Privacy Policy
Last updated: June 15, 2026
Information We Collect
We collect only the information necessary to provide our form-building service. Here's what that includes:
- Account information: When you sign up, we collect your email address and an optional display name. Your password is never sent to our servers in plaintext — we use the SRP protocol, so it's verified locally before transmission.
- Form submissions on behalf of form owners: When someone fills out a form built on Fillr, their answers and any file uploads are stored on our infrastructure. This data belongs to the form owner (the creator of the form), not to Fillr. We process and store it solely on their behalf.
- Submission metadata: Each submission includes technical metadata such as the referrer URL, user agent string, and the page URL where the form was embedded. This helps form owners understand where submissions come from.
- Local storage: We use browser localStorage to keep you signed in and remember your language preference. We do not use cookies for tracking, analytics, or advertising.
How We Use Your Information
We use your information only for these purposes:
- To provide and maintain the Fillr service — hosting your forms, storing submissions, and delivering your dashboard.
- To process billing through Stripe. Fillr never sees or stores your payment card details.
- To send you service-related communications (e.g., payment receipts, plan changes, service notices).
- To respond to your support requests.
We do not use your data for advertising, sell it to third parties, or use form submission data for any purpose beyond providing the service.
Data Sharing
We share your data only with the subprocessors essential to running the service. Each is contractually bound to protect your data:
| Subprocessor | Purpose | Data Location |
|---|---|---|
| Amazon Web Services (AWS) | Hosting, DynamoDB database, S3 file storage | us-east-1 (N. Virginia) |
| Stripe | Payment processing (Fillr never sees card details) | Varies — see Stripe's Data Processing Agreement |
| Cloudflare | CDN and DNS for the landing page only | Edge network (global) |
Data Retention
We retain form submission data based on your plan. After the retention period ends, submission data is permanently deleted.
| Plan | Retention Period |
|---|---|
| Free | 30 days |
| Starter | 90 days |
| Pro | 365 days |
| Enterprise | Unlimited (until account deletion) |
Account information (email, display name) is retained until you delete your account. You can request account deletion at any time.
Data Security
We take data protection seriously. Here are the measures we have in place:
- Encryption at rest: All data stored in DynamoDB and S3 is encrypted at rest using AES-256.
- Encryption in transit: All traffic between your browser and our servers uses TLS 1.2 or higher. Form submissions via our Web Component are always sent over HTTPS.
- Secure authentication: We use AWS Cognito with the SRP (Secure Remote Password) protocol. Your password is never transmitted to our servers in plaintext.
- Token-based sessions: API requests are authenticated with short-lived JWTs. Sessions are stateless and expire automatically.
Your Rights (GDPR)
If you are in the European Economic Area (EEA) or the United Kingdom, you have the following rights regarding your personal data:
- Right to access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your data and account.
- Right to data portability: Request your data in a machine-readable format.
- Right to restrict processing: Request restriction of how we use your data.
- Right to object: Object to the processing of your personal data.
To exercise any of these rights, contact us at hello@fillr.cloud. We will respond within 30 days.
Children's Privacy
Fillr is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us so we can delete it.
Form owners are responsible for ensuring their forms comply with applicable laws regarding data collection from children. If you collect data from children, you must obtain appropriate parental consent.
International Data Transfers
All data is stored in AWS data centers in us-east-1 (Northern Virginia, United States). If you are located in the European Economic Area or the United Kingdom, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for transferring personal data to the United States. Our subprocessors (AWS, Stripe, Cloudflare) also adhere to SCCs or equivalent transfer mechanisms.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of material changes via email or through the Fillr dashboard. Continued use of the service after changes constitutes acceptance of the updated policy.
Contact
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at: