Fillout ™ Privacy Policy

Last modified: August 26, 2023

Restly, Inc., d.b.a. Fillout, together with its representatives, consultants, employees, officers, and directors (collectively “Fillout” “we,” “us,” or “our”) operates the website located at www.Fillout.com (the “Site”) and the services for building dynamic, multi-step web forms (“Forms”), and related features, content, applications, or products offered by Fillout for building  the Forms (together with the Site, the “Services”). 

Fillout respects and protects the privacy of the users that use our Services.  We maintain strict policies to ensure the privacy of those who use our Services (“End Users,” “you,” or “your”) or those who may just access our Site without otherwise using our Services (“Visitors”). This policy (“Privacy Policy”) describes the types of information we may collect from you and our practices for collecting, using, maintaining, protecting, and disclosing such information. This Privacy Policy also includes a description of certain rights that you may have over information that we may collect from you. 

By using the Services, you agree to this Privacy Policy. If you do not agree with our policies and practices, your choice is to not use our Services.

Summary of Data Collection, Disclosure and Sale

Here is a short summary of data, the categories of data we have collected, disclosed, and / or sold over the last twelve months. We do not sell data, however, and the rest of this Privacy Policy provides more in-depth information on our privacy practices.

• Identifiers, such as contact details, real name, alias, address, telephone number, unique personal identifiers, online identifiers, IP address, email address, and account name.
• Do we collect? Yes
• Will we disclose this data as part of our business? Yes
• Will we sell this data? No
• Categories of PI described in the California Consumer Privacy Act (including name, email, phone number, mailing address, birthday)
• Do we collect? Yes
• Will we disclose this data as part of our business? Yes
• Will we sell this data? No
• Commercial information: (Transaction information, purchase history, financial details, and payment information)
• Do we collect? Yes (through third-party payment processors only)
• Will we disclose this data as part of our business? Yes
• Will we sell this data? No
• Geolocation data: (device location)
• Do we collect? Yes
• Will we disclose this data as part of our business? Yes
• Will we sell this data? No
• Internet or other electronic network activity information: (Browsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, systems, and advertisements)
• Do we collect? No
• Will we disclose this data as part of our business? Yes
• Will we sell this data? No
• Inferences drawn from other personal information to create a profile about a consumer: (for example, an individual’s preferences and characteristics)
• Do we collect? No
• Will we disclose this data as part of our business? No
• Will we sell this data? No
• Biometric information
• Do we collect? No
• Characteristics of protected classifications under California or federal law
• Do we collect? Yes
• Audio, visual or similar information
• Do we collect? No
• Professional or employment related information
• Do we collect? Yes (work email address)
• Non-public education information (per the Family Educational Rights and Privacy Act)
• Do we collect? No

INFORMATION THAT FILLOUT COLLECTS

Types of Information Collected

Personal Data

“Personal Data” is information by which you may be personally identified.  Fillout may collect the following Personal Data from you:

• Name;
• Email;
• Financial information for payment processing; and
• Username and/or Password (Optional to log in to the Services). 

Your payment information may be collected by third-party vendors, including our payment processor, Stripe. Such identifying information is not collected or stored by Fillout. 

 In addition to the Services storing the data that is submitted by third parties through the Forms, you may choose to store such data externally from the Services. With respect to the data that you or your designated data storage provider stores, you shall be solely responsible for your own data storage practices of any such data that you collect from third parties through the Forms.

Non-Personal Data

Non-personal data includes any data that cannot be used on its own to identify, trace, or identify a person. We may collect feedback and your device information, including IP address, browser type, domain names, and access times. 

When non-Personal Data you give to us is combined with Personal Data we collect about you, it will be treated as Personal Data and we will only use it in accordance with this Privacy Policy.

How we collect information

We collect information about you in a couple of ways: 

(1) when you provide it to us directly through an interaction with us; for example

• When you register for the Services;
• When you fill out feedback forms and surveys;
• When you enter contests;
• When you participate in forums;
• When you pay for Services;
• When you contact us for service requests via email or live chat

(2) through automated collection methods like cookies or log files;

(3) when we obtain the information through a third party, including third party data verification entities, payment processors, or when you choose to login via a connected email address.

