Privacy Policy
Last updated: April 12, 2026
1. Who We Are
MagicForm is operated by Always be Shipping B.V., registered at Vondelstraat 19, 1901 HT Castricum, the Netherlands. In this Privacy Policy, "MagicForm", "we", "us", and "our" refer to Always be Shipping B.V.
For privacy-related inquiries, contact us at: legal@getmagicform.com
2. Scope & Roles
This Privacy Policy applies to:
- Users — individuals and organizations that create a MagicForm account and use the Service to build and manage forms.
- Website Visitors — individuals who visit getmagicform.com.
- Respondents — individuals who fill out forms created by Users through the MagicForm widget.
Data controller and processor roles
| Context | Controller | Processor |
|---|---|---|
| User account data (name, email, billing) | MagicForm | — |
| Website visitor data (analytics, cookies) | MagicForm | — |
| Respondent data (form submissions) | The User who created the form | MagicForm |
When a Respondent submits a form, the User is the data controller for that submission data. MagicForm processes it on the User's behalf as a data processor under Article 28 GDPR. Users are responsible for having a lawful basis to collect Respondent data and for informing Respondents about how their data is used.
3. What Data We Collect
3.1 Account data (Users)
When you create an account, we collect:
- First name and last name
- Email address
- Organization name (if provided)
- Authentication credentials (password hash or OAuth token — we never store plaintext passwords)
3.2 Billing data (Users on paid plans)
When you subscribe to a paid plan, we collect billing details (name, address, payment method) through our payment processor. We do not store credit card numbers or bank account details on our servers. All financial data is handled and stored by our payment processor in accordance with PCI-DSS standards.
3.3 Usage data (Users and Visitors)
We automatically collect:
- IP address
- Browser type and version
- Device type and operating system
- Pages visited and actions taken within the Service
- Referrer URL (how you arrived at our site)
- Approximate location (derived from IP address, not precise geolocation)
3.4 Form submission data (Respondents)
When someone fills out a MagicForm, we collect and store on behalf of the User:
- Field values entered by the Respondent
- Submission metadata: IP address, browser user agent, referrer URL, device type
- UTM parameters and ad platform click IDs (if present on the embedding page URL)
- Cookies detected on the embedding page (Google Analytics client ID, Facebook Pixel IDs — only if these cookies are already set by the embedding site)
- Files uploaded through form fields
- Analytics events: form views, step completions, form submissions, and abandonment signals
MagicForm does not control what data Users choose to collect through their forms. Users are responsible for ensuring their forms comply with applicable privacy laws and for providing appropriate privacy notices to Respondents.
3.5 Integration data
When Users connect third-party services (HubSpot, Slack, Google Sheets, webhooks), we store:
- OAuth tokens (encrypted at rest using AES-256-GCM)
- Integration configuration (connected accounts, channel selections, field mappings)
- Delivery logs (job status, timestamps, attempt history)
For details specific to Google APIs (Google Sheets integration and Sign in with Google), see §10.
4. Why We Process Data
4.1 User and Visitor data
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide and operate the Service | Performance of contract (Art. 6(1)(b)) |
| Process payments and manage subscriptions | Performance of contract (Art. 6(1)(b)) |
| Send transactional emails | Performance of contract (Art. 6(1)(b)) |
| Send product updates and marketing communications | Legitimate interest (Art. 6(1)(f)) or consent where required |
| Analyze usage to improve the Service | Legitimate interest (Art. 6(1)(f)) |
| Detect and prevent fraud or abuse | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations (tax, accounting) | Legal obligation (Art. 6(1)(c)) |
4.2 Respondent data
We process Respondent data solely on the instructions of the User (data controller) to provide the Service. Our legal basis is Article 28 GDPR (processor obligations). We do not use Respondent data for our own purposes.
