Privacy Policy

Last updated: 11 June 2026

TEMPLATE — review required. This is a starting draft, not legal advice. Replace [Company], the contact address, and jurisdiction details, and have a qualified lawyer review it before you launch or sell. Your obligations depend on where you and your customers operate (GDPR, UK GDPR, CCPA/CPRA, etc.).

This Privacy Policy explains how [Company] (“Submitbox”, “we”, “us”) collects, uses, and protects information in connection with the Submitbox form-submission service (the “Service”).

1. Who we are & our two roles

Submitbox processes two broad categories of data with two different roles:

Account data — information about the customers who sign up for Submitbox. For this, we are the data controller.
Submission data — the content end users enter into our customers' forms. For this, our customer is the controller and Submitbox acts as a data processor on their behalf.

2. Information we collect

Category	Examples
Account	Name, email, securely hashed password, plan, billing status
Submissions	Whatever a form collects — e.g. name, email, message, and uploaded files
Technical	IP address, user agent, referrer, and timestamps (used for spam protection and abuse prevention)
Payment	Processed by Stripe. We receive subscription status only — we never store card numbers

3. How we use information

To deliver submissions to our customers by email, webhook, and dashboard;
To protect the Service from spam and abuse (honeypot, rate limiting, CAPTCHA);
To provide accounts, authentication, billing, and support;
To maintain, secure, and improve the Service and comply with law.

4. Sub-processors

We share data only with the vendors needed to run the Service:

Amazon Web Services — hosting, database (DynamoDB), and file storage (S3), United States.
Resend — transactional email delivery.
Stripe — subscription billing and payment processing.

We do not sell personal information and do not share it for cross-context behavioral advertising.

5. Storage, security & retention

Data is encrypted in transit (TLS) and at rest (AES-256). Access keys can be restricted to specific domains. Submissions are retained according to the customer's plan and settings; customers can delete submissions, forms, or their account at any time, after which the associated data is removed from active systems within a commercially reasonable period.

6. Your rights

Depending on where you live, you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing. Account holders can export submissions as CSV and delete data directly from the dashboard. For requests about submission data, contact the relevant form owner (the controller); we will assist them as their processor. To exercise rights regarding your account data, email us at the address below.

7. Cookies & local storage

The marketing site uses no tracking cookies. The dashboard stores a session token in your browser's local storage solely to keep you signed in. We do not use third-party advertising trackers.

8. International transfers & children

The Service is operated from the United States; using it may involve transferring data there. The Service is not directed to children under 16, and we do not knowingly collect their personal data.

9. Changes & contact

We may update this policy and will revise the “last updated” date above. Questions or requests: privacy@submitbox.dev (replace with your real contact address).