Why we collect and how we use your information.  (Legal Basis)

We collect and use your Personal Data when we have a legitimate purpose to do so, including the following reasons:

• to verify your eligibility to use the Services; 
• when it is necessary for the general functioning of the Services, including to facilitate payment or to contact you; 
• when it is necessary in connection with any contract you have entered into with us (including our terms of service) or to take steps prior to entering into a contract with us;
• when we have obtained your or a third party’s prior consent;
• when we have a legitimate interest in processing your information for the purpose of providing or improving our Services; 
• when we have a legitimate interest in using the information for the purpose of contacting you, subject to compliance with applicable law; or
• when we have a legitimate interest in using the information for the purpose of detecting, and protecting against, breaches of our policies and applicable laws.

Legal Bases for Processing European Information

If you are located in the European Economic Area or the United Kingdom (collectively, “Europe”), we only process your Personal Data when we have a valid legal basis to do so, including the following reasons:

• Consent. We may process your Personal Data where you have consented to certain processing of your Personal Data. For example, we may process your Personal Data to send you marketing communications or to use Cookies where you have consented to such use.
• Contractual Necessity. We may process your Personal Data where required to provide you with our Services. For example, we may need to process your Personal Data to respond to your inquiries or requests.
• Legal Obligation. We may process your Personal Data where we have a legal obligation to do so. For example, we may process your Personal Data to comply with tax, labor and accounting obligations. 
• Legitimate Interests. We may process your Personal Data where we or a third party have a legitimate interest in processing your Personal Data. Specifically, we have a legitimate interest in using your Personal Data for product development and internal analytics purposes, and otherwise to improve the safety, security, and performance of our Services. We only rely on our or a third party’s legitimate interests to process your Personal Data when these interests are not overridden by your rights and interests.

We may use aggregated (anonymized) information about our End Users, and information that does not identify any individual, without restriction.

Accessing and Controlling Your Information

If you would like to prevent us from collecting your information completely, you should cease use of our Services. You can also control certain data via these other methods:

Correction capabilities: You have the ability to access and correct any inaccuracies in your personally identifiable information by emailing us at our email address provided in the Questions and Comments section below to correct such inaccuracies. We may require you to provide reasonable information to verify your identity before we respond to any of your requests. 

Opt-out of non-essential electronic communications: You may opt out of receiving newsletters and other non-essential messages by using the ‘unsubscribe' function included in all such messages. However, you will continue to receive notices and essential transactional emails.

Optional information: You can always choose not to fill in non-mandatory fields when you submit any form linked to our services.

Residents of certain states in the United States have statutory data rights. We attempt to provide the same control and rights over your data no matter where you choose to live in the United States. As an End User of the Services, you have the following control over your data:

• Right to access: You have the right to access (and obtain a copy of, if required) the categories of personal information that we hold about you, including the information's source, purpose and period of processing, and the persons to whom the information is shared.

• Right to rectification: You have the right to update the information we hold about you or to rectify any inaccuracies. Based on the purpose for which we use your information, you can instruct us to add supplemental information about you in our database.

• Right to erasure: You have the right to request that we delete your personal information in certain circumstances, such as when it is no longer necessary for the purpose for which it was originally collected.

• Right to restriction of processing: You may also have the right to request to restrict the use of your information in certain circumstances, such as when you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

• Right to data portability: You have the right to transfer your information to a third party in a structured, commonly used and machine-readable format, in circumstances where the information is processed with your consent or by automated means.

• Right to object: You have the right to object to the use of your information in certain circumstances, such as the use of your personal information for direct marketing

Residents of Europe have the following additional rights described below:

•You have the right to lodge a complaint with a supervisory authority, including in your country of residence, place or work or where an incident took place.

•You may withdraw any consent you previously provided to us regarding the processing of your Personal Data at any time and free of charge. We will apply your preferences going forward and this will not affect the lawfulness of the processing before you withdrew your consent. 

