GDPR & Your Rights

Last updated: October 19, 2025

Scope

This page summarizes how we comply with the EU General Data Protection Regulation (GDPR) for residents of the European Economic Area (EEA).

1. Data Controller

Data controller: FormCraft (legal entity address to be specified).
Contact: shawprem217@gmail.com

2. Legal Bases for Processing

  • Performance of a contract — to provide the service you signed up for (accounts, forms, analytics)
  • Legal obligation — where required by law (e.g., tax records, legal requests)
  • Legitimate interests — fraud detection, security, and service improvement (balanced against individual rights)
  • Consent — where explicitly requested (rare for core product features, used for marketing)

3. Rights of Data Subjects

EEA residents may exercise the following rights:

Right to Access

Request a copy of your personal data

Right to Rectification

Correct inaccurate data

Right to Erasure

Delete personal data (with legal caveats)

Right to Restrict Processing

Limit how we process your data

Right to Data Portability

Export data in a machine-readable format

Right to Object

Object to processing based on legitimate interests

4. How to Exercise Your Rights

Contact shawprem217@gmail.com with a clear subject line (e.g., "GDPR data access request") and include proof of identity. We'll respond within one month, subject to verification and lawful extensions.

5. Data Protection Measures

We use appropriate technical and organisational measures to keep personal data secure:

  • Encryption at rest and in transit (TLS/SSL)
  • Role-based access controls and authentication
  • Regular security audits and vulnerability assessments
  • Incident response procedures
  • Data minimization and purpose limitation

6. Data Transfers Outside the EEA

Where we transfer personal data outside the EEA, we rely on adequacy decisions, standard contractual clauses (SCCs), or other lawful transfer mechanisms approved by the European Commission.

7. Supervisory Authority

If you're unhappy with our response, you may lodge a complaint with your local data protection authority in the EU/EEA. You can find your authority at edpb.europa.eu.

Note: This GDPR summary simplifies obligations. For production use, consult a qualified privacy lawyer and adapt wording to your exact processing activities.