
Privacy Policy

Last updated: 2026-05-17 · version 2.0

See also: sub-processors · legal hub (RoPA, DPA, TIA, breach runbook).

Megaforms (operated by MEGA PROMOTING SRL, Chișinău, Moldova) takes your privacy seriously. This document explains what we collect, why, and your rights under GDPR.

1. Data we collect

Account data: email, name, hashed password, workspace name.
Form data: questionnaires you create, sessions, answers from respondents (only data they voluntarily provide).
Usage: IP address, user agent, page views (for analytics & rate limiting).
Billing: handled by Stripe — we store only customer IDs and subscription status.

2. Where data is stored

All data is stored in the European Union on OVHcloud servers (Strasbourg / Roubaix, France). Data does not leave EU-controlled infrastructure unless you explicitly enable a third-party integration.

3. Why we process data

To provide the form-builder service, to handle billing, to send transactional email (signup, password reset, payment receipts), and to enforce plan limits and abuse prevention.

4. Sub-processors

  • Stripe (payment processing) — Ireland
  • Resend (transactional email) — EU
  • OVHcloud (hosting) — France
  • Plausible Analytics (privacy-friendly web analytics) — Germany

5. Your rights (GDPR)

You can access, export, correct, or delete your personal data at any time from your account or by writing to privacy@megapromoting.com. You also have the right to data portability, to restrict processing, and to lodge a complaint with your supervisory authority.

6. Retention

Account data is kept while your account is active. Form sessions/responses default to 365 days retention (configurable per workspace to 30/90/180/365 days or forever, from Settings → Data retention). After account deletion, we retain only what is legally required (tax records: 10 years for invoices) and anonymize the rest within 30 days. Backups are purged within an additional 60 days.

6.1. Voice recordings

Audio files are encrypted at rest (LUKS) on OVH servers (France). Default retention is 90 days (shorter than for text answers because of their higher sensitivity). Whisper transcription is performed via OpenAI under a Zero Data Retention contract (audio is not stored by OpenAI). See sub-processors for details.

6.2. Form access (private forms)

Forms are private by default (requires_auth=1). Respondents enter their email, receive a 6-digit code, and get a signed cookie valid for 24 hours. Forms are not indexed by Google or AI bots (X-Robots-Tag noindex + robots.txt Disallow + sitemap exclusion). Workspace owners can opt out of this and allow public access for genuinely public forms.

7. Cookies

We use a strictly necessary megaforms_token cookie for authentication and (for private forms) a per-form mf_q_<slug> signed cookie. We do not use tracking, advertising, or profiling cookies. Plausible Analytics is cookieless. The cookie banner offers symmetric Accept / Refuse buttons (per EDPB Guidelines 03/2022).

7.1. Marketing email opt-out

Lifecycle emails (welcome, usage threshold, win-back) carry a List-Unsubscribe header (RFC 8058). Gmail / Apple Mail render a one-click "Unsubscribe" button. Transactional emails (auth code, payment receipt, password reset) are excluded, as they are contract-necessary.

7.2. AI transparency (EU AI Act Art. 50)

When AI follow-up is enabled on a form, respondents are informed that they are interacting with an AI system. AI processing is opt-out per form by the workspace owner. See legal hub for our DPIA (Art. 35 GDPR + AI Act) and Transfer Impact Assessment.

8. Contact

Privacy questions: privacy@megapromoting.com
Postal: MEGA PROMOTING SRL, Chișinău, Republic of Moldova