Privacy Policy
Last updated: April 5, 2026
1. Introduction
Stepform ("we", "us", "our") operates the website www.stepform.ai and the Stepform platform (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website or use our Service.
We are committed to protecting your privacy and complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the ePrivacy Directive, and other applicable data protection laws.
2. Data Controller
The data controller responsible for your personal data is:
Stepform
Email: privacy@stepform.ai
3. Personal Data We Collect
3.1 Data you provide directly
- Account information: name, email address, and profile picture when you create an account (including via Google Sign-In).
- Organization data: workspace name and team member email addresses when you create or join an organization.
- Form content: the forms, funnels, pages, and associated content you create using our Service.
- Communications: any information you provide when contacting our support team.
- Integration data: when you connect third-party services (e.g., Slack), we store OAuth access tokens, workspace identifiers, and workspace names required to maintain the connection.
3.2 Data collected automatically
- Usage data: pages visited, features used, clicks, session duration, and other interaction data.
- Device and browser data: IP address, browser type and version, operating system, device type, and screen resolution.
- Cookies and similar technologies: we use strictly necessary cookies for authentication and session management. See Section 8 for details.
3.3 Data from form respondents
When end users ("respondents") fill out forms created with Stepform, the form creator (our customer) is the data controller for that submission data. We act as a data processor on behalf of our customers. Submission data may include any information the form creator chooses to collect (e.g., names, emails, addresses, phone numbers, or other responses).
4. Legal Basis for Processing
We process your personal data based on the following legal grounds under Article 6 GDPR:
- Performance of a contract (Art. 6(1)(b)): to provide and maintain our Service, process your registration, and manage your account.
- Legitimate interests (Art. 6(1)(f)): to improve our Service, prevent fraud, ensure security, and send non-marketing service communications.
- Consent (Art. 6(1)(a)): where you have given explicit consent, such as for marketing communications. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): to comply with applicable laws and regulations.
5. How We Use Your Data
- Provide, operate, and maintain the Service
- Create and manage your account
- Process and store forms and submissions on behalf of our customers
- Send transactional emails (e.g., magic link sign-in, team invitations)
- Monitor and analyze usage trends to improve the Service
- Detect, prevent, and address technical issues and security threats
- Comply with legal obligations
6. Data Sharing and Transfers
We do not sell your personal data. We may share data with:
- Service providers (sub-processors): trusted third-party providers that help us operate our Service. These providers are contractually obligated to process data only on our behalf and in compliance with GDPR. See Section 6.1 for the full list.
- Customer-configured integrations: when you connect third-party services (e.g., Slack) or enable tracking pixels (e.g., Meta Pixel, Google Ads), data is shared with those services as directed by you. You are the data controller for these transfers.
- Legal requirements: if required by law, regulation, or legal process, or to protect our rights, safety, or property.
6.1 Sub-processors
The following third-party sub-processors are used to operate the Service. We ensure appropriate safeguards are in place for each, including Standard Contractual Clauses (SCCs) where data is transferred outside the European Economic Area (EEA).
| Provider | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting, realtime infrastructure | EU (Frankfurt) |
| Vercel Inc. | Application hosting, file storage, domain management | EU (Frankfurt) |
| Hetzner Online GmbH | WebSocket server hosting | EU (Frankfurt) |
| Postmark (ActiveCampaign LLC) | Transactional email delivery | USA |
| OpenAI Inc. | AI copilot functionality | USA |
| Anthropic Inc. | AI copilot functionality | USA |
| Stripe Inc. | Payment processing, billing | USA |
| Unsplash Inc. | Stock photo search | USA |
| Mapbox Inc. | Address autocomplete | USA |
| Google LLC | Social login (OAuth) | USA |
6.2 International transfers
Some of our sub-processors are located outside the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission or adequacy decisions.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:
- Account data: retained while your account is active. Upon account deletion, your data is permanently removed within 30 days.
- Form submission data:retained as long as the form creator's account is active, or until the form creator deletes the data.
- Integration data: OAuth tokens and connection metadata are retained while the integration is active. When you disconnect an integration or delete your organization, all associated tokens and connection data are permanently deleted.
- Usage and analytics data: retained in anonymized or aggregated form for up to 24 months.
8. Cookies
We use only strictly necessary, first-party cookies required for the functioning of our Service. No cookie consent banner is required for these cookies under the ePrivacy Directive, as they are essential for the service you have requested.
8.1 Platform cookies (logged-in users)
- Session cookies: to authenticate your identity and maintain your login session.
- Security cookies: to prevent cross-site request forgery and other security threats.
8.2 Published form cookies (form respondents)
When a respondent interacts with a form created with Stepform, the following first-party cookies may be set. These are strictly functional and contain no personal data:
- Submission cookie: links a respondent's browser to their in-progress form submission so they can resume where they left off if they return. Contains only a random identifier. Expires after 30 days.
- Start page cookie: remembers which start page variant was shown to a respondent for consistent A/B testing. Contains only a page identifier. Expires after 30 days.
- Analytics visitor cookie: an anonymous, randomly generated visitor identifier used for privacy-friendly, aggregate analytics (e.g., unique visitor counts). It contains no personal data and cannot be used to identify an individual. Expires after 30 days.
8.3 Third-party tracking
We do not use tracking or advertising cookies ourselves. Third-party integrations configured by form creators (e.g., Meta Pixel, Google Ads, Google Tag Manager) on published forms are the responsibility of the form creator as the data controller.
9. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of access (Art. 15): request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17):request deletion of your personal data ("right to be forgotten").
- Right to restriction (Art. 18): request restriction of processing in certain circumstances.
- Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)): withdraw consent at any time where processing is based on consent.
To exercise any of these rights, please contact us at privacy@stepform.ai. We will respond within 30 days as required by GDPR.
You also have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest
- Access controls and authentication mechanisms
- Regular security assessments
While we strive to protect your personal data, no method of transmission or storage is 100% secure. If you become aware of a security vulnerability, please contact us immediately.
11. Data Processing Agreement
Where Stepform acts as a data processor on behalf of customers (form creators), we enter into a Data Processing Agreement (DPA) in accordance with Article 28 GDPR. If you require a signed DPA, please contact us at privacy@stepform.ai.
12. Children's Privacy
Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such data promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.
14. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Stepform
Email: privacy@stepform.ai