Privacy Policy
Last updated: February 22, 2026
🔒 Plain-English Summary
We collect your email and usage data to run the platform. We don't sell your personal data. We use aggregated/anonymized usage data to improve the product. You can export or delete your data anytime. We send product emails — you can unsubscribe from marketing ones.
The full policy below governs.
1. Who We Are
LaunchQ ("we," "us," "our") operates the FormBox platform at formbox.gibby-workspace.com. We are the data controller for account and platform data. For data collected through your forms, you are the data controller and we act as your processor.
Questions? privacy@formbox.io
2. What Data We Collect
A. Account Data (you provide directly)
| Data | Why We Collect It |
|---|---|
| Email address | Login, notifications, transactional emails, and product updates |
| Hashed password | Account authentication — we never store plain text passwords |
| Name (optional) | Personalization |
| Billing info | Processed and stored by Stripe — we never see or store card numbers |
| Account creation date | Service records |
B. Usage Data (collected automatically)
| Data | Why We Collect It |
|---|---|
| Pages visited, features used, click patterns | Improving the product; understanding what's working |
| IP address | Security, fraud prevention, and spam detection |
| Browser / device type | Compatibility testing and debugging |
| Referrer URL | Understanding where users come from |
| Session duration and frequency | Product analytics and engagement metrics |
C. Form Submission Data (collected on your behalf)
When your end users submit your forms, we store:
- All fields submitted (defined by you)
- Submission timestamp, IP address, user agent, and referrer
- Spam score and classification data
You are the controller of this data. We process it only on your behalf, per your configuration, and per these Terms.
🚫 What We Don't Do
- We do not sell your personal data or your subscribers' personal data to advertisers or data brokers
- We do not use tracking pixels or third-party ad networks
- We do not use fingerprinting techniques
- We do not share individually identifiable data with third parties except as described in this policy
3. How We Use Your Data
We use the data we collect to:
- Provide and operate the Service — hosting, authentication, email delivery, form processing
- Send transactional emails — signup confirmations, form submission alerts, billing receipts, password resets (required for the Service; cannot be opted out)
- Send product and marketing emails — new features, tips, case studies, offers (you can unsubscribe at any time)
- Prevent fraud and abuse — spam detection, rate limiting, account security
- Improve the Service — analyzing aggregated usage patterns to build better features and fix bugs
- Customer support — investigating issues and responding to requests
- Legal compliance — responding to lawful requests from authorities or enforcing our Terms
- Business operations — billing, accounting, and business analytics
4. Aggregated & Anonymized Data
We may create and use aggregated, anonymized, or de-identified datasets derived from your use of the Service (for example: "X% of waitlists have over 100 subscribers," "the average conversion rate for hosted waitlist pages is Y%"). This data cannot reasonably be used to identify you or any individual.
We use this data freely for any business purpose, including product development, benchmarking, public reports, marketing content, and investor materials. We will never attribute this data to you individually without your express consent.
5. How Long We Keep Your Data
| Data Type | Retention |
|---|---|
| Account data | For the life of your account, plus up to 30 days after deletion for backup purge |
| Form submissions | Until you delete them, your account, or your configured retention period expires |
| Billing records | 7 years (required by law) |
| Security logs (IP, access logs) | Up to 90 days |
| Aggregated/anonymized analytics | Indefinitely — this data cannot identify you |
You may configure custom data retention periods for each form in your dashboard (e.g., auto-delete submissions after 30, 60, or 90 days).
6. Who We Share Data With
We share data only in the following circumstances:
Service Providers (Processors)
We use trusted third-party service providers who process data on our behalf:
- Stripe — payment processing (they store payment data; we don't)
- Amazon Web Services — cloud hosting and infrastructure
- Email delivery providers — sending transactional and notification emails
All service providers are contractually bound to use your data only as directed by us and to maintain appropriate security measures.
Legal Requirements
We may disclose your data when required by law, court order, subpoena, or government request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
Business Transfers
If LaunchQ is involved in a merger, acquisition, asset sale, or other business transaction, your data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website before your data becomes subject to a different privacy policy.
