Privacy Policy

Formly, Inc. ("Formly," "we," "our," or "us") operates the Formly platform, which connects Meta Instant Forms to ServiceTitan for real-time lead routing. This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our website at formly.app and our SaaS platform (collectively, the "Service").

By using the Service you agree to this policy. If you do not agree, please discontinue use.

1. Information We Collect

1.1 Information You Provide

• Account information: name, email address, and password when you create an account.
• Billing information: payment card details processed by Stripe (we never store raw card numbers).
• Integration credentials: OAuth tokens for Meta and ServiceTitan that you authorize.
• Brand settings: logo, colors, and other visual assets you upload.
• Support communications: messages and attachments you send to our support team.

1.2 Lead Data Processed on Your Behalf

When you connect Meta Instant Forms, Formly receives lead data that your ad respondents submitted, including names, phone numbers, email addresses, and any custom fields you configured in your Meta form. This data is processed as a service to you (the data controller) and is governed by your own privacy notices to your customers.

1.3 Automatically Collected Data

• Log data: IP address, browser type, pages visited, and timestamps.
• Cookies: session cookies required for authentication and preferences. See Section 6.
• Usage analytics: anonymized feature-usage data to improve the platform.

2. How We Use Your Information

• Provide, maintain, and improve the Service.
• Process and route lead data from Meta to ServiceTitan per your campaign configuration.
• Send transactional emails (lead notifications, email templates) on your behalf.
• Fire Conversions API (CAPI) signals to Meta as you configure.
• Respond to support requests and communicate service updates.
• Detect and prevent fraud, abuse, and security incidents.
• Comply with legal obligations.

We do not sell your personal information or your customers' lead data to third parties.

3. Sharing of Information

We share information only in these limited circumstances:

• Meta (Facebook): We send CAPI conversion events and receive lead data via the Meta Graph API under your authorization. Meta's use of this data is governed by Meta's own Privacy Policy.
• ServiceTitan: We forward lead data to your ServiceTitan tenant to create bookings or jobs per your configuration.
• Infrastructure providers: Railway (hosting), Neon (database), Resend (email delivery), and Stripe (payments) — each under data processing agreements.
• Legal requirements: If required by law, court order, or to protect the rights and safety of Formly or the public.
• Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users.

4. Data Retention

• Account data: retained while your account is active and for 90 days after deletion.
• Lead data: retained for 12 months from the date the lead was received, then purged.
• CAPI events: retained for 90 days, after which only aggregated metrics are kept.
• Log data: retained for 30 days for security and debugging purposes.

You may request earlier deletion by contacting us at [email protected].

5. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

• Access: request a copy of the personal data we hold about you.
• Correction: request correction of inaccurate data.
• Deletion: request deletion of your personal data (subject to legal retention obligations).
• Portability: receive your data in a machine-readable format.
• Objection/Restriction: object to or request restriction of certain processing.
• Withdraw consent: where processing is based on consent, you may withdraw at any time.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

California residents (CCPA): You have the right to know, delete, and opt-out of the sale of personal information. We do not sell personal information. To submit a request, email the address above.

6. Cookies

Formly uses essential cookies only:

• Session cookie (next-auth.session-token): keeps you logged in. Expires when you close your browser or after 30 days if you select "Remember me."
• CSRF cookie (next-auth.csrf-token): protects against cross-site request forgery attacks.

We do not use advertising cookies or third-party tracking cookies. You can disable cookies in your browser settings, but doing so will prevent you from signing in.

7. Security

We implement industry-standard safeguards including TLS encryption in transit, bcrypt password hashing, database-level encryption at rest, and least-privilege access controls. OAuth tokens are stored encrypted. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

8. International Transfers

Formly is operated from the United States. If you access the Service from outside the US, your information may be transferred to and processed in the US. By using the Service you consent to this transfer. Where required, we rely on Standard Contractual Clauses for transfers from the European Economic Area.

9. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, contact us immediately.

10. Changes to This Policy

We may update this policy from time to time. When we make material changes we will notify you by email or by posting a prominent notice in the dashboard at least 14 days before the changes take effect. Continued use after the effective date constitutes acceptance.

11. Contact Us

For privacy-related questions or requests: