In this policy, “you” refers to those who use and/or interact with any or all of our products, services, and websites, and “we”, “us”, and “our” refer to Jotform. “Customer”(s) refers specifically to those who use Jotform services. “Form Responders” refers to those who fill in and/or submit forms used by our Customers.
INFORMATION WE COLLECT
From Our Customers
- Registration information. When you register for an account with us so you can create and/or use forms, we collect your username, password and email address.
- Billing information. If you make a payment to Jotform Inc., we require that you provide your billing details, including name, address, email address and financial information corresponding to your selected method of payment (e.g. a credit card number and expiration date or a bank account number). If you provide a billing address, we will regard that as the location of the account holder. Our integrations with third party payment gateways are for processing only. We don’t store or log any sensitive cardholder data provided by you or your form users. We follow industry-standard best practices to protect the security of cardholder data during processing and transmission. Jotform Inc. is certified as a PCI DSS Level 1 Compliant Service Provider, and we perform annual audits to ensure that our handling of your credit card information aligns with industry guidelines. Read more here.
- Account settings. Our customers can set various preferences and personal details on pages, such as your account settings page. For example, your default language, timezone and communication preferences (e.g. opting in or out of receiving marketing emails from us).
- Form data. We store our customers’ form data (questions and responses), in some cases using third party server providers such as Amazon Web Services and Google Cloud.
- Data you use to create forms is owned by you. Jotform Inc. treats your forms as private, unless you make them available to members of the public. We don’t sell or make forms you’ve created available to anyone, nor do we use the form responses you collect, for purposes unrelated to you or our services, except in a limited set of circumstances (e.g. Jotform Inc. is compelled by a subpoena or court order, or if you’ve given us permission to do so).
- Jotform safeguards responders’ email addresses. To make it easier for you to invite people to complete your forms via email, you may upload lists of email addresses, in which case we act as a mere custodian of that data. We don’t sell these email addresses or make them available to others except as directed by you and in accordance with this policy. The same is true for any email addresses collected through your forms.
- Jotform Inc. holds your data securely. Read our Security Statement for more information.
- Form data is stored on servers located in the United States. Our customers have the option to store their data in the EU. See https://www.jotform.com/security/ for more information.
From Visitors to Our Websites
- Usage data. We collect usage data when you interact with our services. This may include which web pages you visit, what you click on, when you performed those actions, and so on. Additionally, like most websites today, our web servers keep log files that record data each time a device accesses those servers. The log files contain data about the nature of each access, including originating IP addresses, internet service providers, the files viewed on our site (e.g., HTML pages, graphics, etc.), operating system versions, and timestamps.
- Device data. We collect data from the device and application you use to access our services, such as your IP address, operating system version, device type, system and performance information, and browser type. We may also infer your geographic location based on your IP address.
- Referral data. If you arrive at a Jotform website from an external source (such as a link on another website or in an email), we record information about the source that referred you to us.
- Information from third parties. We may collect your personal information or data from third parties, if you have given permission to those third parties to share your information.
- Information from page tags. We use third party tracking services that employ cookies and page tags (also known as web beacons) to collect aggregated and anonymized data about visitors to our websites. This data includes usage and user statistics. Emails sent by Jotform or by users through our services may include page tags that allow the sender to collect information about who opened those emails and clicked on links in them. We do this to allow the email sender to measure the performance of their email messaging and to learn how to improve email deliverability and open rates.
From Form Responders
When you fill in or complete a form used by one of our Customers, we collect information relating to you and your use of our services:
- Are your form responses anonymous?
You will need to ask the form creator as it depends on how the individual, company or organization has chosen to configure the form(s). We provide information to form creators on how they can collect responses anonymously. However, even if a form creator has followed those steps, specific questions in the form may still ask you for your personal information or data that could be used to identify you.
HOW WE USE AND DISCLOSE YOUR INFORMATION
We use information gathered from and provided by our Customers to do the following for our Customers:
Provide services and technical support, assist them with form design and creation, provide technical troubleshooting, manage our relationship with them, and to gather information on how they use our services.
Certain features of our services use the content of form questions and responses and Customer account information in additional ways. Feature descriptions will identify where this is the case. Customers can avoid the use of form data in this way by simply choosing not to use such features. For example, by using our form templates feature, to add questions to forms, you also permit us to aggregate the responses you receive to those questions with responses received by other form templates users who have used the same questions. We may then report statistics about the aggregated (and de-identified) data sent to you and other form creators.
If you choose to link your Jotform account with a third party account, such as your Google or Facebook account, Jotform may use the information you allow us to collect from those third parties to provide you with additional features, services, and personalized content.
