Privacy Policy

Last updated: February 24, 2026

This Privacy Policy describes how FormSentry ("we", "us", or "our") collects, uses, and shares information when you install and use our Shopify application. By using FormSentry, you agree to the practices described in this policy.

1. Information We Collect

Store Information

When you install FormSentry, we receive basic information about your Shopify store through the Shopify API, including your store name, domain, and email address. This is required to authenticate your account and provide the service. We request only the minimum Shopify API scopes necessary to operate: reading theme data (to verify app embed status) and managing app subscriptions (for billing).

Form Submission Data

FormSentry processes form submissions made through your Shopify storefront's contact forms. This includes:

  • Form field contents (name, email, message body)
  • Submitter IP address
  • Browser and device metadata (user agent)
  • Behavioral signals (time on page, mouse movement patterns, keyboard timing, scroll and focus interactions)

This data is used solely for the purpose of detecting and preventing spam submissions. Behavioral signals are collected as aggregate metrics (e.g., total mouse distance, keystroke count) and do not capture the content of what is typed or specific page coordinates.

Usage Data

We collect anonymized usage data such as the number of submissions processed, spam detection rates, and feature usage to improve the service.

2. How We Use Your Information

We use the information we collect to:

  • Analyze form submissions for spam and bot activity
  • Display submission history and detection results in your dashboard
  • Enforce your configured block and allow lists
  • Check submitter reputation (IP ranges, email domain quality)
  • Manage your subscription and billing through Shopify
  • Improve our spam detection algorithms
  • Provide customer support

3. AI Processing

FormSentry uses artificial intelligence to analyze the content of form submissions. Submission content may be sent to third-party AI providers (currently OpenAI) for classification. This processing is done in real time, and the AI provider does not retain your data for training purposes. We use API configurations that opt out of data retention by the provider.

AI classification is one layer in our multi-layered detection pipeline and is only invoked when earlier layers (behavioral analysis, reputation checks, content pattern matching) produce an inconclusive result. Most submissions are classified without any data leaving our infrastructure.

4. Data Retention

Submission data is retained according to your plan's history period:

  • Starter plan: 3 days
  • Pro plan: 30 days
  • Business plan: 90 days

After the retention period, submission data is permanently deleted through an automated daily cleanup process. Store account data is retained for as long as the app is installed. When you uninstall FormSentry, all associated data is deleted within 30 days.

5. Data Sharing and Sub-processors

We do not sell, rent, or trade your personal information. We share data only in the following circumstances:

  • Service providers: We use third-party infrastructure providers that process data on our behalf under contractual obligations. Our current sub-processors are:
    • Cloudflare — Application hosting and edge network (USA/global)
    • Neon / Prisma Accelerate — PostgreSQL database and connection pooling (USA)
    • Upstash — Redis caching and job scheduling (USA)
    • OpenAI — AI content classification (USA)
  • Legal requirements: We may disclose information if required by law, regulation, or legal process.
  • Shopify: As a Shopify app, certain data flows through Shopify's infrastructure in accordance with Shopify's privacy policy.

We will update this list if we add or change sub-processors. Material changes will be communicated through the app dashboard.

6. International Data Transfers

Your data may be processed in the United States and other countries where our sub-processors operate. For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries that do not have an adequacy decision from the European Commission, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms as implemented by our sub-processors.

7. Data Security

We implement industry-standard security measures to protect your data, including encryption in transit (TLS), encrypted database storage, and access controls. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

In the event of a data breach that affects your personal data, we will notify affected merchants without undue delay and in any event within 72 hours of becoming aware of the breach, in accordance with GDPR requirements. Notification will be sent to the email address associated with your Shopify store.

8. GDPR Compliance (EEA, UK, Switzerland)

For merchants and customers in the European Economic Area, United Kingdom, or Switzerland, we comply with applicable data protection regulations including the GDPR and UK GDPR.

Our Role

We act as a data processor on your behalf. You (the merchant) are the data controller for personal data submitted through your store's forms. We process this data only as necessary to provide the Service under your instructions.

Lawful Basis

We process personal data on the following bases: performance of a contract (providing the Service you subscribed to), legitimate interest (improving spam detection accuracy and maintaining service security), and compliance with legal obligations where applicable.

Your Rights

Under GDPR, you and your customers have the right to:

  • Access personal data we hold
  • Request correction of inaccurate data
  • Request deletion of personal data
  • Object to or restrict processing
  • Request data portability
  • Lodge a complaint with your local supervisory authority (e.g., the relevant EU Data Protection Authority or the UK ICO)

To exercise any of these rights, contact us at support@formsentry.app. We will respond within 30 days.

Data Processing Agreement

If you require a Data Processing Agreement (DPA) for GDPR compliance, please contact us at support@formsentry.app and we will provide one.

Shopify GDPR Webhooks

We support Shopify's mandatory GDPR webhooks for customer data requests, customer data erasure, and shop data erasure.

9. CCPA/CPRA Compliance (California)

If you or your customers are California residents, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide additional rights regarding personal information.

  • Right to know: You may request details about the categories and specific pieces of personal information we have collected.
  • Right to delete: You may request deletion of personal information we hold, subject to certain exceptions.
  • Right to opt-out of sale: We do not sell personal information to third parties, and we do not share personal information for cross-context behavioral advertising.
  • Non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise these rights, contact us at support@formsentry.app.

10. Cookies and Tracking

The FormSentry storefront script does not set cookies, use localStorage, or use sessionStorage on your customers' browsers. It does not track users across websites. Behavioral signals are collected only during the active form session and are not persisted on the client.

Our marketing website (formsentry.app) uses Google Analytics to understand how visitors interact with the site. By default, Google Analytics runs in cookieless mode — no cookies are set and no personal identifiers are stored. If you accept cookies via our consent banner, Google Analytics sets cookies (such as _ga and _ga_*) to distinguish unique users and track session information. You can change your preference at any time by clearing your browser's local storage for this site. This data is processed by Google in accordance with Google's Privacy Policy. You can also opt out of Google Analytics entirely by installing the Google Analytics Opt-out Browser Add-on.

11. Children's Privacy

FormSentry is a business tool intended for use by Shopify merchants. We do not knowingly collect personal information from children under the age of 13 (or 16 in the EEA). If we become aware that we have collected personal data from a child, we will take steps to delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice in the app dashboard or sending an email to the address associated with your Shopify store. We encourage you to review this policy periodically.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at support@formsentry.app.