Privacy Policy

1. Data We Collect

Account data

When you create a Submitly account we collect your name, email address, and a hashed password. We do not store plain-text passwords.

Form submission data

When a visitor submits a form that points to your Submitly endpoint, we store the raw field values exactly as received. This data belongs to you (our customer). We also record metadata for each submission: the submitter's IP address, the HTTP Referer header, the User-Agent string, and the submission timestamp.

Notification configuration

If you configure email or SMS notifications, we store the destination email address or phone number. We do not store the content of notification messages after they are delivered.

2. How We Use Your Data

• To authenticate you and keep your session secure.
• To display form submissions in your dashboard.
• To send email notifications via Resend and SMS notifications via Twilio when you have configured those alerts.
• To detect and suppress spam using the built-in honeypot mechanism.
• To operate, maintain, and improve the service.

We do not sell, rent, or trade your data or your end-users' submission data to any third party.

3. Data Storage and Security

All data is stored in Cloudflare D1 (SQLite), hosted on Cloudflare's global infrastructure. Data is encrypted at rest and in transit (TLS).

We apply the principle of least privilege internally: only the components that need access to a piece of data can read it. Your account data and your form data are scoped strictly to your user ID.

4. Data Retention

• Account data — retained for as long as your account is active.
• Form submissions — retained until you delete the individual submission or the endpoint it belongs to.
• Notification settings — retained until you remove them in your endpoint settings.
• Account deletion — when you delete your account, all associated forms, submissions, and notification configurations are permanently removed within 30 days.

5. Cookies and Sessions

We use a single HTTP-only, secure session cookie to keep you signed in. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

6. Third-Party Services

Submitly relies on the following sub-processors to deliver the service:

7. Your Responsibilities as a Customer

Because Submitly accepts and stores whatever fields your visitors submit, you are responsible for:

• Informing your website visitors that their form data is processed by Submitly as a sub-processor.
• Ensuring you have a lawful basis for collecting the personal data your forms request (e.g. consent, legitimate interest).
• Responding to any data subject access or deletion requests that relate to data your forms have collected.

8. Your Rights

Depending on your jurisdiction (including the EU/EEA under GDPR and California under CCPA), you may have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Request deletion of your account and associated data.
• Object to or restrict certain processing.
• Data portability — export your submissions from the dashboard at any time.

To exercise any of these rights, contact us at contact@submitly.io.

9. Children's Privacy

Submitly is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has submitted data through one of your forms, contact us and we will help you remove it.

10. Changes to This Policy

We may update this policy occasionally. We will notify registered users by email before material changes take effect. Continued use of Submitly after the effective date constitutes acceptance of the revised policy.

11. Contact

Questions about this policy? Reach us at contact@submitly.io.