In order to provide you with useful options to use the services together with social media and other applications, we may give you the option to export information to, and collect information from, third party applications and websites, including platforms such as Google and Twitter and social networking sites such as Facebook. When exporting and collecting such information, you may be disclosing your information to the individuals or organizations responsible for operating and maintaining such third party applications and sites, and your information may be accessible by others visiting or using those applications or sites. We do not own or operate third party applications or websites that you connect with – you should review the privacy policies and statements of such websites to ensure you are comfortable with the ways in which they use the information you share with them.
To manage our services. We use your information, including certain form data, for the following limited purposes:
- To monitor, maintain, and improve our services and features. We internally perform statistical and other analysis on information we collect, including usage data, device data, referral data, question and response data and information from page tags, to analyze and measure user behavior and trends, to understand how people use our services, and to monitor, troubleshoot and improve our services, including to help us evaluate and design new features. We may use your information internally in order to keep our services secure and operational, such as for troubleshooting and testing purposes, and for service improvement, marketing, research and development purposes.
- To prevent potentially illegal activities.
- To screen for and prevent undesirable or abusive activity. For example, we have automated systems that screen content for activities such as, phishing, spam, and fraud.
To create new services, features or content. We may use your form data and form metadata (that is, data about the characteristics of a form) for our internal purposes to create and provide new services, features or content. Regarding form metadata, we may look at statistics like response rates, question and answer word counts, and the average number of questions in a form, and publish interesting observations about these for informational or marketing purposes. When we do this, neither individual form creators nor form responders will be identified or identifiable unless we have obtained their permission.
To facilitate account creation and the logon process. If you choose to link your Jotform account to a third party account, such as your Google or Facebook account, we use the information you allowed us to collect from those third parties to facilitate the account creation and login process.
To contact you about your service or account. We will occasionally send you communications of a transactional nature (e.g. service-related announcements, billing-related matters, changes to our services or policies, a welcome email when you first register). You are prevented from opting out of this type of communication since it is required to provide our services to you.
To contact you for marketing purposes. We will send you promotional emails only if you have consented to us contacting you for this purpose. You may opt out of these communications at any time by clicking on the “unsubscribe” link in them, or changing the relevant setting on your My Account page.
Legal Process and Law Enforcement Requests for Information
As a service provider, Jotform is legally required to turn over user data in our possession when we receive valid legal process from government authorities with proper jurisdiction. We strive to balance the needs of law enforcement and other legal process with the privacy of our customers and third parties who submit their information to our customers on their forms. Accordingly, we carefully review each legal and law enforcement request for information, and where we do produce personal information, we endeavor to produce only that information which is actually required.
For parties in North America, disclosures are governed by U.S. law and the Federal Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701-2712 . For parties outside the US, our disclosures are governed by the laws of the applicable jurisdiction. In general, we will turn over general information such as name, subscription inception date, information on form creation, email address, registration IP address, and, where we believe required, billing information. We require a valid subpoena, or a law enforcement request issued in connection with an official criminal investigation.
We do not sell personal information gathered from form responses. We won’t use any contact details collected in our customers’ forms to contact form responders.
See the section above for information on how we use data provided by our Customers or to which our Customers have given us access.
No Sale or Leasing of Your Information
We will not sell or lease your personal information to any third party. We may disclose aggregate demographic and statistical information with our business partners, but this information is not specific to the identification of you as an individual.
We may disclose information with third parties, for limited purposes, as follows:
- Your email address to your organization. If the email address under which you’ve registered your account belongs to or is controlled by an organization, we may disclose that email address to that organization in order to help it understand who associated with that organization uses our services, and to assist the organization with its enterprise accounts.
- Aggregated or de-identified (anonymized) information to third parties to improve or promote our services. We do this so that no individuals can reasonably be identified or linked to any part of the information we share with third parties to improve or promote our services.
- Your information if required or permitted by law. We may disclose your information as required or permitted by law, or when we believe that disclosure is necessary to protect our rights, protect your safety or the safety of others, and/or to comply with a judicial proceeding, court order, subpoena, or other legal process served on us.
- Your information if there’s a change in business ownership or structure. If ownership of all or substantially all of our business changes, or we undertake a corporate reorganization, including a merger, acquisition or consolidation or any other action or transfer between Jotform entities, you expressly consent to Jotform Inc. transferring your information to the new owner or successor entity so that we can continue providing our services.
- Information you expressly consent to be shared. For example, Jotform Inc. may expressly request your permission to provide your contact details to third parties for various purposes, including to allow those third parties to contact you for marketing purposes. If you give your permission, you may later revoke your permission, but if you wish to stop receiving communications from a third party to which we provided your information with your permission, you will need to contact that third party directly.
- If you’re a Customer, you are able to control who can take your form by changing your collector settings. For example, forms can be made completely public, and indexable by search engines. You can also choose to share your form responses instantly or at a public location.
By using our services or visiting our websites, you consent to the above-described disclosures.
