PRIVACY POLICY

Last updated July 06, 2025

This Privacy Notice for Formlink AI ('we', 'us', or 'our'), describes how and why we might access, collect, store, use, and/or share ('process') your personal information when you use our services ('Services'), including when you:

• Visit our website at https://formlink.ai/, or any website of ours that links to this Privacy Notice.
• Register for and use Formlink AI. Formlink AI lets you create forms effortlessly with AI.
• Integrate our Services with third-party services like Google Sheets.
• Engage with us in other related ways, including any sales, marketing, or events.

Formlink AI is currently operated as a service by individuals. We plan to register a formal entity, FORMLINK (OPC) PRIVATE LIMITED, in India. This Privacy Notice will be updated with the formal entity details upon successful registration.

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information (as a user of Formlink AI) is processed. If you do not agree with our policies and practices, please do not use our Services.

SUMMARY OF KEY POINTS

• What personal information do we process? When you register for and use our Services, we process your email address, display name, and profile picture (obtained via Google OAuth). We also process information related to your usage of the Services, such as forms you create and interactions with our AI features. We do not collect sensitive personal information for our own purposes, nor do we collect your location data.
• Do we process any sensitive personal information? We do not directly collect or process sensitive personal information (e.g., racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation) for providing the Formlink AI service. Users who create forms using our Services are responsible for any personal information, including sensitive information, they choose to collect through those forms and must do so in compliance with applicable laws.
• Do we collect any information from third parties? We collect your email, display name, and profile picture from Google when you choose to register or log in using Google OAuth.
• How do we process your information? We process your information to provide, improve, and administer our Services, enable AI-powered form creation, communicate with you (including for service updates, support, OTPs, and promotional offers), for security and fraud prevention, and to comply with law.
• In what situations and with which types of third parties do we share personal information? We share information with service providers who help us operate our Services, such as Supabase (authentication, database), OpenRouter (AI processing), Vercel (hosting), and Stripe (payment processing - planned). We also share information as required by law or in connection with business transfers.
• How do we keep your information safe? We rely on the robust security measures of our chosen service providers and implement appropriate technical and organizational measures to protect your personal information. However, no system is 100% secure.
• How long do we keep your information? We keep your personal information for as long as you have an account with us. Upon account deletion, all your personal data associated with your account is deleted immediately.
• What are your rights? Depending on your location, you may have rights such as access, correction, deletion, and portability of your personal information.
• How do you exercise your rights? You can exercise your rights by managing your account settings or by contacting us at privacy@formlink.ai.

TABLE OF CONTENTS

1. WHAT INFORMATION DO WE COLLECT?
2. HOW DO WE PROCESS YOUR INFORMATION?
3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?
4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
6. HOW DO WE HANDLE YOUR SOCIAL LOGINS?
7. HOW DO WE USE ARTIFICIAL INTELLIGENCE (AI)?
8. HOW LONG DO WE KEEP YOUR INFORMATION?
9. HOW DO WE KEEP YOUR INFORMATION SAFE?
10. DO WE COLLECT INFORMATION FROM MINORS?
11. WHAT ARE YOUR PRIVACY RIGHTS?
12. CONTROLS FOR DO-NOT-TRACK FEATURES
13. DATA CONTROLLER AND DATA PROCESSOR
14. SUBSCRIPTION AND BILLING
15. DO WE MAKE UPDATES TO THIS NOTICE?
16. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
17. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services (like creating forms), or otherwise when you contact us.

The personal information we collect includes:

• Account Information: When you register using Google OAuth, we collect your email address, display name, and profile picture.
• User Content: We collect the information you provide when you create forms, including the structure and content of those forms, and any input you provide to our AI features.

We do not collect sensitive personal information (such as race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation) for the operation of Formlink AI. If you, as a user, create forms that collect such sensitive information from your respondents, you are solely responsible for ensuring compliance with all applicable data protection laws for that collection.

Payment Data We plan to offer subscription services. If you subscribe, we will use a third-party payment processor (e.g., Stripe) to handle your payment. We will not store your full payment card details. The payment processor will collect data necessary to process your payment, such as your payment instrument number and security code. All payment data is handled and stored by our chosen payment processor. You may find their privacy notice link(s) on their website (e.g., Stripe: https://stripe.com/privacy).

Social Media Login Data We provide you with the option to register and log in using your existing Google account details (Google OAuth). If you choose to register or log in to our Services using Google OAuth, we will collect and store your email address, display name, and profile picture associated with your Google account. We use this information to create and manage your Formlink AI account.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Information automatically collected

Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

The information we automatically collect includes:

• Log and Usage Data: Service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services and which we record in log files. This log data may include your IP address, device information, browser type, and settings and information about your activity in the Services (such as the date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take such as which features you use).
• Device Data: Information about your computer, phone, tablet, or other device you use to access the Services. This device data may include information such as your IP address (or proxy server), device and application identification numbers, operating system, browser type, hardware model, Internet service provider and/or mobile carrier.
• We do not collect precise location data.