5. How We Share Data
We do not sell personal data. We share data only with the following categories of recipients, all of whom are bound by appropriate data protection agreements:
Service providers
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | Frankfurt, Germany (EU) |
| Vercel | Application hosting and edge delivery | EU (primary), global CDN |
| Resend | Transactional email delivery | US (EU SCCs in place) |
| Sentry | Error monitoring | EU |
| Upstash | Rate limiting | EU |
| Giphy | GIF search for success screen content blocks | US |
User-configured integrations
When a User configures integrations, Submission Data is transmitted to third-party services as directed by the User:
- HubSpot — contact, deal, and company data
- Slack — formatted submission notifications
- Google Sheets — submission data as spreadsheet rows
- Webhooks — submission data to User-specified URLs
These transmissions are initiated by the User's configuration. The User is responsible for ensuring compliance with the third party's terms and applicable data protection laws.
Legal requirements
We may disclose data if required by law, legal process, or governmental request, or to protect the rights, property, or safety of MagicForm, our Users, or the public.
6. Data Storage & Transfers
Storage location
All primary data (accounts, forms, submissions, files) is stored in Frankfurt, Germany (EU-West) on Supabase infrastructure.
International transfers
Some service providers process data outside the EU/EEA. Where this occurs, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Certification under recognized frameworks
| Provider | Location | Safeguard |
|---|---|---|
| Resend | US | Standard Contractual Clauses |
| Giphy | US | Standard Contractual Clauses |
When Users transmit Submission Data to third-party services via integrations, the data may be transferred to locations determined by the third-party service. Users are responsible for evaluating the data protection practices of services they choose to connect.
7. Data Retention
Account data
We retain your account data for as long as your account is active. If you delete your account, we remove your personal data within 30 days, except where we are required to retain it for legal or accounting purposes (up to 7 years for tax-related records under Dutch law).
Submission data
Submission Data is retained for as long as the User's account is active and the User chooses to keep it. Users can delete individual submissions or all form data at any time through the Service. Deleted Submission Data is permanently removed and cannot be recovered.
Analytics events
Form analytics events (views, step completions, abandonment) are retained for 7 days and then automatically deleted. Aggregated, non-personal statistics derived from these events may be retained longer.
Rate limiting data
Hashed IP addresses used for rate limiting are stored temporarily and automatically expire within 24 hours.
OAuth integration tokens
OAuth tokens for connected third-party integrations (including Google) are retained while the integration is connected and deleted within 30 days of disconnection or account deletion. See §10.6 for Google-specific details.
After account termination
Upon account termination, we make Submission Data available for export for 30 days. After this period, all User Content and Submission Data is permanently deleted.
8. Your Rights
Users (account holders)
Under the GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict processing of your data
- Port your data to another service (in a structured, machine-readable format)
- Object to processing based on legitimate interest
- Withdraw consent at any time (where processing is based on consent)
To exercise these rights, contact us at legal@getmagicform.com. We will respond within 30 days.
Respondents (people who filled out a form)
If you submitted data through a MagicForm, the User who created the form is the data controller for your data. Please contact the form creator directly to exercise your rights (access, correction, deletion).
If you cannot reach the form creator, contact us at legal@getmagicform.com and we will make reasonable efforts to assist you. We will forward your request to the relevant User and cooperate in fulfilling it.
9. Cookies & Tracking
Cookies we set
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| Authentication session | Keep you logged in | Session / 7 days | Strictly necessary |
Cookies we read (embed widget)
When a form is embedded on a third-party website, the MagicForm widget may read (but does not set) the following cookies if they are already present on the embedding site:
| Cookie | Source | Purpose |
|---|---|---|
| _ga | Google Analytics | Client ID — used for marketing attribution in submission metadata |
| _fbp | Facebook Pixel | Browser ID — used for marketing attribution in submission metadata |
| _fbc | Facebook Pixel | Click cookie — used for marketing attribution in submission metadata |
These values are stored as Submission metadata to support the User's marketing attribution. The embedding site's own cookie policy governs whether these cookies are set.
Analytics
We use privacy-focused analytics to understand how the Service is used. We do not use Google Analytics or similar third-party tracking on the MagicForm application.
Opting out
You can control cookies through your browser settings. Disabling strictly necessary cookies may prevent you from using the Service. Marketing communications can be opted out of via the unsubscribe link in any email.
10. Google User Data
10.1 When this section applies
This section specifically describes how MagicForm accesses, uses, stores, and shares data obtained from Google APIs. It applies when:
- A User connects the Google Sheets integration to send form submissions to a spreadsheet, and
- A User chooses to sign in to MagicForm with their Google account (authentication handled via Supabase Auth).
