scroll_theoryforms
How it works Pricing Sign in Start free

Legal

Privacy Policy

Last updated June 30, 2026

Scroll Theory Forms is a form backend operated by Scroll Theory Media in Ohio, USA. This policy explains what we collect, why, and who we share it with. It covers the marketing site, the dashboard, and the form receiving endpoints.

The two roles we play

We handle two different kinds of data, and our responsibility differs for each.

  • Your account data. For the information you give us to run your account, we are the controller. We decide how it is used, within this policy.
  • Your form submissions. For the data your website visitors send through your forms, you are the controller and we are your processor. You decide what to collect and why. We store and deliver it on your behalf, following your settings. You are responsible for telling your visitors how their data is used and for having a lawful basis to collect it.

What we collect

Account information

When you sign up we store your email address, a securely hashed version of your password, your plan, and basic account timestamps. We never store your password in readable form.

Google sign-in (optional)

If you choose to sign in with Google, we receive your email address and basic profile identifier from Google so we can create or match your account. We do not receive your Google password.

Form submissions

When someone submits one of your forms, we store the fields they sent, along with a timestamp and a spam classification. The contents are determined entirely by the form you built. Avoid collecting sensitive categories of data through your forms unless you have a clear lawful basis and have told your visitors.

Technical and anti-abuse data

To stop spam and abuse, we process limited technical signals on submission, including the sender IP address, request timing for rate limiting, and the result of bot checks such as a hidden honeypot field and, where enabled, Cloudflare Turnstile. This is used to classify submissions, not to track individuals across the web.

Payment information

Paid plans are billed through Stripe. Stripe collects and processes your card details directly. We do not see or store your full card number. We keep a Stripe customer reference and your subscription status so we can apply the right plan.

How we use data

  • To operate your account and deliver the service you signed up for.
  • To receive, store, classify, and forward your form submissions to your verified notification addresses.
  • To detect and reduce spam and abuse.
  • To process payments and manage subscriptions on paid plans.
  • To send you essential service messages, such as email verification and billing notices.

We do not sell your data. We do not run third-party advertising trackers on this service.

Cookies

We use a single first-party session cookie to keep you signed in to the dashboard. It is not used for advertising. The public marketing pages do not set tracking cookies.

Who we share data with

We rely on a small set of processors to run the service. Each handles only what it needs to:

  • Cloudflare hosts the service, stores data in its D1 database, and provides bot protection (Turnstile).
  • Stripe processes payments and subscriptions.
  • Resend delivers notification and verification emails.
  • Google provides optional sign-in if you use it.

We may also disclose data if required by law, or to protect the rights, safety, and security of the service and its users.

How long we keep it

We keep account data for as long as your account is active. We keep form submissions until you delete them, delete the form they belong to, or close your account. Deleting a project does not delete its forms or their submissions; the forms move to a default project so nothing is lost. When you close your account, we delete or anonymize associated data within a reasonable period, except where we must retain records to meet legal or accounting obligations.

Security

Connections use HTTPS. Passwords are hashed with a salted, iterated algorithm (PBKDF2). Access to submission data in the dashboard is scoped to your account. No system is perfectly secure, but we take reasonable measures to protect the data we hold.

Your rights

Depending on where you live, you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. You can manage much of this directly in the dashboard. For anything else, contact us at chad@scrolltheory.media and we will respond within a reasonable time. If your request concerns data submitted through a customer's form, we will refer you to that customer, who controls it.

Data location

The service runs on Cloudflare's global network and is operated from the United States. By using it, you understand your data may be processed in the United States and other countries where our processors operate.

Children

This service is for businesses and is not directed at children. We do not knowingly collect personal data from children. If you build a form that collects data from children, you are responsible for meeting the applicable rules.

Changes to this policy

We may update this policy as the service evolves. When we make material changes, we will update the date above and, where appropriate, notify you. Continued use after a change means you accept the updated policy.

Contact

Questions about this policy or your data can go to chad@scrolltheory.media.

Crafted by scroll_theory
Docs Guides Sign in Privacy Terms