Privacy Policy
Last updated: May 1, 2026
Instaform is operated by TDI d.o.o., a company registered in Croatia and based in Rijeka, Croatia. For the purposes of the EU General Data Protection Regulation, TDI d.o.o. is the data controller for personal information collected through this website and our services.
This Privacy Policy governs the manner in which Instaform collects, uses, maintains, and discloses information collected from users of our website and services.
Data We Collect
Form Submissions
- All data submitted through forms you create, including text, files, and attachments
- IP addresses of form submitters
- Browser/device information
- Submission timestamps
Account Information
- Registration data (name, email, password)
- Billing information
- Communication preferences
Analytics
- Page views and interactions
- Feature usage patterns
- Error reports
How We Use Your Data
- To provide and improve our services
- To send transactional emails (submission notifications)
- To detect and prevent abuse
- To comply with legal obligations
- To communicate important service updates
Legal Basis for Processing (GDPR Art. 6)
We process your personal data on the following legal bases:
- Contract performance (Art. 6(1)(b)): To provide and operate the Instaform service, including form creation, submission storage, account management, and billing.
- Legitimate interest (Art. 6(1)(f)): For product analytics, security and fraud prevention, error monitoring, and improving the service. Where these activities involve cookies or device storage, we obtain consent first.
- Consent (Art. 6(1)(a)): For non-essential cookies, marketing emails, and analytics tools such as Mixpanel and Google Analytics 4. You can withdraw consent at any time without affecting prior processing.
- Legal obligation (Art. 6(1)(c)): Where we are required to retain or disclose information to comply with applicable law (e.g., tax records, valid law-enforcement requests).
Data Security
We implement comprehensive security measures:
- All data encrypted in transit using TLS 1.2 or higher
- Sensitive data encrypted at rest
- Regular security audits and vulnerability assessments
- Access controls and monitoring systems
- Secure data centers with physical security measures
- Regular backups with secure storage
Data Breach Notification
In the event of a personal data breach that affects your information, we will notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, in accordance with GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly and without undue delay (Article 34). Our notification will describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures we have taken or propose to take to address it. For users covered by California law, equivalent breach notifications are provided in accordance with applicable state law (including Cal. Civ. Code § 1798.82).
Your Rights
You have the following rights regarding your data:
- Export your data at any time through your account settings — this satisfies both your right to data portability (GDPR Art. 20) and your right of access (Art. 15)
- Delete your account and all associated data upon request
- Opt out of marketing communications via the unsubscribe link in any marketing email
- Correct inaccurate personal information
- Object to processing of your data in certain circumstances (you can also opt out of analytics on the Do Not Sell page)
Categories of Personal Information Collected (CCPA / CPRA)
California residents have the right to know which categories of personal information we collect. Over the past 12 months we have collected the following categories:
- Identifiers (Cal. Civ. Code § 1798.140(v)(1)(A)): name, email address, IP address, account ID, device identifiers.
- Customer records (Cal. Civ. Code § 1798.80(e)): billing name, billing address, phone number, payment information processed by Stripe.
- Commercial information (Cal. Civ. Code § 1798.140(v)(1)(D)): subscription history, plan tier, purchase records.
- Internet or other electronic network activity (Cal. Civ. Code § 1798.140(v)(1)(F)): pages visited, features used, error reports, session metadata.
- Geolocation data (Cal. Civ. Code § 1798.140(v)(1)(G)): coarse IP-based geolocation; we do not collect precise GPS data.
- Inferences drawn from the above (Cal. Civ. Code § 1798.140(v)(1)(K)): usage patterns aggregated for product analytics.
We do not collect protected classification characteristics, biometric data, sensory data, or non-public education information. Note: data submitted through forms you create or receive is controlled by the form owner — Instaform acts as a processor, not a controller, of that data.
Data Retention
- Account data: Retained while your account is active
- Form submissions: Retained according to your account settings
- Deleted accounts: All data permanently removed within 30 days
- Inactive accounts: May be archived after 12 months of inactivity
Cookies
Our site uses cookies to enhance user experience. Cookies are small files placed on your device for record-keeping purposes. You may choose to set your web browser to refuse cookies, though some parts of the site may not function properly without them.
Third-Party Services
We use third-party services for analytics, payment processing, and email delivery. These services have their own privacy policies governing their use of your data.
International Data Transfers
Instaform is operated from the European Union (Croatia). Some of our subprocessors are based outside the European Economic Area (EEA), primarily in the United States — including Stripe, Mixpanel, Google Analytics 4, and Sentry. When we transfer your personal data to these subprocessors, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework (DPF). For UK users we apply the UK International Data Transfer Addendum (IDTA). See our subprocessor list for details on each provider's region and safeguards.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify account holders by email at the address associated with the account at least 14 days before the changes take effect. The 'Last updated' date at the top of this page reflects the most recent change.
Contact Us
If you have any questions about this Privacy Policy, please contact us at [email protected]