Last updated: May 8, 2026

Privacy Policy

This policy explains what information Lead Form collects when you use our form builder, how we use that information, who we share it with, and the choices you have. It applies to account holders who sign up for Lead Form and to end users who submit responses through forms built on our platform.

1. Who we are

Lead Form is a multi-tenant form builder. Account holders use it to design multi-step forms, publish them under their own domains, run A/B tests, and collect submissions. Throughout this policy, "we", "us", and "our" refer to Lead Form. "You" refers to the person using the service.

When an account holder builds a form and collects responses, they are the data controller for those responses and we act as their data processor. End users submitting a form should review the form owner's own privacy notice for details specific to that collection.

2. Information we collect

Account information

When you create an account, we collect your email address, name, and an authentication credential (password, magic link, or OAuth identifier). Passwords are hashed by Supabase Auth and we never see them in plaintext. If you enable two-factor authentication, we store a hashed TOTP secret and SHA-256 hashes of your recovery codes -- the plaintext codes are shown to you once and are not recoverable.

Form content you create

We store the questions, conditional logic, branding, custom domains, and configuration that you build inside the editor. We use this content to render your forms and to power features like A/B testing and analytics.

Submissions and lead data

When an end user completes a form, we store their answers along with technical metadata such as timestamps, partial-submission progress, drop-off step, and a hashed identifier used to detect duplicate submissions. The fields collected are determined by the form's owner, not by us. We may also store the answers to optional honeypot or anti-spam fields and discard submissions that match spam patterns.

Integration credentials

If you connect a third-party service (for example, an SMTP provider, Zapier, Make, a CRM, or an email marketing platform), we store the credentials needed to send data on your behalf. Sensitive credentials such as SMTP passwords are encrypted at rest with AES-256-GCM before they reach the database.

Usage and device data

We collect standard log data when you use the service: IP address, user-agent, pages visited, and timestamps. We use this for security monitoring, abuse prevention, debugging, and to power the analytics dashboards that account holders see for their own forms (completion rate, drop-off step, conversion).

AI processing inputs

Some features (such as drop-off analysis and form copy suggestions) send anonymised summaries of submission patterns to our AI sub-processor (OpenAI). We do not send the content of individual end-user responses unless an account holder explicitly opts in. OpenAI does not use these inputs to train its models.

3. How we use information

  • To operate, secure, and improve the service.
  • To render your forms, store submissions, and deliver them to the integrations you have configured.
  • To authenticate you, verify two-factor codes, and detect unusual sign-in activity.
  • To send transactional emails (account, security, billing, form-submission notifications) using Resend.
  • To produce analytics that help you understand how end users move through your forms.
  • To comply with legal obligations and enforce our Terms.

We do not sell personal data, and we do not use end-user submission content to advertise to those end users.

4. Sub-processors

We rely on a small number of trusted vendors to run the service. Each of them processes data only on our instructions and under a data-processing agreement.

  • Supabase -- Postgres database, authentication, file storage. Hosts account data, form definitions, and submissions.
  • Vercel -- application hosting, edge functions, CDN.
  • OpenAI -- AI features such as drop-off analysis and copy suggestions.
  • Resend -- transactional email delivery.
  • Twilio -- SMS delivery and (where used) HLR phone-number validation.
  • Google Maps Platform -- address autocomplete inside form fields.
  • Ideal Postcodes -- UK address lookup inside form fields.

We update this list when we add or change vendors. Material changes are reflected in the "Last updated" date above.

5. Cookies and similar technologies

We use first-party cookies and similar storage to keep you signed in, remember your preferences, and protect against CSRF. We do not use third-party advertising cookies. Embedded forms may set cookies on the form owner's domain to maintain progress across steps; the form owner controls those.

6. Data retention

  • Account data is retained for as long as your account is active and for a short period after deletion to allow recovery and meet legal obligations.
  • Form submissions are retained until the account holder deletes the submission, deletes the form, or deletes their account. End users who want a submission removed should contact the form owner first.
  • Logs and analytics are retained for up to 12 months and then aggregated or deleted.
  • Backups are kept for up to 30 days on a rolling basis.

7. Your rights

Depending on where you live (for example, the EU/UK under GDPR, California under CCPA, or Brazil under LGPD), you may have the right to:

  • access the personal data we hold about you;
  • correct data that is inaccurate or incomplete;
  • delete your data ("right to be forgotten");
  • export your data in a portable format;
  • object to or restrict certain processing;
  • withdraw consent where processing is based on consent.

To exercise any of these rights, account holders can use the tools inside the dashboard or contact us. End users should first contact the owner of the form they submitted; if they cannot reach the owner, we will help where we can.

8. Security

We take security seriously. The service is built on a multi-tenant Postgres database with row-level security so an account can only read its own rows. Sensitive integration credentials are encrypted with AES-256-GCM at rest. We support TOTP-based two-factor authentication with hashed recovery codes. Traffic is encrypted with TLS in transit, and the production database is encrypted at rest.

No system is perfectly secure. If you believe your account has been compromised, change your password and contact us immediately.

9. International data transfers

Our infrastructure and sub-processors are based primarily in the United States and the European Union. Where data crosses borders, we rely on Standard Contractual Clauses or equivalent safeguards required by applicable law.

10. Children's privacy

Lead Form is not directed at children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top and, where appropriate, notify account holders by email or in-app notice. Your continued use of the service after the effective date constitutes acceptance of the updated policy.

12. Contact us

Questions about this policy or about the data we hold? Reach the Lead Form team via our contact form.