Privacy Policy

This Privacy Policy explains how Boosterpack Forms (“Boosterpack Forms”, “we”, “us”) handles personal data when you use our website, dashboard, API, and embed script (the “Service”).

If you have questions, email support@boosterpack.xyz.

The exact data we process depends on how you use the Service (dashboard vs. API vs. embedded forms). In general, we process:

• Account data (dashboard login): authentication identifiers (for example, email address and OAuth profile details) needed to sign you in.
• Form configuration: a form id, activation status, allowed host allowlist, delivery limits, and operational timestamps.
• Destination email: the address where submissions are delivered. This is stored encrypted at rest for operational needs (for example, activation and delivery).
• API key metadata: we store API keys in a non-reversible form (for example, hashed) and track minimal usage/security metadata (such as last-used timestamps).
• Usage + security data: rate-limit counters and abuse-prevention signals. For example, we may hash IP addresses to enforce rate limits and protect the Service.
• Billing data (optional): if you enable paid plans, we process billing-related identifiers (like Stripe customer/subscription IDs). Card details are handled by our payment provider, not stored by us.

• Provide the Service: create and manage forms, activate domains, and deliver submissions to the configured destination email.
• Protect the Service: prevent abuse, spam, and automated attacks using technical measures like allowlisting, proof-of-work, and rate limiting.
• Support and communications: respond to support requests and send operational messages related to your use of the Service.
• Billing (if enabled): manage subscriptions, payments, and account entitlements.

Boosterpack Forms is designed to forward submissions immediately to the destination email configured for the form.

We do not store submission payloads (the message fields your site visitors type into your form) as part of the normal delivery flow. Submission fields are processed in-memory to validate, filter obvious spam, and render the outbound email.

If you embed Boosterpack Forms on your own website, you (the website operator) decide what fields you collect from your visitors and are responsible for your own privacy disclosures and legal basis for collecting that information.

To reduce inbox spam and platform abuse, we use multiple automated checks. Depending on configuration, these can include:

• Domain/host allowlisting: submissions are only accepted from allowed origins/hosts.
• Honeypots and timing checks: hidden fields and minimum time-to-submit to detect bots.
• Proof-of-work: the embed script solves a lightweight computational challenge that the server verifies.
• Rate limiting: we may compute and store hashed identifiers (for example, from IP addresses) to limit bursts and protect your destination inbox.
• Optional LLM spam scoring: if enabled by the operator, a redacted representation of submission fields may be sent to an AI provider to score likely spam. If the AI service is unavailable, the system is designed to fail open (deliver rather than block).

We share data only as needed to run the Service. Depending on your usage and configuration, this can include:

• Database/auth: Supabase (for account authentication and Service database).
• Email delivery: Resend (to send submission emails and operational emails).
• Payments (optional): Stripe (to process subscriptions/top-ups and handle payment details).
• Hosting/infra: our hosting provider(s) (for example, the platform that runs the Service and logs requests for security/operations).
• AI provider (optional): Google Gemini (only when optional spam scoring is enabled; submission fields are redacted before scoring).

We keep personal data only as long as needed to provide the Service, comply with legal obligations, and protect the Service from abuse.

• Submission payloads: not stored as part of normal operation (they’re forwarded via email).
• Operational metadata: form configuration, encrypted destination email, activation state, rate-limit counters, and usage metrics are retained while your forms/account exist (and may persist for a period in backups).
• Billing records: retained as required for accounting and compliance.

Depending on where you live, you may have rights to access, correct, export, or delete personal data. To make a request, contact us at support@boosterpack.xyz.

If you operate a site that embeds Boosterpack Forms, requests from your end users (your visitors) should generally be directed to you as the site operator, since you control what data you collect and the destination inbox where messages are delivered.

Email: support@boosterpack.xyz

Looking for usage details? See Docs.