Privacy Policy
This privacy policy explains how Jotform handles your personal information and data, and applies to all of the products, services and websites offered by Jotform Inc., Jotform Ltd, Jotform Pty Ltd, Jotform Canada Inc., and their affiliates (collectively, “Jotform”), except where otherwise noted. Jotform products, services and websites are collectively referred to as the “services” in this policy. Unless otherwise noted, all services are provided by Jotform Inc., which is based in the United States.
In this policy, “you” refers to those who use and/or interact with any or all of our products, services, and websites, and “we”, “us”, and “our” refer to Jotform. “Customer”(s) refers specifically to those who use Jotform services. “Form Responders” refers to those who fill in and/or submit forms used by our Customers.
INFORMATION WE COLLECT
From Our Customers
- Registration information. When you register for an account with us so you can create and/or use forms, we collect your username, password and email address.
- Billing information. If you make a payment to Jotform Inc., we require that you provide your billing details, including name, address, email address and financial information corresponding to your selected method of payment (e.g. a credit card number and expiration date or a bank account number). If you provide a billing address, we will regard that as the location of the account holder. Our integrations with third party payment gateways are for processing only. We don’t store or log any sensitive cardholder data provided by you or your form users. We follow industry-standard best practices to protect the security of cardholder data during processing and transmission. Jotform Inc. is certified as a PCI DSS Level 1 Compliant Service Provider, and we perform annual audits to ensure that our handling of your credit card information aligns with industry guidelines. Read more here.
- Account settings. Our customers can set various preferences and personal details on pages, such as your account settings page. For example, your default language, timezone and communication preferences (e.g. opting in or out of receiving marketing emails from us).
- Form data. We store our customers’ form data (questions and responses), in some cases using third party server providers such as Amazon Web Services and Google Cloud.
- Data you use to create forms is owned by you. Jotform Inc. treats your forms as private, unless you make them available to members of the public. We don’t sell or make forms you’ve created available to anyone, nor do we use the form responses you collect, for purposes unrelated to you or our services, except in a limited set of circumstances (e.g. Jotform Inc. is compelled by a subpoena or court order, or if you’ve given us permission to do so).
- Jotform safeguards responders’ email addresses. To make it easier for you to invite people to complete your forms via email, you may upload lists of email addresses, in which case we act as a mere custodian of that data. We don’t sell these email addresses or make them available to others except as directed by you and in accordance with this policy. The same is true for any email addresses collected through your forms.
- Jotform Inc. holds your data securely. Read our Security Statement for more information.
- Form data is stored on servers located in the United States. Our customers have the option to store their data in the EU. See https://www.jotform.com/security/ for more information.
From Visitors to Our Websites
- Usage data. We collect usage data when you interact with our services. This may include which web pages you visit, what you click on, when you performed those actions, and so on. Additionally, like most websites today, our web servers keep log files that record data each time a device accesses those servers. The log files contain data about the nature of each access, including originating IP addresses, internet service providers, the files viewed on our site (e.g., HTML pages, graphics, etc.), operating system versions, and timestamps.
- Device data. We collect data from the device and application you use to access our services, such as your IP address, operating system version, device type, system and performance information, and browser type. We may also infer your geographic location based on your IP address.
- Referral data. If you arrive at a Jotform website from an external source (such as a link on another website or in an email), we record information about the source that referred you to us.
- Information from third parties. We may collect your personal information or data from third parties, if you have given permission to those third parties to share your information.
- Information from page tags. We use third party tracking services that employ cookies and page tags (also known as web beacons) to collect aggregated and anonymized data about visitors to our websites. This data includes usage and user statistics. Emails sent by Jotform or by users through our services may include page tags that allow the sender to collect information about who opened those emails and clicked on links in them. We do this to allow the email sender to measure the performance of their email messaging and to learn how to improve email deliverability and open rates.
- See our Cookie Policy for more info
From Form Responders
When you fill in or complete a form used by one of our Customers, we collect information relating to you and your use of our services:
- Form responses. We collect and store the form responses that you submit, in some cases using third party server providers like Amazon Web Services or Google Cloud, on behalf of our Customers. The form creator (Customer) is responsible for this data, and they manage it. A form may ask you to provide personal information or data. If you have any questions about a form which a Customer has sent to you or given you access to fill in, or about the data to be provided in the form, please contact the form creator directly, since Jotform is not responsible for the content of that form. The form creator may have their own privacy policy.
- Are your form responses anonymous?
You will need to ask the form creator as it depends on how the individual, company or organization has chosen to configure the form(s). We provide information to form creators on how they can collect responses anonymously. However, even if a form creator has followed those steps, specific questions in the form may still ask you for your personal information or data that could be used to identify you.
HOW WE USE AND DISCLOSE YOUR INFORMATION
Customers
We treat unique form questions and responses as information that is private, unless a party other than Jotform has made that information public. We don’t use form data other than as described in this privacy policy without our Customers’ consent. We don’t sell Customers’ form data, nor do we make it available to third parties without the Customer’s permission.
We use information gathered from and provided by our Customers to do the following for our Customers:
Provide services and technical support, assist them with form design and creation, provide technical troubleshooting, manage our relationship with them, and to gather information on how they use our services.
Certain features of our services use the content of form questions and responses and Customer account information in additional ways. Feature descriptions will identify where this is the case. Customers can avoid the use of form data in this way by simply choosing not to use such features. For example, by using our form templates feature, to add questions to forms, you also permit us to aggregate the responses you receive to those questions with responses received by other form templates users who have used the same questions. We may then report statistics about the aggregated (and de-identified) data sent to you and other form creators.
If you choose to link your Jotform account with a third party account, such as your Google or Facebook account, Jotform may use the information you allow us to collect from those third parties to provide you with additional features, services, and personalized content.
In order to provide you with useful options to use the services together with social media and other applications, we may give you the option to export information to, and collect information from, third party applications and websites, including platforms such as Google and Twitter and social networking sites such as Facebook. When exporting and collecting such information, you may be disclosing your information to the individuals or organizations responsible for operating and maintaining such third party applications and sites, and your information may be accessible by others visiting or using those applications or sites. We do not own or operate third party applications or websites that you connect with – you should review the privacy policies and statements of such websites to ensure you are comfortable with the ways in which they use the information you share with them.
To manage our services. We use your information, including certain form data, for the following limited purposes:
- To monitor, maintain, and improve our services and features. We internally perform statistical and other analysis on information we collect, including usage data, device data, referral data, question and response data and information from page tags, to analyze and measure user behavior and trends, to understand how people use our services, and to monitor, troubleshoot and improve our services, including to help us evaluate and design new features. We may use your information internally in order to keep our services secure and operational, such as for troubleshooting and testing purposes, and for service improvement, marketing, research and development purposes.
- To enforce our Terms of Use.
- To prevent potentially illegal activities.
- To screen for and prevent undesirable or abusive activity. For example, we have automated systems that screen content for activities such as, phishing, spam, and fraud.
To create new services, features or content. We may use your form data and form metadata (that is, data about the characteristics of a form) for our internal purposes to create and provide new services, features or content. Regarding form metadata, we may look at statistics like response rates, question and answer word counts, and the average number of questions in a form, and publish interesting observations about these for informational or marketing purposes. When we do this, neither individual form creators nor form responders will be identified or identifiable unless we have obtained their permission.
To facilitate account creation and the logon process. If you choose to link your Jotform account to a third party account, such as your Google or Facebook account, we use the information you allowed us to collect from those third parties to facilitate the account creation and login process.
To contact you about your service or account. We will occasionally send you communications of a transactional nature (e.g. service-related announcements, billing-related matters, changes to our services or policies, a welcome email when you first register). You are prevented from opting out of this type of communication since it is required to provide our services to you.
To contact you for marketing purposes. We will send you promotional emails only if you have consented to us contacting you for this purpose. You may opt out of these communications at any time by clicking on the “unsubscribe” link in them, or changing the relevant setting on your My Account page.
Legal Process and Law Enforcement Requests for Information
As a service provider, Jotform is legally required to turn over user data in our possession when we receive valid legal process from government authorities with proper jurisdiction. We strive to balance the needs of law enforcement and other legal process with the privacy of our customers and third parties who submit their information to our customers on their forms. Accordingly, we carefully review each legal and law enforcement request for information, and where we do produce personal information, we endeavor to produce only that information which is actually required.
