Privacy Policy
Last updated: May 12, 2026
What we collect
When you use Sansform, we collect information you provide directly:
- Account information — first name, last name, email address, password, and workspace details (workspace name, URL slug, your role) when you sign up and configure your workspace.
- Form content (blank templates) — the PDFs, photos, Word documents, or natural-language prompts you provide when creating a new form. Used to generate the digital form template.
- Form scans (filled-out forms) — when you upload a filled-out paper form to extract its answers as a submission, the entire image (including any handwritten names, addresses, financial details, signatures, or other personal data your end user wrote on it) is processed by our AI extraction pipeline. Use the “sensitive” field designation in the form editor on fields that collect this kind of data so that the resulting submission values are encrypted and purged on the 24-hour schedule described below.
- Submissions and bookings — data submitted through your published forms, including signatures, file attachments, and booked appointment details (time slot, attendee info, time zone).
- Payment information — billing details for your Sansform subscription are processed securely by Stripe; we never store full card numbers. When you collect payments through your forms via Stripe Connect, end-user card details are handled entirely by Stripe. Sansform only retains payment intent IDs, amounts, currencies, and statuses for audit and display.
- Connected service credentials — OAuth tokens, webhook URLs, and API keys you provide when integrating Sansform with Google Calendar, Airtable, Notion, or custom webhook endpoints. Stored encrypted and used only to push data to the destinations you configure.
- Usage data — pages visited, features used, and performance metrics to improve the product.
Legal basis for processing
We process your data under the following lawful bases:
- Contract performance — to provide the Service you signed up for (account creation, form generation, submission processing).
- Consent — when you agree to our Terms and Privacy Policy at signup, and for optional features like marketing communications.
- Legitimate interest — to improve the Service, prevent abuse, and ensure security, where these interests don't override your rights.
- Legal obligation — to comply with applicable laws, such as retaining billing records.
How we use it
- Provide, maintain, and improve Sansform.
- Process uploaded documents through our AI extraction pipeline to generate digital forms.
- Send transactional emails — account verification, submission notifications, booking confirmations, and routing alerts.
- Process payments and manage your Sansform subscription.
- Facilitate payments you collect through your forms via Stripe Connect. Sansform never touches the funds — Stripe disburses directly to the bank account you connect.
- Schedule booked appointments and, when you connect your calendar, sync them to Google Calendar on your behalf.
- Push submission data to integrations you configure (Airtable, Notion, custom webhooks).
- Monitor for abuse, fraud, and technical issues.
Third-party services
We use trusted third parties to operate Sansform. Your data may be processed by:
- Supabase — database, authentication, and file storage.
- Vercel — hosting and edge delivery.
- Anthropic (Claude API) — AI-powered form extraction from uploaded documents and filled-out form scans. Document and image payloads are sent to the API for processing. Per Anthropic's commercial API terms, Anthropic does not train its models on customer inputs or outputs, and retains them for up to 30 days for trust and safety review before deletion.
- CloudConvert — when you upload a Word (.docx) document, the file is sent to CloudConvert's API for conversion to PDF before our extraction pipeline rasterizes it. CloudConvert stores the file only for the duration of the conversion job and deletes it afterwards per their retention policy.
- Stripe — payment processing for Sansform subscriptions, and Stripe Connect for payments you collect through your forms.
- Resend — transactional email delivery.
- PostHog — product analytics. When you are signed in, we identify you to PostHog by your user ID and email address so we can understand which features paying customers actually use. Pageviews, session replays of in-app interactions, and feature events are collected. PostHog sets cookies on its `*.posthog.com` domain and on our first-party `/ingest/` proxy. You can opt out of analytics via your browser's “Do Not Track” signal or via our cookie banner.
- Sentry — error and performance monitoring. When an error happens in the app or on a server route, Sentry receives the stack trace, URL, browser metadata, and your user ID so we can debug it. We don't intentionally send submission data or form content to Sentry; if any leaks into an error breadcrumb, it's subject to Sentry's standard retention (90 days by default).
- Google Calendar — only when you connect it, to create and update events for bookings made through your forms.
- Airtable, Notion, and custom webhooks — only when you configure them as integration destinations, to push submission data from your forms.
We do not sell your data to anyone. We do not use your form content or submissions to train AI models, and our AI providers do not either (under our current commercial agreements).
International data transfers
Our third-party service providers operate in the United States and other countries. By using Sansform, your data may be transferred to and processed in countries outside your own, including the US. These providers maintain appropriate safeguards (such as Standard Contractual Clauses) to protect your data in compliance with applicable data protection laws.
Data controller and processor
Sansform acts as a data controller for your account information, usage data, and billing data — we decide how and why this data is processed.
When you use Sansform to collect submissions from your end users, Sansform acts as a data processor on your behalf. You are the data controller for the submission data collected through your forms. You are responsible for ensuring you have a lawful basis to collect that data, providing appropriate privacy notices to your end users, and complying with applicable data protection laws. We process submission data only as instructed by you through your use of the Service.
Children
Sansform accounts are not intended for anyone under the age of 18. We do not knowingly allow children under 18 to create their own Sansform account. If you believe a child has created a Sansform account, please contact us at support@sansform.ai.
Workspace owners may publish forms that legitimately collect data about minors — for example, a school using a student enrollment form, or a clinic using a pediatric intake form. In those cases, the workspace owner is the data controller and is responsible for complying with COPPA (US), age-appropriate design codes, and any local children's privacy regulations. Sansform processes that data only as a processor on their behalf.
Data retention
- Your forms, submissions, and bookings are retained as long as your account is active.
- When you delete a form, its submissions are permanently deleted.
- Fields marked “sensitive” in the form editor are encrypted at rest with AES-256-GCM using a fresh data encryption key (DEK) generated for each individual submission and wrapped by AWS KMS. After 24 hours, the ciphertext is purged from live storage AND the submission's DEK is destroyed in the same database update — the key and the value die together. Because every submission has its own DEK, nulling it destroys the only key that could decrypt that submission's ciphertext anywhere. Any copies of the ciphertext that existed in infrastructure backups become cryptographically unrecoverable: the value cannot be decrypted, by us or by anyone with access to those backups. Only fields you explicitly designate as sensitive are subject to this purge and key destruction; fields left unmarked are stored like any other submission value. It is the workspace owner's responsibility to mark each field collecting sensitive data as sensitive in the form editor. Sansform is not liable for data collected through an unmarked field.
- Payment records (Stripe intent IDs, amounts, currencies, statuses) may be retained for up to 7 years after deletion to comply with tax and audit obligations.
- Connected service credentials (Google Calendar OAuth tokens, Airtable tokens, Notion OAuth tokens, webhook URLs) are retained until you disconnect the integration or delete your account.
- When you delete your account, all associated data — forms, submissions, uploads, workspace data, and credentials — is permanently deleted within 30 days (except the payment records noted above).
- AI extraction logs (tokens used, cost, confidence scores) are retained for billing and quality purposes but do not contain your document content.
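The sensitive-field scheme described above (a fresh DEK per submission, AES-256-GCM, ciphertext and key removed together after 24 hours), as an added JavaScript illustration that is not Sansform's code. It assumes a local key-encryption key in place of AWS KMS; the row layout and every function name are hypothetical.

```javascript
// Added illustration: per-submission envelope encryption with crypto-shredding.
// Assumption: a local 32-byte KEK stands in for AWS KMS; all names are hypothetical.
const nodeCrypto = require("node:crypto");
const DAY_MS = 24 * 60 * 60 * 1000;

// AES-256-GCM helpers; a sealed blob is iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on a wrong key
}

// One fresh DEK per submission; the row keeps only the wrapped DEK and the ciphertext.
function storeSensitive(kek, value, now) {
  const dek = nodeCrypto.randomBytes(32);
  return { createdAt: now, ciphertext: seal(dek, Buffer.from(value, "utf8")),
           wrappedDek: seal(kek, dek) };
}
function readSensitive(kek, row) {
  if (!row.ciphertext || !row.wrappedDek) throw new Error("purged");
  return open(open(kek, row.wrappedDek), row.ciphertext).toString("utf8");
}

// 24-hour purge: ciphertext and wrapped DEK are nulled in the same update.
function purgeExpired(rows, now) {
  const due = rows.filter((r) => r.ciphertext && now - r.createdAt >= DAY_MS);
  for (const r of due) r.ciphertext = r.wrappedDek = null;
  return due.length;
}

// Constructed scenario: a backup copied row 0's ciphertext before the purge ran.
function demo() {
  const kek = nodeCrypto.randomBytes(32);
  const rows = [storeSensitive(kek, "constructed value A", 0),
                storeSensitive(kek, "constructed value B", DAY_MS)];
  const backupCiphertext = Buffer.from(rows[0].ciphertext);
  const before = readSensitive(kek, rows[0]);
  const purged = purgeExpired(rows, DAY_MS + 1);
  let recovered = true; // try the only DEK the KEK holder can still unwrap
  try { open(open(kek, rows[1].wrappedDek), backupCiphertext); } catch { recovered = false; }
  return { before, purged, recovered, live: readSensitive(kek, rows[1]), rows, kek };
}
```

In this sketch the backup holds ciphertext only. A backup that also captured the `wrappedDek` column would stay decryptable for as long as the wrapping key can unwrap it, so that column needs the same purge coverage as the ciphertext.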
Cookies and analytics
Essential cookies. Supabase Auth sets cookies on sansform.ai to keep you signed in and to identify your active workspace. These cannot be disabled without breaking the Service.
Analytics cookies (PostHog). We use PostHog to understand how the product is used. When you are signed in, PostHog is given your user ID and email so we can correlate feature usage with paying customers. PostHog sets cookies on its own domain and on our first-party `/ingest/` proxy. We do not use PostHog to advertise to you and we do not share PostHog data with advertising networks.
You can opt out of analytics by enabling a tracking-blocker, sending the “Do Not Track” signal, or disabling cookies for sansform.ai in your browser. Essential cookies will still be set so you can stay signed in.
Your rights
You can:
- Access your data at any time through your account dashboard.
- Export your forms and submissions.
- Delete your account and all associated data.
- Correct inaccurate information in your account settings.
If you're in the EU, UK, or California, you have additional rights under GDPR, UK GDPR, or CCPA respectively. Contact us to exercise them.
Security
All data is encrypted in transit (TLS) and at rest. We use row-level security on all database tables, scoped by workspace. Access is restricted to authenticated workspace members with appropriate roles.
Changes
We may update this policy from time to time. If we make significant changes, we'll notify you by email or through the app. Continued use of Sansform after changes constitutes acceptance of the updated policy.
Contact and Privacy Officer
General privacy questions: support@sansform.ai.
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Sansform has designated a Privacy Officer who is accountable for our compliance with this policy. The Privacy Officer can be reached at privacy@sansform.ai or by mail at: Sansform Technologies, Inc., Attn: Privacy Officer, 302-540 Lawrence Avenue, Kelowna, British Columbia V1Y 6L7, Canada. EU/UK users have the right to lodge a complaint with their local data protection authority; California residents can additionally invoke their CCPA rights by contacting either address.