Privacy Policy
Last updated: March 14, 2026
1. Who We Are
MagicForm is operated by Always be Shipping B.V., registered at Vondelstraat 19, 1901 HT Castricum, the Netherlands. In this Privacy Policy, "MagicForm", "we", "us", and "our" refer to Always be Shipping B.V.
For privacy-related inquiries, contact us at: legal@getmagicform.com
2. Scope & Roles
This Privacy Policy applies to:
- Users — individuals and organizations that create a MagicForm account and use the Service to build and manage forms.
- Website Visitors — individuals who visit getmagicform.com.
- Respondents — individuals who fill out forms created by Users through the MagicForm widget.
Data controller and processor roles
| Context | Controller | Processor |
|---|---|---|
| User account data (name, email, billing) | MagicForm | — |
| Website visitor data (analytics, cookies) | MagicForm | — |
| Respondent data (form submissions) | The User who created the form | MagicForm |
When a Respondent submits a form, the User is the data controller for that submission data. MagicForm processes it on the User's behalf as a data processor under Article 28 GDPR. Users are responsible for having a lawful basis to collect Respondent data and for informing Respondents about how their data is used.
3. What Data We Collect
3.1 Account data (Users)
When you create an account, we collect:
- First name and last name
- Email address
- Organization name (if provided)
- Authentication credentials (password hash or OAuth token — we never store plaintext passwords)
3.2 Billing data (Users on paid plans)
When you subscribe to a paid plan, we collect billing details (name, address, payment method) through our payment processor. We do not store credit card numbers or bank account details on our servers. All financial data is handled and stored by our payment processor in accordance with PCI-DSS standards.
3.3 Usage data (Users and Visitors)
We automatically collect:
- IP address
- Browser type and version
- Device type and operating system
- Pages visited and actions taken within the Service
- Referrer URL (how you arrived at our site)
- Approximate location (derived from IP address, not precise geolocation)
3.4 Form submission data (Respondents)
When someone fills out a MagicForm, we collect and store on behalf of the User:
- Field values entered by the Respondent
- Submission metadata: IP address, browser user agent, referrer URL, device type
- UTM parameters and ad platform click IDs (if present on the embedding page URL)
- Cookies detected on the embedding page (Google Analytics client ID, Facebook Pixel IDs — only if these cookies are already set by the embedding site)
- Files uploaded through form fields
- Analytics events: form views, step completions, form submissions, and abandonment signals
MagicForm does not control what data Users choose to collect through their forms. Users are responsible for ensuring their forms comply with applicable privacy laws and for providing appropriate privacy notices to Respondents.
3.5 Integration data
When Users connect third-party services (HubSpot, Slack, Google Sheets, webhooks), we store:
- OAuth tokens (encrypted at rest using AES-256-GCM)
- Integration configuration (connected accounts, channel selections, field mappings)
- Delivery logs (job status, timestamps, attempt history)
4. Why We Process Data
4.1 User and Visitor data
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide and operate the Service | Performance of contract (Art. 6(1)(b)) |
| Process payments and manage subscriptions | Performance of contract (Art. 6(1)(b)) |
| Send transactional emails | Performance of contract (Art. 6(1)(b)) |
| Send product updates and marketing communications | Legitimate interest (Art. 6(1)(f)) or consent where required |
| Analyze usage to improve the Service | Legitimate interest (Art. 6(1)(f)) |
| Detect and prevent fraud or abuse | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations (tax, accounting) | Legal obligation (Art. 6(1)(c)) |
4.2 Respondent data
We process Respondent data solely on the instructions of the User (data controller) to provide the Service. Our legal basis is Article 28 GDPR (processor obligations). We do not use Respondent data for our own purposes.
5. How We Share Data
We do not sell personal data. We share data only with the following categories of recipients, all of whom are bound by appropriate data protection agreements:
Service providers
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | Frankfurt, Germany (EU) |
| Vercel | Application hosting and edge delivery | EU (primary), global CDN |
| Resend | Transactional email delivery | US (EU SCCs in place) |
| Sentry | Error monitoring | EU |
| Upstash | Rate limiting | EU |
| Giphy | GIF search for success screen content blocks | US |
User-configured integrations
When a User configures integrations, Submission Data is transmitted to third-party services as directed by the User:
- HubSpot — contact, deal, and company data
- Slack — formatted submission notifications
- Google Sheets — submission data as spreadsheet rows
- Webhooks — submission data to User-specified URLs
These transmissions are initiated by the User's configuration. The User is responsible for ensuring compliance with the third party's terms and applicable data protection laws.
Legal requirements
We may disclose data if required by law, legal process, or governmental request, or to protect the rights, property, or safety of MagicForm, our Users, or the public.
6. Data Storage & Transfers
Storage location
All primary data (accounts, forms, submissions, files) is stored in Frankfurt, Germany (EU-West) on Supabase infrastructure.
International transfers
Some service providers process data outside the EU/EEA. Where this occurs, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Certification under recognized frameworks
| Provider | Location | Safeguard |
|---|---|---|
| Resend | US | Standard Contractual Clauses |
| Giphy | US | Standard Contractual Clauses |
When Users transmit Submission Data to third-party services via integrations, the data may be transferred to locations determined by the third-party service. Users are responsible for evaluating the data protection practices of services they choose to connect.
7. Data Retention
Account data
We retain your account data for as long as your account is active. If you delete your account, we remove your personal data within 30 days, except where we are required to retain it for legal or accounting purposes (up to 7 years for tax-related records under Dutch law).
Submission data
Submission Data is retained for as long as the User's account is active and the User chooses to keep it. Users can delete individual submissions or all form data at any time through the Service. Deleted Submission Data is permanently removed and cannot be recovered.
Analytics events
Form analytics events (views, step completions, abandonment) are retained for 7 days and then automatically deleted. Aggregated, non-personal statistics derived from these events may be retained longer.
Rate limiting data
Hashed IP addresses used for rate limiting are stored temporarily and automatically expire within 24 hours.
After account termination
Upon account termination, we make Submission Data available for export for 30 days. After this period, all User Content and Submission Data is permanently deleted.
8. Your Rights
Users (account holders)
Under the GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict processing of your data
- Port your data to another service (in a structured, machine-readable format)
- Object to processing based on legitimate interest
- Withdraw consent at any time (where processing is based on consent)
To exercise these rights, contact us at legal@getmagicform.com. We will respond within 30 days.
Respondents (people who filled out a form)
If you submitted data through a MagicForm, the User who created the form is the data controller for your data. Please contact the form creator directly to exercise your rights (access, correction, deletion).
If you cannot reach the form creator, contact us at legal@getmagicform.com and we will make reasonable efforts to assist you. We will forward your request to the relevant User and cooperate in fulfilling it.
9. Cookies & Tracking
Cookies we set
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| Authentication session | Keep you logged in | Session / 7 days | Strictly necessary |
Cookies we read (embed widget)
When a form is embedded on a third-party website, the MagicForm widget may read (but does not set) the following cookies if they are already present on the embedding site:
| Cookie | Source | Purpose |
|---|---|---|
| _ga | Google Analytics | Client ID — used for marketing attribution in submission metadata |
| _fbp | Facebook Pixel | Browser ID — used for marketing attribution in submission metadata |
| _fbc | Facebook Pixel | Click cookie — used for marketing attribution in submission metadata |
These values are stored as Submission metadata to support the User's marketing attribution. The embedding site's own cookie policy governs whether these cookies are set.
Analytics
We use privacy-focused analytics to understand how the Service is used. We do not use Google Analytics or similar third-party tracking on the MagicForm application.
Opting out
You can control cookies through your browser settings. Disabling strictly necessary cookies may prevent you from using the Service. Marketing communications can be opted out of via the unsubscribe link in any email.
10. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+)
- Encryption at rest for sensitive data (AES-256-GCM for integration tokens)
- Row-level security on database tables
- Authentication via secure session tokens
- Rate limiting on public API endpoints
- Infrastructure hosted in SOC 2 certified data centers (Supabase/AWS)
No system is completely secure. If we become aware of a data breach that poses a risk to your rights and freedoms, we will notify affected Users and the relevant supervisory authority within 72 hours as required by Article 33 GDPR.
11. Children's Data
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If a User uses MagicForm to collect data from children, the User is responsible for compliance with applicable child data protection laws (including obtaining verifiable parental consent where required).
If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that data promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify account holders by email at least 14 days before material changes take effect
- Post a notice within the Service
Your continued use of the Service after the updated policy takes effect constitutes your acceptance of the changes.
13. Supervisory Authority
If you are in the EU/EEA and believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. In the Netherlands, this is:
Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Phone: +31 (0)88 1805 250
We encourage you to contact us first at legal@getmagicform.com so we can address your concern directly.
14. Contact
For any questions or requests related to this Privacy Policy:
MagicForm (Always be Shipping B.V.)
Vondelstraat 19, 1901 HT Castricum, Netherlands
Email: legal@getmagicform.com