For parties in North America, disclosures are governed by U.S. law and the Federal Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701-2712 . For parties outside the US, our disclosures are governed by the laws of the applicable jurisdiction. In general, we will turn over general information such as name, subscription inception date, information on form creation, email address, registration IP address, and, where we believe required, billing information. We require a valid subpoena, or a law enforcement request issued in connection with an official criminal investigation.
Form Responders
Personal information a form responder includes in a form belongs to the responder, unless the responder has given rights in that information to the Customer who provided them with the form. Check with the Customer if you have questions about that. Form submission data is managed by the form creator (the Customer). Jotform treats that information as private unless the responder and/or Customer has made it publicly available. Please contact the form creator directly to understand how they use your form responses. Some form creators may provide you with a privacy policy or notice at the time you complete its form, and we encourage you to review that to understand how the form creator will handle your responses.
We do not sell personal information gathered from form responses. We won’t use any contact details collected in our customers’ forms to contact form responders.
See the section above for information on how we use data provided by our Customers or to which our Customers have given us access.
Website Visitors
See the section above regarding information related to visitors to our websites. We use that information, including but not limited to cookies, customer data, usage data, device data, referral data and information from page tags, to manage and improve our services, to serve and support our Customers, for research purposes, and for the other various purposes described in this privacy policy.
No Sale or Leasing of Your Information
We will not sell or lease your personal information to any third party. We may disclose aggregate demographic and statistical information with our business partners, but this information is not specific to the identification of you as an individual.
Children’s Privacy
Use of our websites is intended for adults at least eighteen (18) years of age. We do not knowingly collect personally-identifying information from children under the age of thirteen (13).
Generally
We may disclose information with third parties, for limited purposes, as follows:
- Your information to our service providers. We use service providers who help us to provide you with our services. We give some personnel of these providers access to your information, but only to the extent necessary for them to perform their services for us. Our contracts with our service providers require them to maintain technical protections to ensure the confidentiality of your personal information and data, to use it only for the provision of their services to us, and to handle it in accordance with this privacy policy. Examples of service providers include payment processors, hosting services, email service providers, and web traffic analytics tools.
- Your account details to your billing contact. If your account holder details are different from the billing contact listed for your account, we may disclose your identity and account details to the billing contact upon their request. We typically will attempt to notify you of such requests. By using our services and agreeing to this privacy policy, you consent to this disclosure.
- Your email address to your organization. If the email address under which you’ve registered your account belongs to or is controlled by an organization, we may disclose that email address to that organization in order to help it understand who associated with that organization uses our services, and to assist the organization with its enterprise accounts.
- Aggregated or de-identified (anonymized) information to third parties to improve or promote our services. We do this so that no individuals can reasonably be identified or linked to any part of the information we share with third parties to improve or promote our services.
- The presence of a cookie to advertise our services. We may ask advertising networks and exchanges to display ads promoting our services on other websites. We may ask such parties to deliver those ads based on the presence of a cookie that was placed when you visited one of our websites, but in doing so we will not share any other personal information with the advertiser. Our advertising network partners may also use cookies and page tags or web beacons to collect certain non-personal information about your activities on this and other websites to provide you with targeted advertising based upon your interests.
- Your information if required or permitted by law. We may disclose your information as required or permitted by law, or when we believe that disclosure is necessary to protect our rights, protect your safety or the safety of others, and/or to comply with a judicial proceeding, court order, subpoena, or other legal process served on us.
- Your information if there’s a change in business ownership or structure. If ownership of all or substantially all of our business changes, or we undertake a corporate reorganization, including a merger, acquisition or consolidation or any other action or transfer between Jotform entities, you expressly consent to Jotform Inc. transferring your information to the new owner or successor entity so that we can continue providing our services.
- Information you expressly consent to be shared. For example, Jotform Inc. may expressly request your permission to provide your contact details to third parties for various purposes, including to allow those third parties to contact you for marketing purposes. If you give your permission, you may later revoke your permission, but if you wish to stop receiving communications from a third party to which we provided your information with your permission, you will need to contact that third party directly.
- If you’re a Customer, you are able to control who can take your form by changing your collector settings. For example, forms can be made completely public, and indexable by search engines. You can also choose to share your form responses instantly or at a public location.