Information collected through integrations (e.g., Google Sheets) If you choose to integrate Formlink AI with third-party services like Google Sheets, we will access and process data from those services only as necessary to provide the integration features you enable. Our use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

2. HOW DO WE PROCESS YOUR INFORMATION?

We process your information for various purposes, depending on how you interact with our Services, including:

• To facilitate account creation and authentication and otherwise manage user accounts. We process your information so you can create and log in to your account, as well as keep your account in working order.
• To deliver and facilitate delivery of Services to the user. We process your information to provide you with the requested Services, including AI-powered form generation and management.
• To respond to user inquiries/offer support to users. We process your information to respond to your inquiries and solve any potential issues you might have with the requested service.
• To send administrative information to you. We may process your information to send you details about our products and services, changes to our terms and policies, and other similar information. This includes sending One-Time Passwords (OTPs) for actions like password resets.
• To fulfill and manage your orders and subscriptions. We may process your information to fulfill and manage your orders, payments, returns, and exchanges made through the Services.
• To request feedback. We may process your information when necessary to request feedback and to contact you about your use of our Services.
• To send you marketing and promotional communications. We may process the personal information you send to us for our marketing purposes, if this is in accordance with your marketing preferences. You can opt out of our marketing emails at any time.
• To protect our Services. We may process your information as part of our efforts to keep our Services safe and secure, including fraud monitoring and prevention.
• To identify usage trends. We may process information about how you use our Services to better understand how they are being used so we can improve them.
• To comply with our legal obligations. We may process your information to comply with our legal obligations, respond to legal requests, and exercise, establish, or defend our legal rights.

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?

We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law. This includes:

• Consent: We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. You can withdraw your consent at any time.
• Performance of a Contract: We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our Services or at your request prior to entering into a contract with you.
• Legitimate Interests: We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms. For example, we may process your personal information for some of the purposes described in order to:
  • Send users information about special offers and discounts on our products and services
  • Analyze how our services are used so we can improve them to engage and retain users
  • Support our administrative operations
  • Diagnose problems and/or prevent fraudulent activities
  • Understand how our users use our products and services so we can improve user experience
• Legal Obligations: We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.
• Vital Interests: We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.

(For EU, UK, and Canada residents, specific legal bases are outlined in the "WHAT ARE YOUR PRIVACY RIGHTS?" section.)

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

We may need to share your personal information in the following situations:

• Service Providers: We share your information with third-party vendors, service providers, contractors, or agents ('Service Providers') who perform services for us or on our behalf and require access to such information to do that work. The categories of Service Providers we may share personal information with are as follows:
  • Cloud Computing Services & Hosting: Vercel
  • Data Storage & Authentication Services: Supabase
  • Artificial Intelligence Processing: OpenRouter (and its underlying LLM providers)
  • Payment Processors (Planned): Stripe or similar providers
  • Communication & Collaboration Tools
  • Analytics Services We have contracts in place with our Service Providers, which are designed to help safeguard your personal information. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will also not share your personal information with any organization apart from us. They also commit to protect the data they hold on our behalf and to retain it for the period we instruct.
• Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
• Legal Obligations and Rights: We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process, such as in response to a court order or a subpoena (including in response to public authorities to meet national security or law enforcement requirements). We may also disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person and illegal activities, or as evidence in litigation in which we are involved.
• With Your Consent: We may disclose your personal information for any other purpose with your consent.
• User-Directed Sharing (e.g., Google Sheets Integration): If you instruct us to share your data with a third-party service like Google Sheets, we will do so on your behalf. You are responsible for managing your account and data with such third-party services.

We do not sell or rent your personal information to third parties for their marketing purposes.

5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

We do not directly set many cookies ourselves. However, our Services integrate with third-party services like Supabase (for authentication) and potentially others (analytics, etc.) that may use cookies and similar tracking technologies (like web beacons and pixels) to collect or store information.

• Essential Cookies: Supabase uses cookies that are essential for providing authentication services (e.g., keeping you logged in). These are necessary for the Services to function.
• Analytics and Other Cookies: We may in the future use analytics services that use cookies to help us understand how our Services are used.

Because essential cookies are used by our core service providers (like Supabase for login), we may not display a separate cookie banner for these. However, we are reviewing our cookie practices to ensure full compliance with all applicable regulations, including the GDPR and ePrivacy Directive. For detailed information about the cookies used by our third-party providers, please refer to their respective privacy and cookie policies (e.g., Supabase, Google).

You can typically control cookies through your browser settings. However, disabling essential cookies may affect the functionality of our Services.

6. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

Our Services offer you the ability to register and log in using your Google account (Google OAuth). If you choose to do this, we will receive certain profile information about you from Google, including your email address, display name, and profile picture. We will use the information we receive only for the purposes that are described in this Privacy Notice or that are otherwise made clear to you on the relevant Services. Please note that we do not control, and are not responsible for, other uses of your personal information by Google. We recommend that you review Google's privacy notice to understand how they collect, use, and share your personal information, and how you can set your privacy preferences on their sites and apps.

7. HOW DO WE USE ARTIFICIAL INTELLIGENCE (AI)?

Formlink AI utilizes artificial intelligence, including large language models (LLMs) via our AI Service Provider, OpenRouter, to help you create forms. When you provide input (e.g., describing the form you want to create), this input is sent to OpenRouter for processing to generate the form structure and content.