Exercise Your Data Rights

We acknowledge your right to request access, amendment, or deletion of your data. We also recognize that you have the right to prohibit sale of your data, but we do not sell data. 

You can exercise the rights described above, by sending an email or mail to the addresses listed in the Questions and Comments section below. Only you, or an agent authorized to make a request on your behalf, may make a request related to your personal information. 

We cannot respond to your request if, (i) we cannot verify your identity; or (ii) your request lacks sufficient details to help us handle the request. We will make best efforts to respond to your request within forty-five (45) days of its receipt. If we cannot respond in forty-five (45) days, we will inform you, in writing, the reason for the delay and will respond to your request within ninety (90) days. Any information we provide will only cover the twelve (12) month period preceding the request's receipt. 

We do not charge a fee to process or respond to your request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. We are not obligated to provide responses to your data requests more than twice in a twelve (12) -month period. 

Automated Data Collection Methods

Cookies

A cookie is a small file placed on the hard drive of your computer. Cookies are used to help us manage and report on your interaction with the Site. Through cookies, we are able to collect information that we use to improve the Services, keep track of username/password, authenticate your login credentials and tailor your experience on the Services. If you turn off cookies, your experience on the Services will be significantly impaired or prevented. 

Log Files

We use means through the Services to collect IP addresses, browser types, domain names, and access times. We use this information to optimize our platform, verify location, and maintain system security. 

How Long do we Store Personal Data?

We will only retain your Personal Data for as long as is necessary to fulfill the purposes for which it is collected, or to comply with our legal obligations. This length of time may vary according to the nature of your relationship with us and mandatory retention periods provided by law. 

Not Directed to Persons Under 18

Our Services are not intended for anyone under the age of 18, and we do not knowingly collect Personal Data from persons under 13. If we learn that we have collected or received Personal Data from a child under 13 without verification or parental consent, we will delete that information. If you believe we might have any information from or about a child under 13, please contact us at the email address listed below. 

Do Not Track Settings

We do not track our Users over time and across third party websites to provide targeted advertising and do not specifically respond to Do Not Track (“DNT”) signals. 

WHO WE SHARE DATA WITH

We may use aggregated (anonymized) information about our End Users and Visitors, and information that does not identify any individual, without restriction.

We do not sell or otherwise disclose Personal Data specific personal or transactional information to anyone except as described below.

Other Users 

We may share your Personal Data collected through the Services with other End Users (such as other End Users within your organization) or their authorized agents when you authorize us to do so, or when you complete a Form requested by such End Users through our Services. 

Affiliates and Subsidiaries

We may, for our legitimate interests, share your information with entities under common ownership or control with us who will process your information in a manner consistent with this Privacy Policy and subject to appropriate safeguards. Such parent companies, affiliates, or subsidiaries may be located in the United States.

Successors in Interest

We may, for our legitimate interests, share your information with a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, in which Personal Data about our End Users is among the assets transferred. You will be notified of any such change by a prominent notice displayed on our Services or by email. Any successor in interest to this Privacy Policy will be bound to the Privacy Policy at the time of transfer.

Law enforcement and other governmental agencies

We may share your information when we believe in good faith that such sharing is reasonably necessary to investigate, prevent, or take action regarding possible illegal activities or to comply with legal process. This may involve the sharing of your information with law enforcement, government agencies, courts, and other organizations.

Service Providers

We may, for our legitimate interests, share certain information with contractors, service providers, third party authenticators, and other third parties we use to support our business and who are bound by contractual obligations to keep Personal Data confidential and use it only for the purposes for which we disclose it to them. Some of the functions that our service providers provide are as follows: 

• Host server infrastructure and storage;
• Including Amazon Web Services (AWS) and the Google Cloud Platform (GCP), via render.com
• Business analytics services;
• User and identity verification management; 
• Payment processing;
• Site log analytics service for activity, performance, and troubleshooting;
• Marketing, sales, and service management; and 
• Email management services.

