Privacy Policy

LAST UPDATED: JUNE 2026

1. Our Zero-Data-Retention Compliance

At FormNest, privacy is not a feature—it is our absolute architecture. FormNest is engineered as a Zero-Data-Retention Engine.

When a responder submits a form built via our platform, their data is piped in-memory inside serverless Route Handlers directly to your private Google Sheet and Google Drive folder. We do not store, write, analyze, or cache submission contents inside any database.

2. Google Integration, Scopes & Data Security

To sync submissions to your assets, FormNest requests the following OAuth authorization scope during creator login:

  • drive.file: drive.file: Grants access *only* to folders and files created by FormNest. This is a highly restrictive scope designed to prevent FormNest from reading or modifying any other files in your drive. We use this scope to programmatically create spreadsheets and folders for your forms, and to read, write, and append form responses to them. No other Google files are accessed.

FormNest securely encrypts and stores your refresh tokens in Supabase. These credentials are only used by the automated server pipeline to sync submissions, and are never shared or accessible by third parties.

For responder verification and preventing duplicate submissions, FormNest checks the active Google Session of responders when enabled by form creators. This validation is done statelessly in-memory without caching responder identities, credentials, or profiles in our database.

3. Data Sharing, Transfer, and Disclosure

FormNest does not share, sell, transfer, or disclose Google user data (including refresh tokens, spreadsheet contents, or file upload payloads) to any third parties under any circumstances, other than as strictly required to process and write the form submissions to your Google Sheets, or as mandated by law. We do not use Google user data for advertisements, analytics, or behavioral targeting. Your data belongs 100% to you.

4. Security & Data Protection Mechanisms

We implement robust security controls to safeguard all Google user data and credentials. All communications between FormNest servers, user browsers, and Google API endpoints are encrypted in transit using industry-standard Transport Layer Security (TLS/HTTPS) protocols. Refresh tokens stored in our secure database are encrypted at rest using AES-256 (Advanced Encryption Standard) encryption to protect against unauthorized access.

5. CAPTCHA & Security Logs

We integrate official Cloudflare Turnstile CAPTCHA checks to block automated bot submissions and spam. During Turnstile verifications, standard client metadata (IP addresses and browser heuristics) are evaluated. Additionally, sliding-window rate limit counters are logged in our secure rate-limits database to protect form URLs from brute-force DDoS abuses. These logs contain only hashed IP signatures and timestamps and are scrubbed regularly.

6. Cookies

We use standard session cookies solely to preserve your login state as a FormNest creator using our secure NextAuth framework. We do not place advertising, analytics, or behavioral tracking cookies on creator or public-facing form layouts.

7. Legal Compliance & Contacts

FormNest compliance aligns with CCPA, GDPR, and global data confidentiality covenants. Because we never store submission data, any requests for deletion, editing, or access to form responses must be directed directly to the form's creator, as the data lives entirely under their Google Vault jurisdiction.

For questions regarding our privacy architecture, contact support at compliance@formnest.in.

© 2026 FormNest. Privacy Protected.