Back to registration

Privacy Policy

Last updated: March 28, 2026

Terms Privacy Cookies AI Transparency

1. Who We Are

FormAI is operated by DBM-AI ("we", "us", "our"). We provide an AI-powered form assistant service that website owners ("Customers") embed on their sites to help end users fill out forms.

2. Data We Collect

2.1 Customer Account Data

When you create an account, we collect:

  • Email address (used for login, verification, and essential communications)
  • Company name (optional)
  • Password (stored as a one-way hash -- we cannot see your password)
  • Timestamp of terms acceptance

2.2 Usage Data

  • Monthly form session counts (for plan limit enforcement)
  • Registered domains and form configurations
  • API key (auto-generated, used for plugin authentication)
  • IP addresses (forwarded by nginx via X-Forwarded-For, held in memory cache for rate limiting, auto-expires after 10 minutes, never persisted to disk or database)

2.3 End User Data (Your Website Visitors)

We minimize end user personal data through client-side tokenization. The plugin uses pattern matching to detect and replace common PII formats (emails, phone numbers, government IDs, credit cards, IBANs, dates of birth) with safe tokens before data reaches our servers. Tokenization covers structured data in form fields and recognized patterns in chat messages.

Limitations of tokenization: Pattern-based detection is best-effort. Unstructured personal data such as names, physical addresses, or free-text descriptions of personal circumstances typed into the chat may not be detected and could be transmitted to our servers and AI providers. The plugin cannot guarantee complete PII removal from free-text input.

3. How We Use Your Data

  • Service delivery: Authenticating your API requests, enforcing plan limits, and delivering AI form assistance.
  • Account management: Email verification, password resets, and account-related communications.
  • Security: Rate limiting, abuse prevention, and fraud detection.
  • Service improvement: Aggregated, non-personal usage statistics to improve the product.

We do not use your data for advertising, profiling, or selling to third parties.

4. Third-Party Processors

We use the following third-party services to deliver the Service:

  • AI providers (e.g., OpenAI): Process conversation data to generate AI responses. Messages are tokenized client-side before transmission, but unstructured PII (names, addresses) in free-text chat may pass through. See Section 2.3 for limitations.
  • Microsoft (edge-tts): Text-to-speech synthesis for accessibility features. Text is sent to Microsoft's TTS service on demand for audio generation. TTS audio is streamed directly to the user and is not cached or stored on our servers.
  • AWS (Amazon Web Services): Infrastructure hosting and email delivery (SES).
  • Stripe: Payment processing for paid plans. We do not store credit card details -- Stripe handles this directly.

5. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion.
  • Conversations: Ephemeral. Not stored on our servers after the session ends.
  • Usage metrics: Monthly counters reset each billing cycle. Historical totals may be retained in aggregated form.
  • Rate-limiting data: IP-based counters are stored in volatile memory cache and expire automatically after 10 minutes. They are never written to disk or database and are cleared on server restart.

6. Your Rights (GDPR)

If you are in the EU/EEA, you have the following rights under GDPR:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Update your account information through the Account settings.
  • Erasure: Request deletion of your account and all associated data via Account > Request Deletion.
  • Portability: Request your data in a machine-readable format.
  • Objection: Object to processing of your data for specific purposes.
  • Withdrawal of consent: You may withdraw consent at any time by deleting your account.

To exercise any of these rights, contact contact@dbm-ai.com or use the in-app deletion request feature.

7. Data Security

  • All communications are encrypted via HTTPS/TLS.
  • Passwords are stored using industry-standard one-way hashing (PBKDF2/bcrypt).
  • API keys are unique 64-character cryptographically random strings.
  • PII is tokenized client-side in the browser before data is transmitted to our servers. Server-side logs apply additional pattern-based masking before writing to disk. No conversation data is retained on the server.
  • Log files are size-limited (15 MB max), automatically rotated, and contain only masked content.
  • Infrastructure is hosted on AWS with standard security controls.

8. Customer Responsibilities

As a Customer embedding our plugin on your website, you are the data controller for your end users. You are responsible for:

  • Updating your own privacy policy to disclose the use of AI-powered form assistance.
  • Informing your end users that the form assistant is powered by AI.
  • Ensuring your use of the Service complies with applicable data protection laws in your jurisdiction.

9. Children's Privacy

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a dashboard notice. The "Last updated" date at the top reflects the most recent revision.

11. Further Reading

For a detailed technical explanation of how FormAI protects personal data, including tokenization architecture, voice privacy, and GDPR compliance details, see our Privacy & Security tutorial. For information on how AI is used in the service, see our AI Transparency page.

12. Contact

For privacy-related questions or to exercise your rights, contact us at contact@dbm-ai.com.

Terms  ·  Privacy  ·  Cookies  ·  AI Transparency