Privacy Policy
Last Updated: December 5, 2025
At FiraForm, we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our headless form backend services.
FiraForm is operated from Kuala Lumpur, Malaysia, and serves customers globally. We are committed to complying with applicable data protection laws, including the Personal Data Protection Act 2010 (PDPA) of Malaysia, the General Data Protection Regulation (GDPR) of the European Union, and other relevant privacy regulations.
By using FiraForm, you consent to the data practices described in this policy.
1. Information We Collect
1.1 Information You Provide
When you create an account or use our Service, we collect:
- Account Information: Name, email address, company name, billing address
- Payment Information: Processed and stored securely by our payment processor, Paddle.com
- Form Data: Data submitted through forms you create using FiraForm
- Communication Data: Messages, support tickets, and feedback you send us
1.2 Information Collected Automatically
When you use our Service, we automatically collect:
- Usage Data: Pages viewed, features used, time spent on the Service
- Device Information: IP address, browser type, operating system, device identifiers
- Log Data: Server logs, error reports, API requests
- Cookies: Session cookies, preference cookies, analytics cookies
1.3 End-User Data
As a form backend service, we process data submitted by your end-users through forms you create. You are the data controller for this data, and we act as a data processor on your behalf. You are responsible for obtaining necessary consents from your end-users.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Process your transactions and send billing notifications
- Send you technical notices, updates, and security alerts
- Respond to your comments, questions, and support requests
- Monitor and analyze usage patterns and trends
- Detect, prevent, and address technical issues and security threats
- Comply with legal obligations and enforce our Terms of Service
- Send marketing communications (with your consent, where required)
3. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we process your personal data based on:
- Contract Performance: Processing necessary to provide the Service you signed up for
- Legitimate Interests: Improving our Service, preventing fraud, and ensuring security
- Legal Compliance: Meeting legal and regulatory requirements
- Consent: For marketing communications and optional features (you may withdraw consent at any time)
4. Data Sharing and Disclosure
4.1 Service Providers
We share your information with third-party service providers who perform services on our behalf:
- Payment Processing: Paddle.com Market Limited (for payment processing)
- Cloud Hosting: Infrastructure providers for data storage and processing
- Email Services: For transactional and marketing emails
- Analytics: To understand Service usage and improve performance
4.2 Legal Requirements
We may disclose your information if required by law or in response to:
- Valid legal requests from law enforcement or regulatory authorities
- Court orders or subpoenas
- Protection of our rights, property, or safety
- Prevention of fraud or security threats
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change.
5. Data Storage and Security
5.1 Data Location
Your data is stored on secure servers located in data centers compliant with industry standards. Data may be processed in Malaysia or other jurisdictions where our service providers operate.
5.2 Security Measures
We implement appropriate technical and organizational measures to protect your data:
- Encryption of data in transit (TLS/SSL) and at rest
- Regular security assessments and monitoring
- Access controls and authentication mechanisms
- Employee training on data protection
- Incident response procedures
However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
6. Data Retention
We retain your personal information for as long as:
- Your account is active and you use the Service
- Needed to provide the Service and fulfill our contractual obligations
- Required by law, regulation, or legal proceedings
- Necessary for our legitimate business interests (e.g., fraud prevention)
When you close your account, we will delete or anonymize your data within 90 days, except where retention is required by law.
7. Your Rights and Choices
7.1 Access and Control
You have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Deletion: Request deletion of your data ("right to be forgotten")
- Portability: Receive your data in a structured, machine-readable format
- Restriction: Limit how we process your data
- Objection: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent for marketing or optional processing
7.2 Exercising Your Rights
To exercise these rights, contact us at [email protected]. We will respond within 30 days.
7.3 Marketing Communications
You can opt out of marketing emails by clicking the "unsubscribe" link in any email or contacting support.
7.4 Cookies
You can control cookies through your browser settings. Note that disabling cookies may affect Service functionality.
8. International Data Transfers
As we serve a global customer base, your data may be transferred to and processed in countries outside of Malaysia or your country of residence. These countries may have different data protection laws.
When we transfer data internationally, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by relevant authorities.
9. Children's Privacy
Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.
10. Third-Party Links
The Service may contain links to third-party websites. We are not responsible for the privacy practices of these sites. We encourage you to review their privacy policies.
11. Data Breach Notification
In the event of a data breach that may affect your personal information, we will notify you and relevant authorities as required by applicable law, typically within 72 hours of becoming aware of the breach.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through a prominent notice on the Service. Your continued use after changes constitutes acceptance of the updated policy.
13. Supervisory Authority
If you are in the EEA or Malaysia and have concerns about our data practices, you have the right to lodge a complaint with a supervisory authority:
- Malaysia: Personal Data Protection Department, Ministry of Communications and Digital
- EEA: Your local data protection authority
Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
By using FiraForm, you acknowledge that you have read and understood this Privacy Policy.