Please note that, if you’re a form responder or Customer who has entrusted us with safeguarding the privacy of your personal information, we will not disclose or share it with third parties unless we have (a) given you notice, such as in this privacy policy, (b) obtained your express consent, such as through an opt-in checkbox, or (c) de-identified or aggregated the information so that individuals or other entities cannot reasonably be identified by it.
By using our services or visiting our websites, you consent to the above-described disclosures.
In some cases, the applications or user interfaces you encounter while on our sites are managed by third parties, who may require that you provide your personal information. We are not responsible for the privacy practices of these third party services or applications. We recommend carefully reviewing the user terms and privacy statement of each third party service, website, and/or application prior to use.
HOW LONG WE RETAIN YOUR INFORMATION
We generally retain your information for as long as you have an account with us, as necessary to otherwise to provide services to you, to comply with our legal obligations, to enforce our agreements and terms of use, and for as long as one or more of your forms remain publicly accessible on our website. If you close your account and make your forms publicly unavailable through your account dashboard, your personal info will be deleted after one month. If your account has not been closed but is inactive for one year, we will hold your personal data in encrypted form for one additional year, at which time we will delete it. We will delete personal info in response to valid data subject requests made under applicable privacy law such as under the GDPR. This paragraph constitutes our data retention policy as to your personal information.
REQUESTS TO DELETE, AMEND OR WITHDRAW CONSENT – NON-EEA, UK OR AUSTRALIAN RESIDENTS
You may be entitled to request that we delete or amend your personal information. You may also be entitled to withdraw your consent, when consent is the basis for processing your personal information. We apply the same procedures, limitations and exceptions established for European Economic Area (EEA), UK and Australian residents in this privacy policy to all who make such requests to delete or amend personal information, or withdraw consent for processing personal information, regardless of geographic location. Please read the “Your Rights” paragraph under the “ADDITIONAL TERMS FOR EUROPEAN ECONOMIC AREA, UK AND AUSTRALIA RESIDENTS” below for details. If you are a resident of the EEA, UK or Australia, see below for more specific details on how that applies to you.
ADDITIONAL TERMS FOR EUROPEAN ECONOMIC AREA, UK AND AUSTRALIA RESIDENTS
Legal Basis for Use of Your Information
Personal information that we collect is processed under the following legal basis:
Our legitimate interests. This includes:
- to enable us to provide our products and services and website use and access to you
- for analytics, to gather metrics to better understand how users use the our websites, and to evaluate and improve our websites
- to prevent fraud and other illegal activity
- the legitimate interests of others (for example, to ensure the security of our website)
- to comply with legal obligations, as part of our general business operations, and for other internal business administration purposes
- if we collect demographic information from you (such as gender and ethnic origin) in order to carry out diversity monitoring and such information is not collected in an anonymous format, then we rely on our legitimate interest to do so.
Contractual obligations. For the performance of contractual obligations between you and Jotform, including the Jotform Terms of Use and/or in our separate written contract with you.
Consent. Where required by law, we may process your personal information in some cases for marketing purposes on the basis of your consent (which you may withdraw at any time after giving it, as described in this privacy policy).
See our GDPR page at https://www.jotform.com/gdpr-compliance/.
Australian Privacy Principles (APP) Privacy Policy
Scope
This policy relates to the requirements of the Australian Privacy Principles (APP) contained in the Australian Privacy Act 1988 (the Act). This policy applies to the collection of Australian residents’ personal information by customers of Jotform utilising our service provision in the Australian region. In circumstances where it is construed as an APP Entity, Jotform complies with the APP and has implemented suitable controls and measures to ensure that personal information is collected, held and disclosed in a manner that is secure
Collection of Personal Information
Jotform does not actively collect personal information from Australian residents directly (solicited information). We may collect personal unsolicited information in the course of our service provision to our Australian customers. Our Australian customers use the Jotform platform and software as a service provision within their business operations to improve business practices. This may include the use of our forms and tables, and other services we offer, in the process of collecting personal information of end users. The types of personal information collected by our customers varies, and they should provide a detailed list in their own privacy policy.
Disclosure (Data Sharing)
Information that is collected by our customers may be disclosed to and stored on our servers (and backups) which are provided by Google Cloud Platform (GCP) and by Amazon Web Services (AWS). This may include overseas disclosures and Australian resident personal information may be transferred to cloud providers based in the United States of America. We work closely with our service providers to ensure a high standard of security is maintained to ensure that personal information is protected from unauthorized access. Our cloud service providers also have certifications including ISO27001 and SOC 2 which evidence high standards of information security management.
Individual Rights
As an Australian resident you have rights under the Australian Privacy Act 1988. You have the right to access your personal information, and to have your personal information corrected if it is not accurate. We will respond to your request as soon as is practicable. Ordinarily a charge will not be required for this service, unless the request is excessive or requires significant resources. To exercise these rights, contact [email protected].
Making a Complaint
As an Australian resident whose personal information we may have collected, you can make a complaint to us using the email address below, and we will deal with the issues you are reporting as swiftly as we can. If you are not satisfied with our response, you can make a complaint to the Office of the Australian Information Commissioner (OAIC) by emailing this address https://www.oaic.gov.au/privacy/privacy-complaints
Contact UsFor further information, or to make a request for access or correction of personal information, please contact us by email at [email protected].
Transfer Impact Assessment
Please see our transfer impact assessment page for information that may assist you in assessing potential transfers of data to the United States from within the EU or UK.
Your Rights
Deletion of Personal Information
You may be entitled to request that we delete your personal information in certain specific circumstances. If you wish to exercise this right, please submit your request using this form. We will consider all such requests and provide our response within a reasonable period (but no longer than one calendar month from our receipt of your request unless we tell you that we are entitled to a longer period under applicable law). We may require you to verify your identity before we respond to your request. Certain personal information may be exempt from such requests in certain circumstances, including as provided for in this privacy policy.
Access, Update, Data Portability and Other Rights
You may also be entitled to access your information, update your personal information which is out of date or incorrect, restrict use of your personal information in certain specific circumstances, place a data portability request (applicable only when we use your personal information on the basis of your consent or performance of a contract, and where our use of your information is carried out by automated means), and ask us to consider any valid objections which you have to our use of your personal information where we process it on the basis of our or another person’s legitimate interest. Requests should be directed via this form.
We will consider all such requests and provide our response within a reasonable period (but no longer than one calendar month from our receipt of your request unless we tell you we are entitled to a longer period under applicable law). We may require you to verify your identity before we respond to any of your requests. Certain personal information may be exempt from such requests in certain circumstances, including as provided for in this privacy policy.
Complaints
You also have the right to lodge a complaint before a supervisory data protection authority regarding our data processing. If you are in Europe, an up to date list of data protection authorities is available at https://edpb.europa.eu/about-edpb/board/members_en. If you are in the UK, the data protection authority is the UK Information Commissioner’s Office available at https://ico.org.uk/.
EU-U.S. and Swiss Data Privacy Frameworks (“DPF”)
Jotform complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Jotform has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Jotform has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Jotform commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS (www.jamsadr.com), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit www.jamsadr.com for more information or to file a complaint. The services of JAMS are provided at no cost to you.
See the “Information We Collect” section above for information on what personal data we collect, and the “How We Use and Disclose Your Information” section for information on how we use such data and to whom we may disclose it. Whatever personal data our user or customer (the data “controller”) collects via submissions to their forms on our platform is determined by the user or customer on the one hand and by the persons who fill in and submit their forms on the other hand.
See above for information on the choices you have concerning limiting the use and disclosure of your data, and your right to access your personal data. We are subject to the investigatory and enforcement powers of the FTC. We may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. See above. We may be liable for onward transfers to third parties if and to the extent determined by law. Complaints regarding our compliance with the DPF may be subject to binding arbitration before the American Arbitration Association in the US – see our terms of use. You may address any complaints directly to us using this form, free of charge, worldwide.
Representation for Data Subjects in the EU
We value your privacy and your rights as a data subject and have therefore appointed Prighter as our privacy representative and your point of contact.
Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative Prighter or make use of your data subject rights, please visit: https://prighter.com/q/11830216921
BRAZIL USERS AND CUSTOMERS
In most cases where Jotform may receive personal data of and/or for our Brazilian customers, the customer is the Controller under the LGPD, rather than Jotform. For purposes where Jotform does in fact function as a Controller with respect to our customer, our Privacy Team is the designated Data Protection Officer, and may be contacted at [email protected].
HOW TO CONTACT US REGARDING YOUR PERSONAL INFORMATION
If you have any questions about this privacy policy, you may contact us using this form.
Revision May 30, 2024