With Your Consent
We may share your data for any other purpose with your explicit consent.
7. Cookies & Tracking
We use only essential cookies necessary to operate the Service:
| Cookie | Purpose | Duration |
|---|---|---|
| session_token | Keeps you logged in (HTTP-only, Secure) | Session / 30 days |
| csrf_token | Prevents cross-site request forgery attacks | Session |
We do not use advertising cookies, behavioral tracking cookies, or third-party analytics cookies. You cannot opt out of essential cookies because the Service cannot function without them.
8. Data Security
We implement industry-standard security measures including:
- TLS/HTTPS encryption for all data in transit
- Bcrypt password hashing — we never store plain text passwords
- Cryptographically secure session tokens
- Fail2ban intrusion prevention and SSH hardening
- Daily encrypted database backups with 14-day retention
- Regular security audits and patch management
⚠️ No Absolute Security Guarantee
No method of transmission over the internet or electronic storage is 100% secure. While we use commercially reasonable security measures, we cannot guarantee absolute security of your data. In the event of a data breach affecting your rights, we will notify you as required by applicable law.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
📥 Right to Access & Export
You can download all your account data, forms, and submissions at any time via your dashboard settings (Settings → Export Data) or via GET /api/account/export. Exports are provided in JSON format.
🗑️ Right to Deletion ("Right to Be Forgotten")
You can permanently delete your account and all associated data via Settings → Delete Account. This removes your account, all forms, and all submissions. Deletion is processed within 30 days. Note: billing records required by law (7 years) and aggregated/anonymized data cannot be deleted.
✏️ Right to Correction
Update your account information anytime in your dashboard. Contact support to correct any data you cannot update yourself.
🚫 Right to Object / Restrict Processing
You may object to or request restriction of certain processing activities. Note that restricting certain processing may limit your ability to use the Service. Contact privacy@formbox.io.
📧 Marketing Opt-Out
You can unsubscribe from marketing emails at any time via the unsubscribe link in any email. You cannot opt out of transactional emails (receipts, security alerts, service notices) while your account is active.
To exercise your rights, contact privacy@formbox.io. We will respond within 30 days. We may require identity verification before processing requests. We will fulfill requests to the extent required by applicable law.
10. Your Subscribers' Data (You Are the Controller)
When people submit data through forms you've created in LaunchQ, you are the data controller for that data. You are solely responsible for:
- Having a lawful basis to collect and process that data
- Providing a privacy notice to your form submitters
- Responding to your subscribers' data requests (access, deletion, correction)
- Complying with GDPR, CCPA, and any other applicable laws
LaunchQ processes that data only as your processor, per your configuration and our Terms. If a subscriber of yours contacts us directly about their data, we will refer them to you as the controller.
11. Children's Privacy
The Service is not directed to children under 13 (or under 16 in the EU). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without verifiable parental consent, we will delete it immediately. If you believe we have data from a child, contact privacy@formbox.io.
12. International Data Transfers
LaunchQ is operated from the United States. If you are accessing the Service from outside the US, your data will be transferred to and processed in the US. For EU/EEA users, we rely on Standard Contractual Clauses (SCCs) as the legal basis for cross-border data transfers where required.
13. Changes to This Policy
We may update this Privacy Policy at any time. For material changes, we will provide at least 14 days' advance notice by posting the revised policy on our website and sending an email to your registered address. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.
We encourage you to review this policy periodically. The "Last updated" date at the top reflects when the most recent changes were made.
14. Contact Us
For privacy questions, requests, or concerns:
- Email: privacy@formbox.io
- General support: support@formbox.io
We aim to respond to all privacy requests within 30 days.
✅ TL;DR
We collect what we need to run the platform. We don't sell your data. You can export or delete everything anytime. We use anonymized aggregate data to improve the product. We send product emails — unsubscribe anytime. Security is taken seriously, but no system is 100% secure.
Questions? privacy@formbox.io