Privacy Policy

We're glad you're here, we appreciate your interest in privacy. In this document, we’ll explain how personal data is handled at cmdform to keep everything transparent and straightforward.

This Privacy Policy takes effect on May 15, 2025. Any capitalized terms in this document are defined in our Terms of Service. If there’s ever a conflict between this Privacy Policy and our Terms of Service, the Terms of Service will prevail.

At cmdform, we’re committed to handling your data responsibly. As a data controller, we process personal data collected directly from you or provided to us. For respondents' data or data entered into the system as part of account activities, we act as a data processor rather than a data controller.

Who we are?

cmdform is operated by Sixpoints – Jędrzej Koronowicz, a Polish company incorporated under the laws of the Republic of Poland. Our registered office is located at: Dywizji Wolynskiej 85, 80-041 Gdansk, Poland, Tax Identity Number:PL5842612410, Contact Email: [email protected]

Whenever we refer to "cmdform," "we," "us," or "our," we're talking about SixPoints as the service provider of cmdform.

What Data Do We Process and Why?

When You Give Consent

  • Purpose: We process your data to fulfill the purpose for which you gave consent.
  • Legal Basis: Art. 6(1)(a) GDPR – your consent. You can withdraw consent anytime by emailing us at [email protected]. Withdrawing consent won’t affect processing done before withdrawal.
  • Retention Period: Until consent is withdrawn or for legal purposes (e.g., defending claims).
  • Who Sees Your Data: Trusted IT, customer service, accounting, or legal partners who help us fulfill the consented purpose.

    • When You Use cmdform

  • Purpose: To create and manage your account and fulfill our agreement with you.
  • Legal Basis: Art. 6(1)(b) GDPR – contract performance.
  • Retention Period: As long as your account is active and for any legally required period afterward.
  • Who Sees Your Data: IT, customer service, accounting, or legal partners involved in providing our services.

    • When You Contact Support or File a Complaint

  • Purpose: To provide answers, assistance, and resolve your concerns.
  • Legal Basis: Art. 6(1)(f) GDPR – our legitimate interest in helping you.
  • Retention Period: 12 months from resolution or longer if needed for legal claims.
  • Who Sees Your Data: Relevant IT, customer service, accounting, or legal partners.

    • When You Participate in Forms

  • Purpose: To improve our services and understand user experience.
  • Legal Basis: Art. 6(1)(f) GDPR – our legitimate interest in service improvement.
  • Retention Period: 12 months after form completion, or longer for legal purposes.
  • Who Sees Your Data: Partners supporting IT, customer service, or form analysis.

    • When We Send Notifications or Emails

  • Purpose: To keep you informed and send notifications.
  • Legal Basis: Art. 6(1)(f) GDPR – our legitimate interest in communication.
  • Retention Period: While your account is active, with limited retention afterward for legal purposes.
  • Who Sees Your Data: Trusted IT, customer service, or legal providers.

    • When Website Visitors Use Cookies

  • Purpose: To enhance your experience, improve our website, and analyze usage.
  • Legal Basis: Consent or Art. 6(1)(f) GDPR – legitimate interest in website performance.
  • Retention Period: Until consent is withdrawn or longer if required for legal claims.
  • Who Sees Your Data: Trusted analytics and IT service providers.

    • Your Rights

    We value your rights and are here to help! Under GDPR, you can:

  • Access, correct, or delete your data.
  • Transfer your data if consent-based.
  • Restrict or object to data processing when based on legitimate interest.
  • Withdraw consent at any time.
  • Lodge a complaint with your local supervisory authority (in Poland, this is the President of the Office for Personal Data Protection).

    • Data Sharing and Transfers

    In some cases, data may be shared with third parties or transferred outside the European Economic Area (EEA). However, we only do this in line with our agreements and with a strong focus on data protection and compliance. Here’s how it works:

  • Basis for Data Transfers: Any transfer of data to third countries is conducted under agreements that we have carefully established with our service providers.
  • Purpose: Data sharing and processing are directly related to the performance of our agreement with you (e.g., to provide and improve our services).

    • Full List of Providers

    Below is a complete list of our trusted providers who may process data as part of their role in helping us deliver cmdform services:

    Subcontractor Purpose of Processing Location What Data is Shared
    AWS Hosting, storage systems provider, Transactional messaging EU Data concerning respondents and users, contact info, identification data, usage data, survey responses.
    DigitalOcean Hosting and storage systems providers EU Data concerning respondents and users, storage-related data.
    Cloudflare Content distribution, security, abuse prevention and DNS services Global IP addresses, browser data, and site performance metrics.
    OpenAI Service provider for hosting large language models and embeddings USA Text input data, interaction data, and generated responses.
    Sentry Error tracking USA Error logs, user interaction data related to bugs or issues.
    HelpScout Support services USA User support tickets, contact details, and interaction history.
    Amplitude Event logging for analytics USA Anonymized user activity data, event tracking, and engagement metrics.
    Segment Event logging for analytics USA User interaction data, behavioral analytics, and event logs.
    Postmark Transactional messaging USA Email addresses, message content, and delivery status data.
    MailerSend Transactional messaging USA Email addresses, message content, and delivery status data.
    Customer.io Transactional, broadcast, and marketing messaging USA Email addresses, marketing preferences, and interaction data.
    Google Translation API, Analytics USA User activity data, analytics, translation text input, and interaction data.
    Twilio SMS, WhatsApp and Phone functionality USA Phone numbers, message content, and delivery data.
    MailGun Transactional messaging USA Email addresses, message content, and delivery status data.
    Mixpanel Event logging for analytics USA User interaction data, anonymized event tracking, and analytics metrics.

