Privacy Policy

Last updated: 01 January 2025

This Privacy Policy explains how Formlio (“we”, “us”, or “our”) collects, uses, processes, and protects personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable European laws.

By using the platform, website, and services of Formlio (collectively referred to as the Platform), you agree to this Privacy Policy.

1. Definitions

Data Controller: The entity that determines the purposes and means of processing personal data. In the context of our services, the Users (agencies, companies, or individuals) are the Data Controllers of their clients' or recipients' data.

Processor: Formlio, which processes personal data on behalf of the Data Controller.

Personal Data: Any information relating to an identified or identifiable natural person (e.g., name, email address, IP address).

Users: The individuals, agencies, or companies that use the Formlio Platform to create and send proposals or interactive documents.

Recipients: The individuals or entities that receive proposals or interactive documents via the Platform.

Cookies: Small text files placed on your device to collect and track information about your activity on the Platform.

Sub-processors: Third-party service providers that process personal data for the Formlio Platform.

2. Who We Are

Formlio is a web platform that allows Users to create, customise, and send proposals and other interactive documents in the form of private web pages, and to track Recipient engagement with these documents.

For any questions regarding this policy or to exercise your rights, please contact us at contact@formlio.com.

3. To Whom This Policy Applies

This policy applies to:

Users: Businesses, agencies, freelancers, and individuals using the Platform to create and send proposals and other interactive documents.

Recipients: Persons or businesses receiving proposals and other interactive documents via the Platform.

Visitors: Persons accessing the Formlio website without creating an account.

4. Data We Collect

Data Collected from Users

Account Information: Full name, email address, job title, company name, telephone number (if applicable). Professional information for billing purposes (e.g., VAT number, billing address).

Financial Information: Payment details, such as billing address, payment card information (processed by PCI-DSS-compliant third parties), and transaction history.

Content Data: Proposals, images, videos, logos, fonts, and other files uploaded to the Platform.

Usage Data: Data relating to the use of the Platform, including actions performed, preferences, and settings.

Data Collected from Recipients

Contact Information: Name, email address, job title, company.

Engagement Data: Tracking and analysis of proposal openings, sections viewed, time spent on each section, shares made.

Technical Data: IP address, browser type, operating system, device type.

Data Collected from Visitors

Browsing Data: Pages visited and interactions with the site.

Technical Data: IP address, browser type, operating system, device type.

Cookies and Similar Technologies: See section 10 for more details.

5. Purposes of Data Processing

We process personal data for the following purposes:

Category of Data: Purpose. Legal Basis.

Account Information: Creation and management of User accounts, communication, customer support. Performance of a contract (Article 6(1)(b) GDPR).

Financial Information: Payment processing, billing management, tax compliance. Legal obligation (Article 6(1)(c)) and performance of a contract.

Content Data: Storing and sharing interactive documents or proposals through our Platform. Performance of a contract (Article 6(1)(b)).

Recipient Engagement Data: Tracking how Recipients interact with interactive documents or proposals to provide Users with insights. Legitimate interest (Article 6(1)(f)).

Technical Data: Security, fraud prevention, service improvement. Legitimate interest (Article 6(1)(f)).

Cookies and Browsing Data: Enhancing User experience, analytics, marketing. Consent for non-essential cookies (Article 6(1)(a)); Legitimate interest for essential cookies.

6. Data Sharing and Sub-processors

Third-Party Service Providers

We collaborate with trusted third-party service providers to deliver, improve, and maintain our services. These providers may include:

Hosting and Infrastructure: Providers of hosting services and cloud storage to securely host the Platform and store your data.

Payment Processing: Secure payment services to process financial transactions.

Analytics and Statistics: Analytical tools to understand the use of the Platform and improve our services.

Marketing and Advertising: Partners who assist us in our marketing activities.

Communication: Services facilitating the sending of transactional emails and notifications.

Guarantees and Compliance

We ensure that all our sub-processors:

  • Comply with the GDPR and applicable data protection laws.
  • Are contractually obligated to protect your personal data and process it only according to our instructions.
  • Implement appropriate security measures to protect your data.

7. How We Collect Consent from Recipients

For Recipients of proposals or interactive documents, consent for the processing of their personal data, including the tracking of their engagement, is obtained as follows:

  • Before accessing the document sent by the User, Recipients are prompted to accept the Terms and Conditions (T&Cs) and this Privacy Policy.
  • This explicit consent is required to access the content, thus ensuring that Recipients are informed and agree to the processing of their data.

8. How We Facilitate the Exercise of Data Subject Rights

We are committed to facilitating the exercise of data subject rights in accordance with the GDPR. To this end:

Request Procedure: Individuals can exercise their rights by contacting us at contact@formlio.com, specifying the nature of their request.

