Privacy Policy
Last updated: 28 May 2026
1. Who we are
This service ("Basilform", "we", "us") is operated by Borislav Grigorov, based in Bulgaria. We are the data controller for personal data described below, except where this policy states that we act as a processor on behalf of an account holder.
For any privacy question or to exercise your rights, contact us at [email protected].
2. Our two roles
Basilform lets people ("account holders") create forms whose endpoints can be embedded on their own websites. When a visitor submits one of those forms ("submitter"), the data flows through Basilform on the way to the account holder.
- We are the controller for account data (the information about people who sign up for Basilform).
- We are a processor for form submission content. The account holder who owns the form is the controller of that content; the form owner's own privacy notice and lawful basis apply to those submitters. See our Data Processing Addendum for the processor terms.
3. What we collect
3.1 Account data
- Email address (used to sign in and to contact you).
- A bcrypt hash of your password (never the password itself).
- A verification token and verification status, so we know you control the email address.
3.2 Form submissions
- The content submitters send through forms you create (whatever fields you configured).
- Files attached to those submissions, stored in Cloudflare R2.
- The submitter's IP address and User-Agent header, captured for rate limiting, spam prevention, and CAPTCHA verification.
3.3 Cookies
We only use essential cookies. No analytics, no advertising.
- A signed session cookie that keeps you logged in.
- A CSRF token cookie that protects forms against cross-site request forgery.
- A small cookie_notice_dismissed cookie that remembers you closed the cookie notice bar.
3.4 Technical logs
Our servers record request metadata (timestamp, IP address, HTTP method, path, status code, duration, request ID) and application errors. Logs are typically retained for around 30 days.
3.5 Billing and payment data
Basilform offers a free tier and paid upgrades. Checkout, payment-method processing, subscriptions, invoices, receipts, tax calculation, tax remittance, and legally required payment records are handled by Creem, our Merchant of Record. We do not store full card numbers on our servers.
We store the billing information needed to manage your subscription: Creem customer ID, Creem subscription ID, plan or product ID, billing status, renewal date, invoice or receipt IDs or URLs, billing email, name, company, billing address, and tax ID where you provide one.
4. Why we process this data — legal bases (GDPR Art. 6)
- Performance of a contract (Art. 6(1)(b)) — to provide the service you signed up for: hosting your forms, storing submissions, sending you operational email, and managing your subscription.
- Legitimate interests (Art. 6(1)(f)) — to keep the service secure: rate limiting, CAPTCHA verification, spam and abuse prevention, fraud prevention, billing support, and error logging.
- Legal obligation (Art. 6(1)(c)) — tax and accounting records related to paid subscriptions.
- Consent (Art. 6(1)(a)) — only where we explicitly ask for it (currently we do not run optional analytics or marketing).
5. Subprocessors
We rely on a small number of vetted providers to run the service. Each receives only the data needed for its function.
| Provider | Purpose | Location |
|---|---|---|
| Hetzner | Application hosting, database hosting | European Union (Germany / Finland) |
| Cloudflare R2 | File uploads attached to form submissions | Global edge; default region configurable |
| Cloudflare Turnstile | CAPTCHA / bot protection for public form endpoints | Global edge |
| Resend | Transactional email (account verification, notifications) | United States — transfers under SCCs |
| Creem | Merchant of Record for checkout, payment processing, subscription billing, invoices, receipts, tax calculation, tax remittance, and refunds where applicable. Privacy, Terms, DPA. | Estonia / global infrastructure — transfers under SCCs where applicable |
6. International transfers
Where a subprocessor is located outside the European Economic Area, transfers rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, supplementary safeguards.
7. Retention
- Account data: kept while your account is active and for up to 30 days after deletion to handle clean-up and any disputes.
- Form submissions: retained until you delete them. Deleted submissions go through a soft-delete window before being permanently purged.
- Uploaded files: deleted together with the submission they belong to.
- Technical logs: typically around 30 days.
- Billing records: kept for the period required by Bulgarian and EU tax and accounting law, and as needed for Creem's Merchant-of-Record obligations.
8. Security
- Passwords are hashed with bcrypt; we never see the plaintext.
- All traffic is served over HTTPS.
- Form submission rate limiting and CAPTCHA reduce abuse and credential-stuffing.
- Access to production data is limited to the operator and is protected by authentication and audited via server logs.
- File uploads are stored in Cloudflare R2 with encryption at rest.
9. Your rights under GDPR
If the GDPR applies to you, you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased ("right to be forgotten");
- restrict or object to processing;
- receive your data in a portable, machine-readable format;
- withdraw any consent you have given, at any time;
- lodge a complaint with a supervisory authority. In Bulgaria, that is the Commission for Personal Data Protection (CPDP / КЗЛД) — www.cpdp.bg.
To exercise any of these rights, email us at [email protected]. We respond within 30 days.
If you are a submitter and your data appears in someone else's form, please contact that form's owner first; they control the submission. We will assist them in fulfilling your request as a processor.
10. Children
Basilform is not directed at children. You must be at least 16 to create an account. If you believe a child has provided us personal data, contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes we will notify account holders by email.
12. Contact
Borislav Grigorov
Bulgaria
[email protected]