Privacy Policy

1. The short version

We collect what we need to run the Service, we don't sell your data, we don't run third-party ad trackers, and your form respondents' data is yours — we just store it for you.

2. What we collect

3. How we use it

To provide and improve the Service, process payments, send transactional email (verification, receipts via Stripe, submission alerts you enable), and — only with an unsubscribe link — occasional product updates. We use aggregate, de-identified numbers (like signup counts) to understand what's working.

4. Form respondents

If you filled in a form hosted on Bloodweb, the form's owner decides why your data was collected and is your first contact for access or deletion. We process and store it on their behalf. If you can't reach the owner, contact us and we'll help.

5. Where your data lives and how it's protected

Data is stored on our servers in Australia, encrypted in transit (HTTPS everywhere), with passwords hashed (bcrypt), role-restricted admin access, and nightly encrypted backups retained for 30 days.

6. Sharing

We share data only with the processors needed to operate: Stripe (payments), our email delivery provider (transactional mail), and Let's Encrypt (certificate issuance for domains you connect). We disclose data to authorities only when legally required.

7. Your rights

You can access and update account data on your account page, export your form responses (CSV) any time, and request full deletion of your account and content via contact — completed within 30 days. Australian Privacy Principles apply; complaints can also go to the OAIC.

8. Changes

Material changes to this policy will be announced by email or in-app at least 14 days before they take effect.