Effective April 20, 2026
When you create an account we collect your email address and password (hashed). When you connect OAuth providers (e.g., Gmail) we store the OAuth tokens needed to operate the integration.
When a form submission arrives at your endpoint we store the submitted payload (fields, values, IP address, user-agent, timestamp) so we can route it to your configured destinations and show it in your dashboard.
We log standard server-side request metadata (IP addresses, HTTP headers, response codes) for security and debugging purposes.
We do not sell your data or your end-users' submission data to third parties.
Data is stored in PostgreSQL on servers located in the United States. Backups are encrypted at rest. We retain submission data as long as your account is active. When you delete a form, its submissions are deleted. When you close your account, all associated data is deleted.
We use a small number of sub-processors to operate the service:
Each processor receives only the data necessary to perform their function.
When you connect a Gmail account, RizzForms requests read-only access to your Gmail messages (the gmail.readonly scope) along with your basic Google profile and email address. We use this access for two purposes: reading your email threads to generate AI-powered qualifying questions for the form you connected, and checking whether you have already replied to a lead so we can show accurate response-time indicators in your inbox. We never send email on your behalf, modify your mailbox, or use Gmail data for advertising.
RizzForms' use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer Google user data to third parties except as necessary to provide or improve this feature, to comply with applicable law, or as part of a merger or acquisition. We do not use Google user data for advertising, and no humans read your Google user data except where you give explicit consent, where required for security or to comply with applicable law, or on data that has been aggregated and anonymized for internal operations.
You can disconnect Gmail at any time from your RizzForms account, which revokes our access and deletes the stored OAuth tokens.
We use a single session cookie to keep you logged in. We do not use tracking cookies or third-party advertising pixels.
You can export or delete your submissions from within the dashboard at any time. To close your account and delete all associated data, contact us. If you are subject to GDPR or CCPA and have a request regarding personal data, use the same contact page and we will respond within 30 days.
All traffic is encrypted via HTTPS. Passwords are hashed with bcrypt. API keys are stored as hashed values and displayed in full only once at creation. If you discover a security vulnerability, please report it via the contact page.
If we make material changes we will update the effective date at the top of this page and, for significant changes, notify you by email.
Questions about this policy? Get in touch.