SubmitKit
Sign inGet started free

Privacy Policy

Last updated: 3 May 2025

1. Who we are

SubmitKit (“we”, “our”, “us”) is a form-backend service operated from the European Union. Our servers are located in Germany (Hetzner Online GmbH). Contact: [email protected]. For privacy-specific requests, email [email protected].

2. Data we collect

  • Account data: email address and display name when you sign up via magic link or Google OAuth.
  • Billing data: payment method and billing details handled directly by Stripe, Inc. We store only the Stripe customer ID and subscription status.
  • Form submission data: field values submitted by your end-users through your forms, including any files uploaded. You control what fields you collect.
  • Technical data: IP address, user-agent, and referer header for each submission, used for spam detection and abuse prevention.
  • Usage data: submission counts per billing period, stored in Redis and your database.

3. How we use your data

  • To provide and operate the SubmitKit service.
  • To send you form-submission notification emails via Resend.
  • To process payments and manage your subscription via Stripe.
  • To detect and prevent spam and abuse.
  • To comply with legal obligations.

We do not sell your data or your end-users' data to third parties.

4. Data retention

Submissions are stored until you delete them or close your account. When you delete a form or submission, data is permanently removed from our databases. Account data is deleted within 30 days of account closure.

5. Third-party processors

  • Stripe, Inc. — payment processing. See Stripe's Privacy Policy.
  • Resend, Inc. — transactional email delivery.
  • Hetzner Online GmbH — server hosting (Frankfurt, Germany).

6. Cookies and tracking

We set a single session cookie (authjs.session-token) to keep you signed in. We do not use analytics cookies, advertising trackers, or third-party pixel tags.

7. Your rights (GDPR)

If you are located in the EEA, you have the right to access, rectify, erase, and export your personal data. To exercise these rights, email [email protected]. We will respond within 30 days.

8. Security

All data is transmitted over TLS. API keys are stored as hashed prefixes. Webhook secrets use HMAC-SHA256 signatures. We conduct regular dependency audits. To report abuse or a security concern, email [email protected].

9. Changes to this policy

We will notify account holders by email of any material changes at least 14 days before they take effect.