10.2 Data Accessed
For the Google Sheets integration, MagicForm requests a single OAuth scope: https://www.googleapis.com/auth/drive.file. This scope grants per-file access only — MagicForm can read and write only the spreadsheet(s) the User explicitly selects through Google's own file picker. We do not have visibility into the rest of the User's Google Drive.
For Sign in with Google, MagicForm (via Supabase Auth) receives the basic identity profile: email address, name, profile picture URL, and the Google account identifier.
MagicForm requests offline access so it can continue syncing submissions on the User's behalf after the initial authorization. A refresh token is issued by Google and stored as described in §10.5.
10.3 Data Usage
MagicForm uses Google user data strictly for the following purposes:
- Allowing the User to choose a destination spreadsheet via Google's file picker.
- Appending rows to the User-selected spreadsheet when a new form submission is received.
- Authenticating the User when they sign in with Google.
MagicForm's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
We do not use Google user data to:
- Train, fine-tune, or improve any AI/ML models (ours or any third party's).
- Serve advertising or build advertising profiles.
- Enable any use case outside the user-facing features described above.
Human access to Google user data is limited to what is necessary for security, legal compliance, or troubleshooting at the User's explicit request.
10.4 Data Sharing
We do not sell Google user data and we do not share it with advertisers, data brokers, or AI providers. Google user data is only handled by the infrastructure sub-processors already listed in §5 that are strictly necessary to operate the Service:
- Supabase (Frankfurt, EU) — encrypted token storage and database.
- Vercel — application hosting and request handling.
- Sentry (EU) — error monitoring. Tokens are never logged to Sentry.
Form submission rows that a User chooses to write into their own Google Sheet remain inside the User's own Google account. MagicForm does not retain a separate copy of the spreadsheet's existing contents.
10.5 Data Storage & Protection
- Google OAuth access tokens and refresh tokens are encrypted at rest using AES-256-GCM before being stored in our database (Supabase, Frankfurt, EU).
- All traffic between the User's browser, MagicForm, and Google APIs is encrypted in transit with TLS 1.2+.
- Tokens are isolated per User via database row-level security and are only decrypted in-memory at the moment of an API call.
- We follow the security practices described in §11, including infrastructure hosted in SOC 2 certified data centers.
10.6 Data Retention & Deletion
Google OAuth tokens are retained only while the integration is connected. A User may revoke MagicForm's access to their Google data at any time through any of the following methods:
- Disconnecting the Google Sheets integration from the Integrations page inside MagicForm.
- Revoking access directly on Google at myaccount.google.com/permissions.
- Deleting their MagicForm account, which cascades to all connected integrations.
Upon disconnection, account deletion, or a direct request to legal@getmagicform.com, all Google OAuth tokens and any cached Google Drive file metadata are permanently deleted within 30 days. Data that has already been written into the User's own Google Sheet remains in the User's Google account and is under the User's sole control.
11. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+)
- Encryption at rest for sensitive data (AES-256-GCM for integration tokens)
- Row-level security on database tables
- Authentication via secure session tokens
- Rate limiting on public API endpoints
- Infrastructure hosted in SOC 2 certified data centers (Supabase/AWS)
No system is completely secure. If we become aware of a data breach that poses a risk to your rights and freedoms, we will notify affected Users and the relevant supervisory authority within 72 hours as required by Article 33 GDPR.
12. Children's Data
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If a User uses MagicForm to collect data from children, the User is responsible for compliance with applicable child data protection laws (including obtaining verifiable parental consent where required).
If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that data promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify account holders by email at least 14 days before material changes take effect
- Post a notice within the Service
Your continued use of the Service after the updated policy takes effect constitutes your acceptance of the changes.
14. Supervisory Authority
If you are in the EU/EEA and believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. In the Netherlands, this is:
Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Phone: +31 (0)88 1805 250
We encourage you to contact us first at legal@getmagicform.com so we can address your concern directly.
15. Contact
For any questions or requests related to this Privacy Policy:
MagicForm (Always be Shipping B.V.)
Vondelstraat 19, 1901 HT Castricum, Netherlands
Email: legal@getmagicform.com