Privacy Policy

⚠ This is a v0 draft. Final version is pending review by an Indian privacy lawyer before public launch. Bracketed placeholders [LIKE THIS] need to be filled by the legal entity before publication.

1. Who we are

FormReady is operated by [LEGAL ENTITY NAME — e.g., FormReady Technologies Pvt Ltd] (referred to as "FormReady", "we", "us", or "our"), a company registered in India with its principal office at [REGISTERED ADDRESS]. Our domain is formready.in.

For questions about this policy or any privacy matter, contact our Grievance Officer: grievance@formready.in ([GRIEVANCE OFFICER NAME], available Monday–Friday, 10:00–18:00 IST).

2. The architecture-first promise

FormReady is designed so that personal data minimisation is structural, not optional. The compression engine runs entirely in your browser via WebAssembly and Canvas APIs. The file you upload to a tool never leaves your device. There is no server endpoint that receives file content. You can verify this by opening your browser's DevTools → Network tab while compressing — zero outbound file requests will be visible. We provide a live demonstration at /privacy/verify.

3. What we collect — and don't

We deliberately collect as little as possible. Here is the complete list:

3.1 What we collect from everyone (free + Pro)

• Anonymous usage counters. When you complete a compression, your browser sends a small "event" ping with the operation type (e.g., "pdf-compress") and a timestamp. We use this for aggregate analytics, abuse detection, and product improvement. The ping does not include your file, file name, file hash, or any user identifier.
• Page-view analytics. We use Plausible for cookieless, privacy-respecting analytics. It tracks visit counts and the country of origin only.
• Standard server logs. Like all websites, our hosting provider (Vercel) records IP addresses and user-agents for short-term abuse and performance debugging. These logs are kept for 30 days and are not associated with any account.
• Cloudflare Turnstile. On heavy-use endpoints we run an invisible captcha (Cloudflare Turnstile). It uses no cookies and collects no personal information.

3.2 What we additionally collect from Pro users

• Email address (from Google OAuth) and the display name and profile picture URL Google sends with it.
• Subscription state (active / cancelled / trial), next billing date, plan tier.
• Razorpay payment ID (a token; not your card number).
• API key metadata (name, scopes, last-used timestamp) — keys are stored hashed.

3.3 What we never collect

• The content of any file you compress.
• The filename of any file you compress.
• Any cryptographic hash of the file (we don't fingerprint files).
• Any details about the persons or entities depicted in your files.
• Your card number, CVV, or banking credentials (those go to Razorpay; we never see them).

4. Cookies

We use a minimal set of first-party cookies — none for behavioural advertising. See the full Cookie Policy.

5. Third parties we share data with

We only share data with services strictly necessary to operate FormReady. Each is contractually bound to use the data only for the purpose listed:

• Google Identity — to authenticate Pro users via OAuth. Only your email, display name, and profile photo URL are received.
• Razorpay — to process payments. Razorpay receives your billing details directly; we receive only a payment ID.
• Resend — to send transactional emails (welcome, password reset, receipts) for Pro users.
• Plausible — cookieless visit analytics (no personal data).
• Sentry — JavaScript error tracking for the site itself. No file content is ever sent.
• Google AdSense — serves ads on tool and content pages. AdSense uses its own cookies governed by Google's privacy policy. You can opt out at adssettings.google.com.
• Cloudflare Turnstile — invisible captcha to deter abuse.
• Vercel — our hosting provider; sees only what any HTTPS endpoint sees (IPs, user-agents, request paths).

We do not sell, rent, or trade your personal information to anyone.

6. Where data is stored

Pro account data is stored in PostgreSQL on infrastructure located in [REGION — typically AWS Mumbai (ap-south-1) for Indian users]. Logs and analytics are stored on the respective providers' infrastructure as listed above. File content is never stored anywhere because it is never received.

7. How long we keep data

• Anonymous usage counters: retained for 13 months for trend analysis, then aggregated.
• Pro account data: retained for the lifetime of the account, then deleted within 30 days of account closure (with a 30-day grace window during which the deletion is reversible).
• GST invoices: retained for 8 years per Indian tax law, in anonymised form (only the legal minimum identifying information).
• Server logs: 30 days.

8. Your rights under the DPDP Act 2023

If you are an Indian resident, the Digital Personal Data Protection Act, 2023 grants you the following rights regarding any personal data we hold about you:

• Right to access a summary of the personal data we hold about you.
• Right to correct or update inaccurate or outdated information.
• Right to erasure — request deletion of your data, subject to legal retention requirements (e.g., GST invoices).
• Right to grievance redressal — escalate concerns through our Grievance Officer.
• Right to nominate — designate someone to exercise your rights in case of incapacity or death.

Pro users can exercise the access, correction, and deletion rights directly from /account/profile. Free users — since we hold no identifying information about you — these rights are mostly moot, but you can still email us with any concern.

9. Your rights under GDPR (if applicable)

If you are a resident of the European Economic Area, the United Kingdom, or Switzerland, you have analogous rights under the GDPR — including the right to object to processing, the right to data portability, and the right to lodge a complaint with your local supervisory authority.

10. Children

Our services are intended for users 13 years of age or older. If you are under the age of majority in your jurisdiction, you may use FormReady only with the consent and supervision of a parent or guardian. We do not knowingly collect personal data from children under 13.

11. International transfers

Some of our service providers (e.g., Sentry, Plausible) operate from regions outside India. Data shared with them is limited to the minimum necessary for the service to function (no file content) and is governed by the standard contractual clauses each provider uses for cross-border transfer compliance.

12. Security

We follow industry-standard security practices including TLS encryption for all data in transit, encrypted storage at rest, hashed storage of API keys and secrets, two-factor authentication for our internal admin access, and quarterly third-party security review. The most important security control on our side is structural: we don't hold what we don't collect.

13. Data breach notification

In the unlikely event of a personal data breach affecting Pro account data, we will notify the Data Protection Board of India and affected users within 72 hours of becoming aware of the breach, in accordance with DPDP Act §8(6).

14. Changes to this policy

We may update this policy occasionally to reflect new features, regulatory requirements, or operational changes. The "Last updated" date at the top of this page reflects the most recent change. Material changes (those that materially affect your rights) will be communicated to Pro users via email and a banner on the site requesting re-acceptance of terms.

15. Contact

For privacy-related queries:

• Email: privacy@formready.in — general privacy questions
• Grievance Officer: grievance@formready.in — formal grievance under the DPDP Act
• Data Protection Officer: dpo@formready.in — GDPR matters

If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Board of India (dpb.gov.in) or, for EU/UK residents, with your local supervisory authority.