Privacy Policy (GDPR)
Last updated: 2026-05-30.
1. Who is in charge?
CHEBBI Amin (individual, publisher of the Formali brand)
5 square des Bégonias, 91370 Verrières-le-Buisson, France
Contact / support: aminchebbipro@gmail.com
This policy applies to the Formali website and service (domain: formali.acdworks.com).
2. GDPR roles (important)
- Your Formali account (signup, login, billing, support): Formali acts as data controller.
- Data collected through your forms (submissions): you are generally the data controller, and Formali acts as your data processor (hosting, storing, and displaying submissions for you).
You must inform your own end users and ensure your forms are compliant (legal basis, notice, retention, rights, etc.).
3. Data Processing Agreement (B2B)
If you use Formali as a business (B2B) and collect personal data through your forms, you may need a data processing agreement (DPA). You can request it by email: aminchebbipro@gmail.com.
4. Data we process
- Account: email, password (hashed), account creation date, session data.
- Forms: name, key/identifier, optional settings.
- Submissions: content submitted through your forms, date/time received.
- Technical and security data: data needed for operation and security (e.g., session identifiers, CSRF token, anti-abuse/rate-limiting state, technical logs).
- Subscription / payment (if you choose a paid plan): subscription status, Stripe identifiers (customer/subscription), payment references.
5. Purposes and legal bases
- Provide the service: performance of a contract (Terms of Use).
- Create and manage your account: performance of a contract.
- Security and abuse prevention: legitimate interests.
- Support: legitimate interests and/or performance of a contract.
- Subscriptions and payments: performance of a contract (Sales Terms).
- Legal obligations (when applicable): legal obligation.
6. Recipients / processors
Your data is accessed only by the publisher and by service providers needed to operate the service.
- Technical providers: hosting/infrastructure (categories of providers), only to run Formali.
- Stripe: payment provider (only if you subscribe to a paid plan).
7. Transfers outside the EU/EEA
Some providers (for example Stripe) may process personal data outside the European Union / European Economic Area.
When this happens, the transfer is covered by appropriate safeguards (for example Standard Contractual Clauses) and/or an adequacy decision.
8. Retention
- Account: kept while your account is active, then deleted upon an account deletion request.
- Forms and submissions: kept while your account is active, then deleted when your account is deleted (or when you delete them in the interface, if available).
- Support: for as long as needed to handle your request, then limited retention for follow-up (default: up to 3 years after last contact).
- Technical / security logs: limited retention (default: up to 12 months), unless a specific need requires longer (incident, fraud, etc.).
- Billing data: kept for subscription management, then retained as required by applicable laws when relevant (default: up to 10 years for accounting records).
These periods may vary depending on legal obligations and service configuration.
9. Cookies
Formali uses cookies/trackers strictly necessary for operation (for example session cookies and security mechanisms).
At this stage, we do not deploy advertising cookies or third-party tracking cookies.
A simple notice may be shown. For details, see the Cookies page in the footer.
10. Your rights
If you are in the EU/EEA, you have rights including access, rectification, deletion, restriction, objection, and data portability.
To exercise your rights: aminchebbipro@gmail.com (please include your account email and your request).
You can also lodge a complaint with your supervisory authority (in France: the CNIL).
11. Security
We implement reasonable measures to protect data (access control, secure sessions, CSRF protections, etc.).
12. Changes
We may update this policy. The “Last updated” date reflects the latest version.