In some cases, the applications or user interfaces you encounter while on our sites are managed by third parties, who may require that you provide your personal information. We are not responsible for the privacy practices of these third party services or applications. We recommend carefully reviewing the user terms and privacy statement of each third party service, website, and/or application prior to use.
HOW LONG WE RETAIN YOUR INFORMATION
REQUESTS TO DELETE, AMEND OR WITHDRAW CONSENT – NON-EEA, UK OR AUSTRALIAN RESIDENTS
ADDITIONAL TERMS FOR EUROPEAN ECONOMIC AREA, UK AND AUSTRALIA RESIDENTS
Legal Basis for Use of Your Information
Personal information that we collect is processed under the following legal basis:
Our legitimate interests. This includes:
- to enable us to provide our products and services and website use and access to you
- for analytics, to gather metrics to better understand how users use the our websites, and to evaluate and improve our websites
- to prevent fraud and other illegal activity
- the legitimate interests of others (for example, to ensure the security of our website)
- to comply with legal obligations, as part of our general business operations, and for other internal business administration purposes
- if we collect demographic information from you (such as gender and ethnic origin) in order to carry out diversity monitoring and such information is not collected in an anonymous format, then we rely on our legitimate interest to do so.
See our GDPR page at https://www.jotform.com/gdpr-compliance/.
This policy relates to the requirements of the Australian Privacy Principles (APP) contained in the Australian Privacy Act 1988 (the Act). This policy applies to the collection of Australian residents’ personal information by customers of Jotform utilising our service provision in the Australian region. In circumstances where it is construed as an APP Entity, Jotform complies with the APP and has implemented suitable controls and measures to ensure that personal information is collected, held and disclosed in a manner that is secure
Collection of Personal Information
Disclosure (Data Sharing)
Information that is collected by our customers may be disclosed to and stored on our servers (and backups) which are provided by Google Cloud Platform (GCP) and by Amazon Web Services (AWS). This may include overseas disclosures and Australian resident personal information may be transferred to cloud providers based in the United States of America. We work closely with our service providers to ensure a high standard of security is maintained to ensure that personal information is protected from unauthorized access. Our cloud service providers also have certifications including ISO27001 and SOC 2 which evidence high standards of information security management.
As an Australian resident you have rights under the Australian Privacy Act 1988. You have the right to access your personal information, and to have your personal information corrected if it is not accurate. We will respond to your request as soon as is practicable. Ordinarily a charge will not be required for this service, unless the request is excessive or requires significant resources. To exercise these rights, contact firstname.lastname@example.org.
Making a Complaint
As an Australian resident whose personal information we may have collected, you can make a complaint to us using the email address below, and we will deal with the issues you are reporting as swiftly as we can. If you are not satisfied with our response, you can make a complaint to the Office of the Australian Information Commissioner (OAIC) by emailing this address https://www.oaic.gov.au/privacy/privacy-complaints
Contact UsFor further information, or to make a request for access or correction of personal information, please contact us by email at email@example.com.
Transfer Impact Assessment
Please see our transfer impact assessment page for information that may assist you in assessing potential transfers of data to the United States from within the EU or UK.
Deletion of Personal Information
Access, Update, Data Portability and Other Rights
You may also be entitled to access your information, update your personal information which is out of date or incorrect, restrict use of your personal information in certain specific circumstances, place a data portability request (applicable only when we use your personal information on the basis of your consent or performance of a contract, and where our use of your information is carried out by automated means), and ask us to consider any valid objections which you have to our use of your personal information where we process it on the basis of our or another person’s legitimate interest. Requests should be directed via this form.
Use of our websites is intended for adults at least eighteen (18) years of age. We do not knowingly collect personally-identifying information from children under the age of thirteen (13).
You also have the right to lodge a complaint before a supervisory data protection authority regarding our data processing. If you are in Europe, an up to date list of data protection authorities is available at https://edpb.europa.eu/about-edpb/board/members_en. If you are in the UK, the data protection authority is the UK Information Commissioner’s Office available at https://ico.org.uk/.
Despite the July 12, 2016 decision of the European Commission’s Decision (EU) 2016/1250 regarding Privacy Shield, the U.S. Department of Commerce still requires adherence to Privacy Shield Principles. As such, Jotform continues to comply with those principles and to remain certified by the U.S. Department of Commerce. Where applicable, Jotform has committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-privacy-shield for more information. Jotform is committed to abiding by the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability.
How to Contact Us Regarding Your Personal Information
Representation for Data Subjects in the EU
We value your privacy and your rights as a data subject and have therefore appointed Prighter as our privacy representative and your point of contact.
Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative Prighter or make use of your data subject rights, please visit: https://prighter.com/q/11830216921
Last Update: Mar 06, 2023