Response Time: We commit to responding to any legitimate request within one (1) month of receipt. This period may be extended by two (2) additional months in cases of complexity or a high volume of requests.

Identity Verification: To protect confidentiality, we may request additional information to verify the identity of the requester before processing the request.

Cost: Exercising these rights is free of charge, except in cases of manifestly unfounded or excessive requests, where reasonable fees may be charged.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required or permitted by law.

Type of Data: Retention Period.

Account Information: As long as the account is active, then deletion within twelve (12) months after account closure, unless otherwise required by law.

Content Data: As long as the account is active, then immediate deletion after account closure, unless otherwise requested or legally required.

Recipient Engagement Data: Retained for twenty-four (24) months after collection.

Financial Information: Retained for seven (7) years, in accordance with legal tax and accounting obligations.

Browsing Data and Cookies: Variable depending on the type of cookie (see section 10).

10. Cookies and Similar Technologies

We use cookies and similar technologies to:

  • Ensure the essential functioning of the Platform.
  • Enhance your user experience by remembering your preferences.
  • Analyse the use of the Platform to improve our services.
  • Provide you with personalised content and advertisements.

Managing Cookies

Initial Consent: During your first visit, a consent banner allows you to accept or refuse the use of non-essential cookies.

Changing Preferences: You can modify your cookie preferences at any time by accessing the cookie settings available on our site.

Browser Settings: You can configure your browser to refuse cookies or to alert you when cookies are being sent.

11. Data Security

We implement appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, disclosure, alteration, or destruction.

Encryption: Sensitive data is encrypted in transit (TLS) and at rest.

Access Controls: Access to personal data is restricted to employees and providers who need to access it.

Security Testing: Regular security audits and vulnerability assessments.

Strong Authentication: Use of two-factor authentication (2FA) for administrative access.

12. Your Rights Under the GDPR

As a data subject, you have the following rights:

Right of Access: You can request a copy of the personal data we hold about you.

Right to Rectification: You can request the correction of inaccurate or incomplete data.

Right to Erasure: You can request the deletion of your personal data under certain circumstances.

Right to Restrict Processing: You can request the restriction of processing of your data under certain conditions.

Right to Object: You can object to the processing of your personal data on legitimate grounds.

Right to Data Portability: You can request to receive your personal data in a structured, commonly used, and machine-readable format.

To exercise these rights, please contact us at contact@formlio.com. We will respond to your request within one (1) month, in accordance with applicable law.

13. Automated Decision-Making

We do not engage in any automated decision-making or profiling that produces legal effects or similarly significant effects on you.

14. International Data Transfers

Compliance of Recipient Countries: We transfer your data only to countries recognised by the European Commission as providing an adequate level of data protection.

Contractual Commitments: For other countries, we use standard contractual clauses approved by the European Commission to ensure the protection of your data.

Provider Certification: Our providers commit to adhering to strict data protection protocols.

Additional Protective Measures

In addition to legal safeguards, we implement technical and organisational measures to ensure the security of your personal data, such as:

  • Encryption of data in transit and at rest.
  • Minimisation of data collected and processed.
  • Strict access controls to limit access to personal data to authorised personnel only.

Your Rights

You have the right to contact us for more information about the international transfers of your personal data and the safeguards we have implemented. To do so, please write to us at contact@formlio.com.

15. Data Protection Contact

Although we have not appointed a Data Protection Officer (DPO), we take data protection very seriously. For any questions or requests regarding personal data protection, please contact us at contact@formlio.com.

We are committed to responding promptly to your questions and handling your data protection requests.

16. Data Breach

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we commit to:

  1. Notifying the competent supervisory authority (e.g., the CNIL in France) within 72 hours of becoming aware of the breach.
  2. Informing you without undue delay if the breach is likely to result in a high risk to your rights and freedoms, by providing:
      • The nature of the breach.
      • Contact details for obtaining more information.
      • The likely consequences of the breach.
      • The measures taken to address the breach.

17. Children

Our services are not intended for individuals under the age of 18. We do not collect personal data from minors.

18. Changes to This Policy

We may update this Privacy Policy at any time to reflect changes to our practices or for other operational, legal, or regulatory reasons.

Notification of Changes: In case of significant changes, we will notify you by email (if possible) or via a notification on the Platform before the changes take effect.

Effective Date: The date of the last update is indicated at the top of this Privacy Policy.

Your Responsibility: We recommend that you regularly review this Privacy Policy to stay informed of any changes.

19. Supervisory Authority

You have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés, www.cnil.fr) if you believe that the processing of your personal data does not comply with the regulations.

20. Contact

For any questions or requests regarding this Privacy Policy, or to exercise your rights, please contact us at contact@formlio.com.