securely signed in
  • Preference cookies to remember your settings within the application

We do not use advertising, marketing, or third-party tracking cookies. You can manage cookies through your browser settings, though disabling essential cookies may prevent you from using the Service.

3.7 Analytics

We do not use third-party analytics or tracking tools. Any usage data we collect (as described in Section 3.4) is gathered through our own application logs for the purposes of operating, securing, and improving the Service.

4. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the BiteForm Service
  • Process your account registration and manage your subscription
  • Send transactional emails on your behalf (form invitations, reminders, submission notifications)
  • Process payments and manage billing
  • Provide customer support
  • Send service-related communications (trial warnings, account notifications)
  • Monitor and prevent abuse, fraud, and security threats
  • Improve and develop new features for the Service
  • Comply with legal obligations

5. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, our legal bases for processing your personal data are:

  • Performance of a contract — Processing necessary to provide the Service you have subscribed to, including account management, form hosting, email delivery, and payment processing.
  • Legitimate interests — Processing for our legitimate business interests, such as improving the Service, email engagement tracking, preventing fraud, and ensuring security, where those interests are not overridden by your rights.
  • Legal obligation — Processing necessary to comply with applicable laws and regulations.
  • Consent — Where we rely on your consent, you have the right to withdraw it at any time by contacting us.

6. Third-Party Service Providers (Subprocessors)

We share your data with the following third-party processors (subprocessors) to deliver the Service:

Provider | Purpose | Data Shared
Clerk | Authentication and user management | Name, email, session data
Stripe | Payment processing and subscription management | Email, payment method, billing history
Postmark | Transactional email delivery | Recipient email addresses, email content
Supabase | File storage for form uploads | Uploaded files and associated metadata
PostgreSQL (hosted) | Primary database | All Service data

Each provider processes data in accordance with their own privacy policies and applicable data protection agreements. We may update or replace subprocessors from time to time as needed to operate the Service. When we do, we ensure appropriate safeguards and data protection agreements are in place with any new provider.

7. International Data Transfers

Our Service and some of our third-party providers operate in the United States and other countries outside the UK and EEA. If you are located in the UK or EEA, your data may be transferred to, stored, and processed in countries that may not offer the same level of data protection as your home country.

For transfers from the UK, we rely on appropriate safeguards including the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable.

For transfers from the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms.

These safeguards ensure your data is protected to a standard consistent with UK GDPR and EU GDPR regardless of where it is processed.

8. Data Retention

We retain your personal data for as long as necessary to provide the Service and fulfil the purposes described in this policy:

  • Account data — Retained while your account is active and for 30 days after deletion to allow recovery.
  • Form submissions and uploads — Retained for as long as the account holder requires them. We do not retain this data indefinitely; it is removed when the account holder deletes it or when the account is permanently closed.
  • Email activity logs — Retained for as long as reasonably necessary for reporting, deliverability monitoring, abuse prevention, and legal compliance, and removed when the associated account is permanently deleted.
  • Payment records — Retained as required by tax and financial regulations (typically 7 years).
  • Usage logs — Retained for up to 12 months for security and analysis purposes.

When an account is deleted, we permanently remove the associated data after a 30-day grace period, including customers, form templates, submissions, uploaded files, and email records. We may also delete or anonymise data following prolonged account inactivity, in line with our retention practices.

9. Data Security and Breach Notification

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encrypted data transmission (TLS/SSL)
  • Secure authentication via Clerk with session management
  • Role-based access controls within the platform
  • Webhook signature verification for third-party integrations
  • Email rate limiting and abuse detection
  • Regular security reviews

While we strive to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify affected users and the relevant supervisory authority in accordance with our obligations under applicable data protection law.

10. Your Rights

10.1 Rights Under GDPR (EEA & UK)

If you are located in the EEA or UK, you have the following rights:

  • Right of access — Request a copy of the personal data we hold about you.
  • Right to rectification — Request correction of inaccurate or incomplete data.
  • Right to erasure — Request deletion of your personal data in certain circumstances.
  • Right to restrict processing — Request that we limit how we use your data.
  • Right to data portability — Receive your data in a structured, machine-readable format.
  • Right to object — Object to processing based on legitimate interests.
  • Right to withdraw consent — Where processing is based on consent, withdraw it at any time.

You also have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK or your national data protection authority in the EU).

10.2 Rights Under CCPA (California)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose.
  • Request deletion of your personal information.
  • Opt out of the sale of your personal information. We do not sell personal information.
  • Non-discrimination for exercising your privacy rights.

10.3 Exercising Your Rights

To exercise any of these rights, please contact us at support@biteform.com. We will respond within 30 days (or within the timeframe required by applicable law). We may ask you to verify your identity before fulfilling your request.

Where BiteForm acts as a data processor (for example, in relation to form submission data), rights requests from form respondents should be directed to the relevant account holder as the data controller. We will assist account holders in fulfilling such requests where reasonably required, but we may not be able to respond to data subject requests directly where we act only as a processor.

11. Children's Privacy

The Service is not intended for use by children. We do not knowingly collect personal data directly from children for our own purposes. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.

12. Data Protection Officer

We have not appointed a Data Protection Officer, as we are not required to do so under applicable law. For any privacy-related enquiries or data protection requests, please contact us at support@biteform.com.

13. Legal Disclosures

We may disclose personal data where we believe it is necessary to comply with applicable law or a lawful request from a public authority, to respond to valid legal process, or to protect the rights, property, safety, or security of BiteForm, our users, or the public.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify registered users of material changes via email or through a notice on the Service. The “Last updated” date at the top of this page indicates when the policy was last revised.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

BiteForm

Email: support@biteform.com

This is also our contact point for all privacy and data protection requests.