Privacy Policy

Last updated 15 June 2026

This policy explains how Fillo, operated by [Legal entity name] (“Fillo”, “we”, “us”), handles personal data. Fillo is form infrastructure: you build forms and render them inside your own product, and we store the responses for you.

Two roles

For your account (you, the person who signs up and builds forms) we are the data controller. For the responses your forms collect from your end users, we act as a data processor on your behalf — you are the controller of that data. Our processor commitments are set out in the Data Processing Agreement.

What we collect about account holders

  • Account details: your name, email address, and a hashed password (passwords are never stored in plain text).
  • Workspace data: organisation name, members, and the forms you create.
  • If you sign in with Google: your Google account identifier and email (scope openid email).
  • Operational logs needed to run and secure the service (e.g. request timestamps, IP address, error logs).

What we process on your behalf

  • Form responses: the answers your end users submit, plus metadata such as the source route, timestamps, and review status.
  • Email addresses your forms collect, if any.
  • Uploaded files do not pass through or get stored by us. They go browser-direct to your own connected storage (Google Drive or an S3-compatible bucket). We only keep a reference to where the file lives.

Why we process data, and our legal bases

  • To provide the service you signed up for (performance of a contract).
  • To keep the service secure and prevent abuse — rate limiting, spam protection, logs (legitimate interests).
  • Optional features you switch on, such as email notifications and AI form drafting (consent / contract).

Who we share data with

We do not sell personal data. We share it only with the sub-processors that help us run Fillo — hosting, transactional email, and optional AI drafting. The full list, with purpose and location, is on our Sub-processors page.

Where data is stored, and international transfers

Fillo is hosted in the European Union, and your account data and responses are stored on EU-based infrastructure. Two of our sub-processors (email and optional AI drafting) are US-based, so limited data — recipient addresses and email content for notifications, and the prompt text you type when drafting a form with AI — may be transferred to the United States under Standard Contractual Clauses and the providers’ own data-processing terms.

How long we keep it

  • Account data: for as long as your account is active, then deleted within a reasonable period after closure.
  • Responses: until you delete them or close the workspace. You can export and delete responses at any time.
  • Logs: kept only as long as needed for security and debugging.

How we protect it

  • Encryption in transit (TLS) on every request, and encryption at rest for the database.
  • Stored storage credentials (e.g. S3 keys) are encrypted with AES-256-GCM.
  • Every form, response, and file reference is scoped to its workspace.
  • Signed webhooks, plus rate limiting and honeypot protection on submissions.

Your rights

Under the GDPR you can request access, correction, deletion, a portable copy, or restriction of your personal data, and you can object to certain processing. Email [privacy contact email] and we’ll respond within the legal time limits. You can also complain to your local supervisory authority ([lead supervisory authority]). For responses your forms collected, contact the business that ran the form — they are the controller of that data.

Cookies

We use only the essential cookies needed to keep you signed in. We do not use advertising or third-party analytics cookies.

Contact

[Legal entity name], [registered address]. Privacy questions: [privacy contact email].

Changes

If we change this policy we’ll update the date above and, for material changes, let account holders know before the change takes effect.