    In the case of the above-mentioned providers, some data is transferred to countries outside the European Economic Area, including the United States. Please note that the USA does not currently have an adequacy decision from the European Commission, meaning European data protection regulations do not directly apply there.

    We want to be transparent and let you know that transferring data to the US carries a potential risk of access by US authorities under their applicable laws. However, we’ve taken steps to protect your data by entering into robust data processing agreements with all these providers, ensuring your data is handled securely and in compliance with applicable standards. If you have any concerns or questions, feel free to reach out to us – we’re here to help!

    We ensure that any data transfer outside the EEA complies with applicable legal requirements, including the use of Standard Contractual Clauses (SCCs) or other safeguards where necessary.

    If you have any questions about data sharing or need more details about specific providers, feel free to reach out to us at [email protected].

    Categories of Third Parties Engaged by cmdform

    We work with different types of third parties to provide and improve our services. Here's a breakdown of how we engage with them and your options for managing your preferences:

    1. Third Parties Requiring Your Consent

    For certain tools, like those involving cookies or tracking technologies, we ask for your explicit consent. You'll see a cookie banner on the login page of the cmdform App where you can choose to accept or reject these cookies. You can also update your preferences anytime through our Help Articles, giving you full control over your consent choices.

    2. Third Parties Engaged Based on Legitimate Interests

    We also partner with third parties to integrate services that are based on our legitimate interest. These partnerships aim to enhance our service or add valuable features. If you’re uncomfortable with this, you have the right to object to your data being processed by these parties. You can easily submit your objections via our Help Articles.

    3. Essential Service Providers

    Some third parties are critical to the functioning of cmdform. These providers are essential to delivering our services, such as DigitalOcean and AWS, which powers the infrastructure of cmdform. By using our services, you agree to the involvement of these third parties. Unfortunately, opting out of these services isn’t possible unless you discontinue using cmdform.

    Consent and Your Choices

    We prioritize your privacy and provide you with clear options to manage your data-sharing preferences:

  • At Entry: When you log in, you'll see a cookie banner where you can accept or reject the use of tools that require your consent.
  • Help Articles: For ongoing consent management, visit our Help Articles. Here, you can change your preferences or object to data processing based on legitimate interests at any time.

    • Your choices are respected, and we aim to give you full control over your data. Please note that rejecting certain third parties might limit the functionality of our services.

    If you have any questions or concerns about how your data is shared, feel free to reach out to our team at [email protected]. We're here to help!

    Use of Google API’s

    cmdform utilizes Google APIs to enhance our platform. This includes secure login access and seamless OAuth-based integrations for our services. We are committed to handling all data sourced from Google APIs responsibly, especially prioritizing the security of authentication data.

    Adherence to Google API Services User Data Policy

    cmdform strictly adheres to the Google API Services User Data Policy, ensuring compliance with Limited Use requirements. This guarantees that any data obtained through Google APIs is processed with the utmost respect for your privacy and aligned with policy guidelines.

    Limited Application of Google API Data

    The data we access or send via Google APIs is exclusively used for the intended purposes of specific APIs, within the context of providing our services. We ensure that:

  • The data is never used for advertising purposes.
  • We do not share this data with third parties, except where necessary for delivering our services.
  • All data is securely stored and accessible only by authorized personnel.
  • We do not use data obtained from Google Workspace APIs to develop, improve, or train generalized artificial intelligence (AI) and/or machine learning (ML) models.

    • Your Rights and Choices

    You have control over the data shared with cmdform through Google APIs. Adjust your preferences and settings as needed. If you have further questions, feel free to reach out to us.

    Data Processing and Responsibility

    cmdform acts as a data processor under GDPR when a Data Processing Agreement (DPA) is in place. Users control the data processed via our platform. For questions about data processing, please contact the survey creator.

    Data Related to Respondents

  • Visitor ID
  • Visitor attributes (from survey URLs or passed traits)
  • IP address
  • Browser language
  • Email address (for link surveys)
  • Operating system version, device type, and device

    • cmdform does not use cookies to target respondents, but we may offer features for survey delivery based on existing visitor cookies. Respondents' IP addresses may be processed for live service delivery or firewall purposes, but we do not store precise geographic data.

    System Notifications

    We provide notifications to keep you informed:

  • Service purchase confirmations
  • Subscription renewal reminders
  • Product updates and new features
  • Service interruptions or maintenance
  • Changes to Terms of Service or pricing

    • Anonymous Reports

    cmdform may generate anonymous, statistical reports for development or promotional purposes. These reports are entirely quantitative and do not include any personal data.

    Security Practices

    We prioritize your privacy and security:

  • Encrypted connections to our website - always look for HTTPS in the URL or lock icon 🔒
  • We never ask for sensitive data over email
  • Verification steps may require account logins or organizational confirmation
  • Use safe devices and networks when accessing our services

    • Cookies

    Cookies enhance your experience by storing data on your device. Learn how to adjust cookies in your browser:

  • Mozilla Firefox
  • Safari
  • Google Chrome
  • Microsoft Edge

    • Contact Us

    If you have any questions or need assistance, feel free to reach out to us at [email protected]. We're here to help!