Privacy Policy
Who We Are
HexaForms is an AI-powered form builder developed and operated by Ereace S.L., a company incorporated in Spain (EU).
Data controller: Ereace S.L., Spain
Contact: info@ereace.es
What Data We Collect and Why
| Data | Purpose | Legal basis |
|---|---|---|
| Account data (name, email, password hash) | Create and manage your HexaForms account | Contract performance |
| Form submissions you receive from your users | Core service — store and deliver form responses to you | Contract performance |
| Partial session data (fields filled before abandonment) | Revenue-recovery feature — allows you to follow up on incomplete forms | Legitimate interest (yours, as form owner) |
| Form analytics (field interactions, time-on-field, exit points) | Show you funnel metrics and conversion data | Legitimate interest |
| AI analysis results (spam score, lead score, email validation) | Filter spam and score lead quality on your behalf | Contract performance |
| Billing data (handled by Stripe — we do not store card numbers) | Process subscription payments | Contract performance |
| Usage data (API calls, submissions count, features used) | Enforce plan limits and improve the product | Legitimate interest |
| Support communications (emails you send us) | Respond to your questions | Legitimate interest |
We do not collect: precise geolocation, device fingerprints, or any data beyond what is needed to provide the service.
Your Users' Data (You Are the Controller)
When your visitors fill in forms you have created with HexaForms, you are the data controller for that data. Ereace S.L. acts as a data processor on your behalf.
You are responsible for: having a lawful basis to collect that data, providing your own privacy notice to your users, and responding to their data rights requests. Our processing of that data is governed by a Data Processing Agreement (DPA) — contact us at info@ereace.es if you need a signed copy.
Where Data Is Stored
All data is stored on AWS infrastructure in the EU (region: eu-west-1, Ireland). We do not transfer personal data outside the European Economic Area (EEA) as part of standard operations.
Third-party sub-processors we use:
- Amazon Web Services (AWS) — infrastructure, storage, compute (EU region)
- Stripe — payment processing (they are an independent controller for billing data)
- AI providers (DeepSeek, OpenAI, Anthropic) — submission analysis only; data is not retained by providers for training under our enterprise agreements
- Google Fonts — font delivery (IP address, standard CDN request)
Data Retention
- Account data: kept while your account is active, deleted within 30 days of account closure on request.
- Form submissions: kept according to your plan limits. You can delete submissions at any time from your dashboard.
- Partial session data: auto-deleted after 90 days if not converted to a full submission.
- Billing records: retained for 7 years as required by Spanish tax law.
- Support emails: kept for 2 years.
Cookies and Tracking
HexaForms uses minimal cookies:
- Session cookies — keep you logged into the dashboard. Essential, not optional.
- sessionStorage (widget) — stores a temporary session ID while a visitor fills in a form. Cleared when the browser tab closes.
We do not use advertising cookies, third-party tracking pixels, or Google Analytics on the HexaForms platform or this landing page.
Your Rights Under GDPR
As an EU/EEA resident, you have the right to:
- Access — request a copy of your personal data.
- Rectification — correct inaccurate data.
- Erasure — request deletion ("right to be forgotten"), subject to legal retention obligations.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interest.
- Restriction — ask us to limit processing while a dispute is resolved.
- Withdraw consent — at any time, where processing is consent-based.
To exercise any right, email info@ereace.es. We will respond within 30 days. You also have the right to lodge a complaint with the Spanish data protection authority (AEPD): www.aepd.es.
Changes to This Policy
We will notify registered users by email of any material changes to this policy at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.