joliform

Privacy Policy

Last updated: March 6, 2026

1. Introduction

This Privacy Policy explains how Joliform ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our website and service at joliform.com. Joliform is a web application that applies visual themes to Google Forms.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

Joliform is operated as a solo-developer project. For any privacy-related inquiries, you can contact us at:

3. What Data We Collect

3.1 Account Data (via Google OAuth)

When you sign in with Google, we receive and store the following information:

  • Your name
  • Your email address
  • Your profile picture URL
  • Your Google account ID
  • A Google OAuth access token and refresh token (used to read your Google Forms)

This data is stored in our database and associated with your Joliform account.

3.2 Application Data

When you use Joliform, we store:

  • Which Google Forms you have connected to Joliform (Google Form IDs)
  • Your selected theme for each form
  • Your custom form slugs (e.g., joliform.com/f/my-form)
  • Your publishing status (draft or active) for each form
  • Your subscription plan (Free or Pro)
  • Timestamps of account creation and last update

3.3 Waitlist Data

If you sign up for our Pro waitlist, we collect:

  • Your email address (pre-filled from your Google account if you are logged in)
  • The source of your signup (e.g., landing page, dashboard)
  • A timestamp

3.4 Server Logs and Analytics

Our infrastructure (Cloudflare and Hetzner) may collect standard server logs including IP addresses, browser user agent strings, page URLs visited, and request timestamps. Cloudflare provides basic, privacy-respecting analytics on our behalf.

We do not use Google Analytics or any third-party behavioral tracking tools.

4. What Data We Do NOT Collect

This is important: Joliform does not collect, store, process, or have access to the responses submitted to your Google Forms. All form submissions are handled entirely by Google and delivered to your Google Sheets. Joliform only reads the structure of your form (questions, sections, field types) via the Google Forms API using the forms.body.readonly scope — never the responses.

5. How We Use Your Data

We use your personal data for the following purposes:

  • Authentication: To sign you in and maintain your session via Google OAuth.
  • Service delivery: To read your Google Forms structure, apply themes, and serve your published forms at your custom Joliform URLs.
  • Account management: To manage your profile, subscription tier, and form configurations.
  • Communication: To notify you about service changes, and to contact waitlist subscribers when the Pro tier launches.
  • Security and abuse prevention: To protect the service from unauthorized access and enforce our Terms of Service.

6. Legal Basis for Processing (GDPR)

We process your data on the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR): Processing your account data and application data is necessary to provide the Joliform service you signed up for.
  • Legitimate interest (Art. 6(1)(f) GDPR): Server logs and basic analytics are processed in our legitimate interest to maintain security, monitor service health, and prevent abuse.
  • Consent (Art. 6(1)(a) GDPR): Waitlist signups are based on your explicit consent. You can withdraw at any time by contacting us.

7. Data Storage and Hosting

Your data is stored in a PostgreSQL database hosted on a Hetzner VPS located in an EU datacenter (Germany). Backups are stored on Cloudflare R2 (with data residency options within the EU).

Our infrastructure providers are:

  • Hetzner Online GmbH (Germany) — Server hosting and block storage
  • Cloudflare, Inc. (USA, with EU data processing) — DNS, CDN, DDoS protection, and backup storage

Both providers are GDPR-compliant. Cloudflare processes traffic data under Standard Contractual Clauses (SCCs) for any transfers outside the EU.

8. Data Retention

  • Account data: Retained for as long as your account is active. Deleted when you delete your account.
  • Application data (forms, themes, slugs): Retained for as long as your account is active. Deleted when you delete your account.
  • Waitlist data: Retained until the Pro tier launches and you are notified, or until you request removal.
  • Server logs: Retained for up to 30 days, then automatically purged.
  • Database backups: Retained for 7 days on a rolling basis.

9. Data Sharing

We do not sell, rent, or trade your personal data to third parties.

We share data only with the following categories of service providers, strictly for the purpose of operating the service:

  • Hetzner — Hosts our server and database.
  • Cloudflare — Provides DNS, CDN, and security services. Processes traffic metadata.
  • Google — We use Google OAuth and the Google Forms API for read-only access to the form structure of forms you choose to connect. Google's privacy policy governs how Google handles your data on their end.

We may also disclose your data if required by law, court order, or governmental authority.

10. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate data.
  • Right to erasure: Request deletion of your personal data (you can also do this directly by deleting your account in the dashboard Settings).
  • Right to restrict processing: Request that we limit how we use your data.
  • Right to data portability: Request your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests.
  • Right to withdraw consent: For consent-based processing (e.g., waitlist), you may withdraw at any time.

To exercise any of these rights, please email us at privacy@joliform.com. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority. In France, this is the CNIL (Commission Nationale de l'Informatique et des Libertés) at cnil.fr.

11. Security Measures

We take reasonable technical and organizational measures to protect your data, including:

  • Encrypted connections (HTTPS/TLS) for all traffic between your browser and our servers.
  • Database access restricted to internal Docker networks only — not exposed to the public internet.
  • SSH key-only server access with password authentication disabled.
  • Firewall rules limiting open ports to only those necessary (HTTP, HTTPS, SSH).
  • Secrets and credentials stored in environment variables, never committed to source code.
  • Automated daily database backups with 7-day retention.

While we strive to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

12. Cookies and Tracking

Joliform uses only strictly necessary cookies to maintain your authentication session (managed by Better Auth). These are functional session cookies and do not track your behavior across websites.

We do not use advertising cookies, analytics cookies, or third-party tracking pixels.

Cloudflare may set a __cf_bm cookie for bot management purposes. This is a functional security cookie and does not track users for advertising.

13. Children's Privacy

Joliform is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@joliform.com.

14. Third-Party Links

Our service or blog may contain links to third-party websites. We are not responsible for the privacy practices of those sites. We encourage you to read the privacy policies of any third-party service you visit.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top and, where possible, notify you via email.

Your continued use of Joliform after changes take effect constitutes acceptance of the updated policy.

16. Google API Services User Data Policy

Joliform's use of data received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.

16.1 What Google data we access

When you connect your Google account to Joliform, we access:

  • Profile data (via Google OAuth): your name, email address, and profile picture, used to create and identify your Joliform account.
  • Google Forms structure (via forms.body.readonly scope): the titles, sections, questions, and field types of the forms you choose to connect to Joliform. We read this to render a custom-themed version of your form.

16.2 How we use this data

Google user data is used solely to provide the Joliform service:

  • Profile data is used for authentication and to display your identity in the dashboard.
  • Form structure data is used exclusively to render your forms with your chosen visual theme at your Joliform URL.

We do not use Google user data to:

  • Serve advertising or track users for advertising purposes.
  • Sell or share data with third parties for their own use.
  • Build user profiles beyond what is necessary to operate Joliform.
  • Train machine learning models.

16.3 How this data is stored

All data is stored in a PostgreSQL database hosted on Hetzner (Germany, EU). The database is encrypted at rest and is not accessible from the public internet. Access tokens (OAuth credentials) are stored encrypted and used only to fetch form structure on your behalf.

16.4 Data deletion

You can delete all data associated with your Google account at any time by deleting your Joliform account from the Settings page in your dashboard (/dashboard/settings). You may also revoke Joliform's access to your Google account at any time via myaccount.google.com/permissions, independently of deleting your Joliform account.

17. Contact

For any privacy-related questions, concerns, or requests, please reach out to: