Privacy Policy

    Last updated: March 30, 2026

    1. Introduction

    OmniWise AB ("we," "us," or "our"), a company registered in Sweden, operates RocketFormsPro (the "Service"), accessible via the website at https://www.rocketformspro.com, the RocketFormsPro mobile application (available on iOS and Android), and the RocketFormsPro WordPress plugin.

    This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use the Service. It applies to all users worldwide, including users within the European Economic Area (EEA), the United Kingdom, and the State of California (USA). By using the Service you acknowledge that you have read and understood this Privacy Policy.

    If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

    2. Data Controller

    The data controller responsible for your personal data is:

    OmniWise AB

    Sweden

    Email: [email protected]

    3. Data We Collect

    3.1 Account Data

    When you create an account, we collect:

    • Email address
    • Avatar seed (randomly generated visual identifier)
    • Privacy consent status and timestamp
    • Marketing consent status and timestamp
    • Data retention date preference
    • Authentication credentials (managed securely via OAuth or password hash)

    3.2 Subscription and Billing Data

    When you subscribe to a paid plan, we collect and process:

    • Subscription tier and status
    • Trial start and end dates
    • Stripe customer ID (payment processing is handled entirely by Stripe; we do not store your credit card details)

    3.3 Form Submissions and Content

    When you or your end-users submit forms, we collect:

    • Form data (JSON-structured responses)
    • Electronic signatures (when form creators enable the signature field)
    • Submission timestamps
    • Anonymous submission data (when forms allow anonymous submissions, no identifying information is required)

    3.4 Device and Technical Data

    We may automatically collect the following technical data:

    • Device-unique identifier stored in localStorage (used for form draft persistence)
    • Browser type and version
    • Operating system
    • IP address (temporarily, for security and abuse prevention)

    3.5 Mobile Application Data

    When you use the RocketFormsPro mobile application (built with React Native/Expo):

    • Device identifiers for session management
    • Local storage data for offline form drafts
    • Push notification tokens (if you enable notifications)

    The mobile application does not access your camera, contacts, microphone, or location data unless explicitly required by a form feature and with your consent.

    3.6 Data We Do Not Collect

    We do not use third-party analytics services such as Google Analytics, Amplitude, or any similar external tracking tools. We do not sell, rent, or trade your personal data to third parties for marketing purposes.

    4. How We Use Your Data

    We use the collected data for the following purposes:

    • Provide the Service: To operate, maintain, and deliver the form building, submission, and analytics features.
    • Account Management: To create and manage your account, authenticate your identity, and manage subscriptions.
    • Process Payments: To process subscription payments through Stripe.
    • Communication: To send service-related emails (e.g., form submission notifications, password resets, account alerts) via Brevo.
    • Security: To protect against spam, fraud, and abuse, including the use of Google reCAPTCHA v2.
    • Service Improvement: To improve the Service based on usage patterns and feedback.
    • Legal Compliance: To comply with applicable laws and respond to lawful requests from authorities.

    5. Legal Basis for Processing (GDPR)

    If you are in the EEA or the United Kingdom, we process your personal data under the following legal bases:

    • Contractual Necessity (Art. 6(1)(b) GDPR): Processing necessary to perform our contract with you (e.g., providing the Service, managing your account).
    • Consent (Art. 6(1)(a) GDPR): Where you have given consent, for example for marketing communications or cookie usage.
    • Legitimate Interest (Art. 6(1)(f) GDPR): Processing necessary for our legitimate interests, such as improving the Service, preventing fraud, and ensuring security, provided such interests are not overridden by your rights.
    • Legal Obligation (Art. 6(1)(c) GDPR): Processing necessary to comply with applicable law (e.g., tax and accounting obligations).

    6. Third-Party Services and Data Sharing

    We share data with the following third-party service providers, strictly for the purposes described below. We do not sell your data.

    6.1 Supabase

    Purpose: Backend infrastructure, database, authentication, and file storage. All account data, form data, and submission data are stored in Supabase. Supabase may process and store data in the United States or other regions outside the EEA (see Section 11 on international transfers).

    6.2 Stripe

    Purpose: Payment processing for subscriptions. Stripe receives your email and payment information to process transactions. We do not store credit card numbers on our servers. Stripe's privacy policy: https://stripe.com/privacy

    6.3 Google reCAPTCHA v2

    Purpose: Spam and bot protection on forms. Google reCAPTCHA may collect hardware and software information (such as device and application data) and send it to Google for analysis. Google's privacy policy: https://policies.google.com/privacy

    6.4 Brevo (formerly Sendinblue)

    Purpose: Transactional and marketing email delivery (e.g., form submission notifications, account-related emails). Your email address is shared with Brevo to facilitate email delivery. Brevo's privacy policy: https://www.brevo.com/legal/privacypolicy/

    6.5 Google Fonts

    Purpose: Typography rendering. When you access the Service, your browser may download fonts from Google's servers, which may log your IP address. Google's privacy policy applies.

