Privacy Policy
Last updated: February 24, 2026
This Privacy Policy describes how Synergistic ("we", "us", "our") collects, uses, and protects information through inForm, our form submission backend service.
1. Two Types of Data
We handle two distinct categories of data:
- Account data — information about you as an inForm user (dashboard users who sign in and manage forms)
- Submission data — information submitted by third parties through forms you create (your end users / form respondents)
2. Account Data We Collect
When you sign in with Google, we receive and store:
- Email address — from your Google account, used to identify your profile
- Full name — from your Google profile, used to name your initial organization
- Google user ID — used internally to link your authentication session
We also store data you create within the Service: organizations, forms, notification rules, API keys (hashed), and membership records.
3. Submission Data We Store
When someone submits a form through your inForm endpoint, we store:
- Form field data — all key-value pairs submitted in the request body (JSON, form-data, or URL-encoded)
- IP address — of the person submitting the form
- User agent — browser/client information from the request headers
- Referrer URL — the page the submission originated from
- Timestamp — when the submission was received
- Spam status — whether the submission was flagged by honeypot detection
You control what fields your forms collect. We store whatever data is submitted. As the form operator, you are the data controller for this information.
4. How We Use Data
Account data
- Authenticate your sessions and manage access control
- Display your email in the dashboard and membership lists
- Match invite emails to incoming sign-ins
- Communicate with you about the Service if necessary
Submission data
- Store and display submissions in your dashboard
- Send email notifications to recipients you configure
- Send submitter confirmation emails when you enable them
- Evaluate spam status via honeypot field detection
We do not use submission data for analytics, advertising, model training, or any purpose other than providing the Service to you.
5. Email & Notifications
When you configure notification rules, the Service sends emails through our email provider, Resend. These emails may contain submission data (field values, metadata). Admin notification emails are sent to addresses you specify. Submitter confirmation emails are sent to the email address included in the form submission.
6. Third-Party Services
| Service | Purpose | Data shared |
|---|---|---|
| Google OAuth | Authentication | Email, name, user ID (received from Google) |
| Supabase | Database & authentication infrastructure | All account and submission data (hosted) |
| Resend | Email delivery | Recipient addresses, email content (submission data in notifications) |
7. Data Retention
- Submissions — stored until you delete them individually or delete the form/organization
- Account data — stored as long as your account exists
- API keys — hashed keys stored until you delete them; raw keys are never stored
- Invites — deleted automatically when accepted or cancelled
When you delete an organization, all associated data (forms, submissions, API keys, notification rules, memberships, and invites) is permanently deleted via cascading database deletion.
8. Data Security
- All traffic is encrypted in transit via HTTPS
- API keys are stored as bcrypt hashes — we cannot view or recover your raw keys
- Row-level security policies ensure users can only access data belonging to their organizations
- The admin service key is used only server-side for provisioning and is never exposed to the client
9. Your Rights
As an inForm user, you can:
- Access — view all your data through the dashboard
- Delete — delete individual submissions, forms, API keys, or your entire organization
- Export — view submission data in the dashboard (bulk export coming soon)
- Leave — leave any organization you are a member of (non-owners)
If you are located in the EU/EEA or California, you may have additional rights under GDPR or CCPA. Contact us to exercise these rights.
10. Form Respondent Rights
People who submit data through your forms should direct privacy requests to you, the form operator. You are responsible for handling data subject requests (access, deletion, correction) for submission data. We will assist you in fulfilling these requests upon written request.
11. Cookies
We use the following cookies:
- Supabase session cookies — required for authentication (HttpOnly, secure)
- active_org_id — stores your currently selected organization (HttpOnly, secure)
We do not use analytics cookies, advertising cookies, or third-party tracking.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will update the "Last updated" date at the top. Material changes will be communicated through the Service or via email.
13. Contact
For privacy questions or data requests, contact us at hello@synergistic.io.