LAST UPDATED: MAY 2026
At FormNest, privacy is not a feature—it is our absolute architecture. FormNest is engineered as a Zero-Data-Retention Engine.
When a responder submits a form built via our platform, their data is piped in-memory inside serverless Route Handlers directly to your private Google Sheet and Google Drive folder. We do not store, write, analyze, or cache submission contents inside any database.
To sync submissions to your assets, FormNest requests the following OAuth authorization scopes during creator login:
FormNest securely encrypts and stores your refresh tokens in Supabase. These credentials are only used by the automated server pipeline to sync submissions, and are never shared with or accessible to third parties.
We integrate official Cloudflare Turnstile CAPTCHA checks to block automated bot submissions and spam. During Turnstile verifications, standard client metadata (IP addresses and browser heuristics) is evaluated. Additionally, sliding-window rate-limit counters are logged in our secure rate-limits database to protect form URLs from brute-force DDoS abuse. These logs contain only hashed IP signatures and timestamps and are scrubbed regularly.
We use standard session cookies solely to preserve your login state as a FormNest creator using our secure NextAuth framework. We do not place advertising, analytics, or behavioral tracking cookies on creator or public-facing form layouts.
FormNest compliance aligns with CCPA, GDPR, and global data confidentiality covenants. Because we never store submission data, any requests for deletion, editing, or access to form responses must be sent directly to the form's creator, as the data lives entirely under their Google Vault jurisdiction.
For questions regarding our privacy architecture, contact support at compliance@formnest.in.