    6.6 Unsplash

    Purpose: Stock image library for form backgrounds and design elements. When you browse or select images from Unsplash, requests are made to Unsplash's API. Unsplash's privacy policy: https://unsplash.com/privacy

    6.7 OAuth Providers

    Purpose: Single sign-on authentication. If you choose to sign in via Microsoft (Microsoft Graph) or Google OAuth, we receive your email address and basic profile information from the provider. We do not receive or store your password from these providers.

    7. Cookies and Local Storage

    We use a limited number of cookies and local storage items, strictly for functional purposes:

    NameTypePurposeDuration
    rocketforms_cookie_consentCookieRecords your cookie consent preference365 days
    device-unique-idlocalStorageIdentifies the device for form draft persistencePersistent until cleared
    Form draftslocalStorageSaves in-progress form submissions locally7 days
    Supabase auth tokenslocalStorageMaintains your authenticated sessionSession-based

    We do not use advertising cookies, tracking cookies, or third-party analytics cookies. Google reCAPTCHA may set its own cookies when activated on a form; these are governed by Google's privacy policy.

    You can manage cookies through your browser settings. Disabling essential cookies may affect Service functionality.

    8. Data Retention

    We retain your data according to the following schedule:

    • Account data: Retained for as long as your account is active. Account data is automatically scheduled for deletion 2 years after account creation unless you update your retention preferences in your account settings.
    • Form submissions: Retained for as long as the associated form exists and the account is active, subject to the 2-year auto-deletion policy.
    • Form drafts: Stored locally on your device for 7 days, then automatically deleted.
    • Billing records: Retained as required by applicable tax and accounting laws (typically 7 years under Swedish law).
    • Server logs: Retained for a maximum of 90 days for security and debugging purposes.

    You can delete your account and all associated data at any time through your account settings. Upon account deletion, we will remove your personal data within 30 days, except where retention is required by law.

    9. Your Rights Under the GDPR

    If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights regarding your personal data:

    Right of Access (Art. 15 GDPR)

    You have the right to request a copy of the personal data we hold about you.

    Right to Rectification (Art. 16 GDPR)

    You have the right to request correction of inaccurate personal data.

    Right to Erasure (Art. 17 GDPR)

    You have the right to request deletion of your personal data, subject to legal retention requirements.

    Right to Data Portability (Art. 20 GDPR)

    You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV export).

    Right to Restriction of Processing (Art. 18 GDPR)

    You have the right to request that we limit the processing of your personal data under certain circumstances.

    Right to Object (Art. 21 GDPR)

    You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.

    Right to Withdraw Consent

    Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal.

    To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority (in Sweden: Integritetsskyddsmyndigheten, IMY).

    10. Your Rights Under the CCPA (California Residents)

    If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following rights:

    • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting the information, and the categories of third parties with whom we share it.
    • Right to Delete: You may request that we delete the personal information we have collected about you, subject to certain exceptions.
    • Right to Opt-Out of Sale: We do not sell your personal information. Therefore, there is no need to opt out.
    • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

    To exercise your CCPA rights, contact us at [email protected].

    11. International Data Transfers

    OmniWise AB is based in Sweden. However, some of our third-party service providers (including Supabase, Stripe, and Google) may process and store data in the United States or other countries outside the EEA. When data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:

    • EU-U.S. Data Privacy Framework (where applicable)
    • Standard Contractual Clauses (SCCs) approved by the European Commission
    • Service providers certified under recognized data protection frameworks

    By using the Service, you acknowledge that your data may be transferred to and processed in countries outside your country of residence, which may have different data protection laws.

    12. Data Security

    We implement appropriate technical and organizational measures to protect your personal data, including:

    • Encryption of data in transit (TLS/HTTPS) and at rest
    • Row-Level Security (RLS) policies on all database tables to ensure data isolation between users
    • Secure authentication with support for multi-factor authentication (MFA)
    • Regular security reviews and updates
    • Access controls limiting employee access to personal data on a need-to-know basis
    • Secure password hashing (passwords are never stored in plain text)

    While we take reasonable measures to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

    13. Children's Privacy

    The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16 years of age. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at [email protected]. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to delete that information promptly.

    This applies in compliance with the U.S. Children's Online Privacy Protection Act (COPPA) and the GDPR provisions for children's data.

    14. Changes to This Privacy Policy

    We may update this Privacy Policy from time to time. When we make material changes, we will:

    • Update the "Last updated" date at the top of this page
    • Notify registered users via email for significant changes
    • Display a prominent notice within the Service

    We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

    15. Contact Information

    If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

    OmniWise AB

    Sweden

    Email: [email protected]

    Website: https://www.rocketformspro.com

    For complaints related to data protection in the EU, you may also contact the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at www.imy.se.

    We value your privacy

    We use cookies to enhance your browsing experience and analyze our traffic. By clicking "Accept All", you consent to our use of cookies for analytics and marketing. Privacy Policy | Terms of Service