THIRD-PARTY SERVICES AND WEBSITES

Our Services may contain links to, or you may optionally integrate or connect our Services with, other websites, products, or services that we do not own or operate (“Third-Party Services”). Additionally, you may optionally self-host (on End-User premises) an agent software on your preferred cloud infrastructure provider to prevent any of your customer data collected from your use of our Services from being transferred to, or stored or processed by, Fillout.

Fillout is not responsible for the privacy policies or other practices employed by these Third-Party Services linked to, or from, our Site nor the information or content contained therein, and we encourage you to read the privacy statements of any linked third party. If you have any questions about how these Third-Party Services use your personal information, you should contact them directly.

DATA STORAGE AND HOW FILLOUT PROTECTS YOUR INFORMATION

Fillout stores basic End User data on our servers including name and email. Payments are not always required by End Users. If an End User makes a purchase and a payment is required, then payment information is processed and stored by our partners or service providers. 

Personal Data about End Users and Visitors is stored within the United States. For End Users that pay for our enterprise-level Services, Personal Data about End Users and Visitors can be stored in the European Union (EU) pursuant to European Commission-approved Standard Contractual Clauses as needed to perform our Services that you have requested from us, or with your consent. The Services are only intended to be used inside the United States by residents of the United States who are 18 years of age or older. If you are using the Services from other regions with laws governing data collection and use, please note that you are agreeing to the transfer of your Personal Data to the United States or to the EU (if applicable) in connection with storage and processing of data, fulfilling your requests, and use of our Services. By providing your Personal Data, you consent to such transfer, storage and processing in accordance with this Privacy Policy. 

Fillout employs physical, electronic, and managerial control procedures to safeguard and help prevent unauthorized access to your information. We choose these safeguards based on the sensitivity of the information that we collect, process and store and the current state of technology. Our outsourced service providers who support our operations are also vetted to ensure that they too have the appropriate organizational and technical measures in place to protect your information.

Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your Personal Data, we cannot guarantee the security of your information transmitted to the Services. Any transmission of information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Services. In the event that there is breach in the information that we hold, we shall notify of such breach via email or via notice on the Services.

CHANGES TO THE PRIVACY POLICY

It is our policy to post any changes we make to our Privacy Policy on this page of the Site. If we make material changes to how we treat our End Users’ or Visitors’ Personal Data, we will notify you by email to the primary email address specified in your account or through a prominent notice on the Site. Such changes will be effective when posted. The date the Privacy Policy was last revised is identified at the top of the page. Your continued use of our Services following the posting of any modification to this Privacy Policy shall constitute your acceptance of the amendments to this Privacy Policy. You can choose to discontinue use of the Service if you do not accept any modified version of this Privacy Policy.

QUESTIONS AND COMMENTS

If you have any questions or comments about this Privacy Policy, or if you would like to file a request about the data we hold or file a deletion request, please contact our Privacy team by email at privacy@fillout.com or by mail at:

Restly, Inc., d.b.a. Fillout

Attn: Privacy Team

1210 S Indiana Ave. Unit 1817

Chicago, IL 60605. 

REPRESENTATION FOR DATA SUBJECTS IN THE EU

We value your privacy and your rights as a data subject and have therefore appointed Prighter as our privacy representative and your point of contact in the EU.

Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative Prighter or make use of your data subject rights, please visit https://prighter.com/q/11880772674

Accessing and Deleting Your Data

If you would like to access a copy of your data, you may submit a request via email at privacy@fillout.com We will provide you with the requested information within a reasonable time frame, in compliance with applicable laws.

Should you wish to delete your account data, please send an email to privacy@fillout.com.

Fillout™ Google APIs Limited Use Disclosure

Effective Date: Sep 4th, 2023

Fillout's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Fillout™ Google Workspace APIs Limited Use of User Data

Effective Date: March 31, 2024

Fillout's use and transfer to any other app of information received from Google Workspace APIs will adhere to Google Workspace APIs User Data and Developer Policy. User data obtained through Google Workspace APIs will not be used to develop, improve, or train generalized AI and/or machine learning models.