Privacy Policy
Last updated: 2026-03-23
Data controller
Forme is operated by a sole proprietor based in Finland. For all privacy inquiries, contact us at hello@formecms.com.
This Privacy Policy explains how we collect, use, and protect your personal data when you use the formecms.com website, the app.forme.build admin interface, and the Forme content management service.
Effective date: March 23, 2026
What data we collect and the legal basis
Waitlist form
When you join our waitlist, we collect:
- Email address (required)
- Current CMS tool (optional)
- Your role (optional)
- Feature interest (optional)
- Team size (optional)
Legal basis: Your consent (GDPR Article 6(1)(a)). You provide this data voluntarily when submitting the form.
CMS usage
When you use the Forme CMS service with your API keys, we store:
- Content you create (entries, content models, assets)
- API request logs (method, path, status code, duration — no request bodies)
- Activation events (workspace creation, first publish, first API fetch)
Legal basis: Contractual necessity (GDPR Article 6(1)(b)). Processing is necessary to provide the service you signed up for.
Analytics
We use Umami for website analytics. Umami is cookieless and privacy-focused — it does not use cookies, does not track users across sites, and does not collect personally identifiable information. No consent banner is required.
Data collected by Umami: page views, referrer, browser type, OS, device type, country (from anonymized IP). Your IP address is never stored.
Legal basis: Legitimate interest (GDPR Article 6(1)(f)). We have a legitimate interest in understanding aggregate website usage to improve the service. This processing is minimal and does not involve personal data.
API logs
API request logs (method, path, status code, response time) are retained for operational purposes.
Legal basis: Legitimate interest (GDPR Article 6(1)(f)). We have a legitimate interest in monitoring service health, diagnosing issues, and preventing abuse.
How we use your data
- Contact you about early access, product updates, and your feedback
- Improve the product based on usage patterns and feedback
- Measure activation (time from signup to first content delivery) to improve the developer experience
- Diagnose issues using API logs when you report a problem
We do not use your data for advertising, sell it to third parties, or share it with anyone outside of the service providers listed below.
Third-party services
| Service | Purpose | Data shared | Location | Transfer mechanism |
|---|---|---|---|---|
| Google Cloud Platform (GCP) | Infrastructure — Cloud Run, Cloud SQL, Cloud Storage | All service data | europe-west1 (Belgium, EU) | N/A (EU processing) |
| Umami Cloud | Website analytics | Anonymized page views (no PII) | EU | N/A (EU processing) |
| Resend | Email notifications | Email address, email content | US | EU-US Data Privacy Framework |
Resend is certified under the EU-US Data Privacy Framework, which provides an adequate level of data protection as recognized by the European Commission. If the DPF adequacy decision is invalidated, we will implement Standard Contractual Clauses (SCCs) or cease the transfer.
Data storage and security
- All service data is stored in GCP europe-west1 (Belgium, EU)
- Database: Cloud SQL (PostgreSQL) with encryption at rest
- Files: Google Cloud Storage with encryption at rest
- API communication: TLS (HTTPS) only
- Tenant isolation: row-level security ensures workspaces cannot access each other's data
- API keys are hashed before storage — we cannot retrieve your original key
Data retention
- Waitlist data: Retained for 12 months after last contact. If you become an active user, your data is retained for the lifetime of your account. You may request deletion at any time.
- CMS content: Retained for the lifetime of your workspace
- API logs: Retained for 30 days, then deleted
- Analytics: Aggregated, non-personal, retained indefinitely
Data breach notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.
Your rights (GDPR)
If you are in the European Economic Area, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Port your data to another service
- Object to processing
- Restrict processing
- Withdraw consent at any time (for consent-based processing)
To exercise any of these rights, email hello@formecms.com.
We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi) or your local data protection authority.
Cookies
We do not use cookies on formecms.com. Umami analytics is cookieless. The Admin UI (app.forme.build) uses a server-side session cookie (HttpOnly, Secure, SameSite=Strict) for authentication — this is a strictly necessary cookie and does not require consent.
Children
Forme is not intended for use by children under 16. We do not knowingly collect data from children.
Changes to this policy
We may update this policy. If we make material changes, we will notify you by email (if we have your email) or by posting a notice on the website. The "effective date" at the top will be updated.
Related documents
These terms work together with our Terms of Service, which govern your use of the Forme service.
Contact
For privacy inquiries: hello@formecms.com
Forme is operated by a sole proprietor based in Finland, EU.