Privacy Policy

1. Who we are

FormVillage is a product operated by GoBurley ("we", "us", "our"), a web design and IT services business based in the South West of England. Our contact email is george@goburley.com.

This privacy policy explains how we collect, use, store, and protect personal data when you use FormVillage at formvillage.co.uk (the "Service").

2. What data we collect and why

2.1 Account holders (event organisers)

When you create a FormVillage account, we collect:

• Email address — to create and authenticate your account, and to send you service-related notifications.
• Password — stored as a secure cryptographic hash. We never store plaintext passwords.
• Display name — if you choose to set one, used to personalise the interface.
• Payment information — if you purchase credits or a subscription, your payment is processed by Stripe. We store only the Stripe customer ID and subscription ID, not your card details. Stripe's privacy policy applies to payment processing: stripe.com/gb/privacy.
• Credit and subscription records — purchase history, credit balance, and subscription tier, for billing and account management purposes.

2.2 Event attendees (form submitters)

When an attendee submits a booking form created by an organiser, we collect the information requested on that form, which may include:

• Name and email address
• Phone number (if requested by the organiser)
• Session or ticket selections
• Dietary requirements, medical notes, or emergency contact details (if requested by the organiser)
• Agreement to the organiser's event terms

This data is collected on behalf of the event organiser. The organiser is the data controller for attendee data. FormVillage acts as the data processor.

2.3 Technical data

We may collect standard server log data including IP addresses and browser type for security monitoring and debugging purposes. This data is not used for tracking or advertising.

3. Legal basis for processing

We process personal data under the following legal bases:

• Contract performance — to provide the Service you have signed up for.
• Legitimate interests — to maintain security, prevent fraud, and improve the Service.
• Consent — where you have explicitly provided it (e.g. marketing communications, if applicable).
• Legal obligation — where we are required to do so by law.

4. How we use your data

We use organiser data to:

• Create and authenticate your account
• Process credit purchases and subscription payments via Stripe
• Send transactional emails (booking confirmations, expiry warnings, account notifications) via Resend
• Provide customer support when you contact us

We use attendee data to:

• Record the booking on behalf of the event organiser
• Send the attendee a booking confirmation email
• Allow the event organiser to manage registrations and mark attendance

5. Data retention and automatic deletion

We operate a strict automatic data deletion policy:

• Attendee booking data is retained for 14 days after the form's expiry date, giving organisers time to export records.
• Forms expire 30 days after publication, meaning attendee data is permanently deleted 44 days after the form is published.
• Organisers receive email warnings at day 35 and day 42 before deletion occurs.
• Deletion is automatic and irreversible. We do not retain backups of deleted booking data.
• Organiser account data (email, credit records, subscription history) is retained for as long as the account remains active and for a reasonable period thereafter for legal and accounting purposes.

6. Data sharing

We do not sell, rent, or share your personal data with third parties for marketing purposes. We share data only with the following trusted sub-processors as necessary to provide the Service:

• Supabase — database and authentication provider (EU-hosted). supabase.com/privacy
• Stripe — payment processing. stripe.com/gb/privacy
• Resend — transactional email delivery. resend.com/privacy
• Vercel — application hosting. vercel.com/legal/privacy-policy

We may also disclose data where required by law, regulation, or a lawful request from a competent authority.

7. Payment processing

FormVillage does not process attendee payments. When an attendee books a ticket, they are directed to pay the event organiser directly via the payment method the organiser has configured (e.g. PayPal, bank transfer, Stripe Payment Link). FormVillage is not a party to those transactions and accepts no liability for payment disputes between organisers and attendees.

FormVillage does process payments from organisers for credits and subscriptions. These payments are handled entirely by Stripe. We never store card details.

8. Cookies

FormVillage uses the following cookies:

• sb-access-token / sb-refresh-token — session authentication cookies set by Supabase. These are strictly necessary for the Service to function. They are HTTP-only and are deleted when you log out.

We do not use advertising, analytics, or third-party tracking cookies.

9. Your rights under UK GDPR

You have the following rights regarding your personal data:

• Right of access — you may request a copy of the personal data we hold about you.
• Right to rectification — you may correct inaccurate data via your account settings or by contacting us.
• Right to erasure — you may delete your account at any time from the Account page. This will permanently delete your account, all forms, and all associated data.
• Right to restriction — you may ask us to restrict processing of your data in certain circumstances.
• Right to data portability — you may export your booking data as a CSV file from your admin panel at any time.
• Right to object — you may object to processing based on legitimate interests.

To exercise any of these rights, contact us at george@goburley.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk

10. Data security

We implement appropriate technical and organisational measures to protect personal data, including:

• All data transmitted over HTTPS (TLS encryption)
• Database access restricted by Row Level Security policies
• Passwords stored as bcrypt hashes (via Supabase Auth)
• API keys and secrets stored as environment variables, not in source code
• Automatic data deletion to minimise retention risk

No system is completely secure. In the unlikely event of a data breach affecting your rights and freedoms, we will notify the ICO within 72 hours and affected users without undue delay.

11. Children's data

FormVillage is not directed at children under 16. If an event organiser collects data about children (e.g. for a children's activity), they are responsible for ensuring appropriate consent is obtained from parents or guardians.

12. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by updating the "Last updated" date above and, where appropriate, by email. Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact

For any privacy-related questions or requests, contact us at: george@goburley.com