• Data Shared with AI Providers: Your input prompts are shared with OpenRouter and its underlying LLM providers.
• User Responsibility: IMPORTANT: Do not include any sensitive personal information, confidential information, or any data you would not want shared with third-party AI providers in your AI prompts. While we and our AI providers have security measures, the nature of AI processing means your input data will be processed by these external services. We provide warnings within the application where AI processing occurs.
• Purpose: This processing is solely to enable the AI-powered form creation features of our Services.

8. HOW LONG DO WE KEEP YOUR INFORMATION?

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).

Generally, this means we keep your personal information (account details, forms you've created) for as long as you maintain an account with us.

Account Deletion: If you choose to delete your account, we will delete all your personal data associated with your account from our active systems immediately. Please note that some data may remain in our backups for a limited period as per our backup schedules, after which it will also be deleted. Data processed by our AI service providers may be subject to their retention policies.

Data collected by forms you create is your responsibility. If a respondent requests deletion of their data from a form you created, you are responsible for handling that request.

9. HOW DO WE KEEP YOUR INFORMATION SAFE?

We have implemented and rely on the technical and organizational security measures of our reputable Service Providers (Supabase, Vercel, OpenRouter, Stripe) designed to protect the security of any personal information we process. These measures include data encryption, access controls, and secure infrastructure.

However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure. Therefore, we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

10. DO WE COLLECT INFORMATION FROM MINORS?

We do not knowingly solicit data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent's use of the Services. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at privacy@formlink.ai.

Users creating forms are responsible for complying with applicable laws regarding collecting data from minors, such as obtaining verifiable parental consent.

11. WHAT ARE YOUR PRIVACY RIGHTS?

In some regions (like the European Economic Area (EEA), United Kingdom (UK), Canada, and India), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; and (iv) if applicable, to data portability. In certain circumstances, you may also have the right to object to the processing of your personal information. You can make such a request by contacting us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below.

We will consider and act upon any request in accordance with applicable data protection laws.

• Withdrawing your consent: If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below or updating your preferences. However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
• Opting out of marketing and promotional communications: You can unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails that we send, or by contacting us using the details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below. You will then be removed from the marketing lists. However, we may still communicate with you — for example, to send you service-related messages that are necessary for the administration and use of your account, to respond to service requests, or for other non-marketing purposes.
• Account Information: If you would at any time like to review or change the information in your account or terminate your account, you can log in to your account settings and update your user account or contact us using the information provided. Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases immediately.

If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority or UK data protection authority. If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner. If you are located in Canada, you may contact the Office of the Privacy Commissioner of Canada. Residents of India have rights under the Digital Personal Data Protection Act, 2023, including the right to access, correct, complete, update, and erase their personal data, and the right to grievance redressal.

12. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ('DNT') feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Notice.

13. DATA CONTROLLER AND DATA PROCESSOR

This section clarifies our roles concerning your data:

• Formlink AI as Data Controller: For the personal information of our registered users (e.g., your account information like email, display name, forms you create), Formlink AI is the Data Controller. We determine the purposes and means of processing this data.
• Formlink AI as Data Processor: When you use Formlink AI to create forms and collect responses from individuals ('Respondents'), you are the Data Controller for the personal information collected through those forms. In this scenario, Formlink AI acts as a Data Processor on your behalf. You are responsible for ensuring that your collection and use of Respondents' data comply with all applicable privacy laws, including providing necessary notices and obtaining consents. Our processing of such data will be governed by our Terms of Service and any applicable Data Processing Addendum.

14. SUBSCRIPTION AND BILLING

We plan to offer paid subscription plans for Formlink AI.

• Free Trial: We may offer a 7-day free trial for our subscription plans.
• Automatic Charging: If you subscribe to a plan with a free trial, unless you cancel before the end of the trial period, you will be automatically charged the applicable subscription fee.
• Payment Processing: All payments will be processed by a third-party payment processor (e.g., Stripe). We do not store your full payment card information.

Details regarding subscription terms, fees, and cancellation will be provided at the time of subscription and in our Terms of Service.

15. DO WE MAKE UPDATES TO THIS NOTICE?

Yes, we will update this Privacy Notice as necessary to stay compliant with relevant laws and to reflect any changes in our Services or data processing practices. The updated version will be indicated by an updated 'Last updated' date and the updated version will be effective as soon as it is accessible. If we make material changes to this Privacy Notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice frequently to be informed of how we are protecting your information.

16. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, you may email us at privacy@formlink.ai or contact us by post at:

Formlink AI (To be updated to FORMLINK (OPC) PRIVATE LIMITED upon registration) 121 Karni mata mandir ke pass Sadulpur, Rajasthan 331023 India

17. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Based on the applicable laws of your country or state of residence, you may have the right to request access to the personal information we collect from you, correct inaccuracies, or delete your personal information. To do so, please log into your account settings or fill out and submit a data subject access request by contacting us at privacy@formlink.ai. We will respond to your request within a reasonable timeframe in accordance with applicable law.