Privacy Policy

How AgentForms collects, uses, and protects your data.

Last updated: March 13, 2026

1. Introduction & Data Controller

AgentForms (agentforms.dev) is an API service that lets AI agents collect structured human input via web forms. The service is operated by Adriano Sanges ("we", "us", "our").

For questions about this policy or your data, contact us at [email protected].

2. Our Role: Controller vs. Processor

We act in two distinct capacities depending on the data involved:

• Data Controller — for data we collect from our API customers (account holders), such as IP addresses, API key metadata, and usage data. We determine the purposes and means of processing this data.
• Data Processor — for form response data submitted by end users (form respondents) through forms created by our customers. Our customers determine what data their forms collect; we only process it on their behalf in accordance with their instructions.

3. Data We Collect

From API customers (account holders)

• IP address — collected at registration. We enforce a limit of one account per IP address, lifetime.
• API key hash and prefix — we store a cryptographic hash of your API key along with a short prefix for identification. We never store your full API key.
• Usage data — form creation counts, response counts, webhook usage, and related operational metrics.
• Plan information — your current subscription tier and associated limits.

From form respondents

When someone fills out a form created through AgentForms, we process whatever data the form creator (our customer) has configured the form to collect. This may include names, email addresses, or any other information the customer's form fields request. We process this data solely on behalf of the customer who created the form.

From website visitors

We use Simple Analytics for website analytics. Simple Analytics does not collect personal data, does not use cookies, and does not track visitors across websites. Only aggregate page view data is collected.

Billing data

Lemon Squeezy acts as our merchant of record for all billing and payment processing. We do not collect, store, or process any payment information (credit card numbers, billing addresses, etc.) directly. We only store a Lemon Squeezy customer ID reference to associate your account with your subscription.

4. Purposes of Processing

• Service delivery — to create forms, process responses, and deliver them to the appropriate API customer.
• Billing — to manage subscriptions and enforce plan limits, in coordination with Lemon Squeezy.
• Abuse prevention — to enforce the one-account-per-IP limit and detect misuse of the service.
• Analytics — to understand how our website is used and improve our service, via privacy-friendly, cookieless analytics.

5. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

• Contractual necessity (Art. 6(1)(b) GDPR) — processing necessary to provide the AgentForms service to our customers, including account creation, form processing, and response delivery.
• Legitimate interest (Art. 6(1)(f) GDPR) — processing for abuse prevention (IP-based registration limits) and service security. We have assessed that these interests do not override the fundamental rights of data subjects.
• Consent (Art. 6(1)(a) GDPR) — where required by applicable law for specific processing activities. You may withdraw consent at any time by contacting us.

When we act as a data processor for form response data, our customers (as data controllers) are responsible for establishing the appropriate legal basis for their collection of data from form respondents.

6. Data Retention

Form response data is retained based on your subscription plan:

• Free plan — responses are retained for 7 days
• Pro plan — responses are retained for 90 days
• Team plan — responses are retained for 365 days

After the retention period, form response data is permanently deleted.

Account data (IP address, API key hash, plan info) is retained for as long as your account remains active. If you request account deletion, we will remove your data within 30 days.

Operational logs are rotated and deleted on a regular schedule and are not retained indefinitely.

7. Third-Party Services & Sub-processors

We use the following third-party services to operate AgentForms:

• Lemon Squeezy — merchant of record for payment processing and subscription management. Their privacy policy.
• Simple Analytics — privacy-first, cookieless website analytics. Their privacy policy.
• Hosting provider — our infrastructure provider that hosts the API and form data. Data is stored securely with appropriate access controls.

8. International Data Transfers

Your data may be processed in countries outside your country of residence. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• The EU-U.S. Data Privacy Framework (DPF), where applicable
• Adequacy decisions by the European Commission, where available

9. Your Rights

Under the GDPR (EEA residents)

You have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — request correction of inaccurate data.
• Erasure — request deletion of your personal data ("right to be forgotten").
• Data portability — receive your data in a structured, commonly used format.
• Restriction — request that we limit how we process your data.
• Objection — object to processing based on legitimate interest.

You also have the right to lodge a complaint with a supervisory authority.

Under the CCPA (California residents)

You have the right to:

• Know — request information about the personal data we collect and how we use it.
• Delete — request deletion of your personal data.
• Opt-out of sale — we do not sell personal data. We have never sold personal data and have no plans to do so.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

10. Children's Privacy

AgentForms is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at [email protected] and we will promptly delete it.

11. Cookies and Tracking

AgentForms does not use cookies. Our analytics provider, Simple Analytics, is fully cookieless and does not track users across websites or sessions. As a result, no cookie consent banner is required.

We do not use any third-party tracking scripts, advertising pixels, or fingerprinting technologies.

12. Security Measures

We take the security of your data seriously and implement the following measures:

• Encryption in transit — all data transmitted to and from AgentForms is encrypted using TLS.
• Hashed API keys — API keys are stored as cryptographic hashes. We never store your full key in plain text.
• Access controls — strict access controls limit who and what can access stored data.

While we strive to protect your data, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to [email protected].

13. Customer Responsibilities

If you use AgentForms to collect data from other people (form respondents), you are the data controller for that data. You are responsible for:

• Providing your own privacy notice to form respondents, informing them of what data you collect and why.
• Ensuring you have a lawful basis for collecting the data.
• Responding to data subject requests from your form respondents.
• Complying with all applicable privacy laws in your jurisdiction.

AgentForms processes form response data on your behalf as a data processor. We will not use form response data for any purpose other than providing the service to you.

14. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

Continued use of AgentForms after changes are posted constitutes your acceptance of the revised policy.

15. Contact

If you have any questions about this privacy policy or our data practices, please contact us:

Email: [email protected]