Version 2026-03-23
This Privacy Policy explains how staticq ("we", "us", "our") collects, uses, and protects personal data when you use our hosted form backend service ("Service").
staticq is the data controller for your account data. For form submission data, you (our customer) are the data controller and staticq acts as the data processor. See our Data Processing Agreement for details.
Contact: [email protected]
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Account identification, transactional emails | Contractual necessity |
| Password hash (PBKDF2-SHA256) | Authentication | Contractual necessity |
| Session token | Maintaining login state | Contractual necessity |
| ToS acceptance timestamp | Legal compliance record | Contractual necessity |
| Data | Purpose | Legal basis |
|---|---|---|
| Form field data (varies by form) | Processing and delivering submissions to you | Contractual necessity (processing on your behalf) |
| IP hash (SHA-256, daily-rotating salt) | Abuse prevention and rate limiting | Legitimate interest |
| User agent string | Abuse prevention, debugging | Legitimate interest |
| Referer header | Identifying submission source | Legitimate interest |
IP addresses are hashed with a daily-rotating salt and are not reversible. We do not store raw IP addresses.
Payment processing is handled entirely by Stripe. We store a Stripe customer ID and subscription ID to link your account to your billing record. We do not store credit card numbers, billing addresses, or other payment details.
| Subprocessor | Purpose | Location |
|---|---|---|
| Cloudflare | Hosting, CDN, D1 database, Workers compute | Global (edge network) |
| Stripe | Payment processing | United States |
| Resend | Transactional email delivery | United States |
We will notify you before adding new subprocessors that handle personal data.
| Data type | Retention period |
|---|---|
| Account data | Until account deletion |
| Submissions (Free plan) | 90 days |
| Submissions (Pro plan) | 365 days |
| Submissions (Business plan) | Unlimited |
| Sessions | 7 days |
| Verification codes | 15 minutes (purged nightly) |
| Password reset tokens | 1 hour (purged nightly) |
Your data may be processed in the United States and other countries where our subprocessors operate. For transfers from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) as adopted by the European Commission. Cloudflare, Stripe, and Resend each maintain SCCs for international data transfers.
Under GDPR and similar privacy laws, you have the right to:
To exercise these rights, contact us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection supervisory authority.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay.
staticq uses only strictly necessary cookies:
| Cookie | Purpose | Duration |
|---|---|---|
session |
Authentication (httpOnly, Secure, SameSite=Lax) | 7 days |
__stripe_mid |
Stripe fraud detection (set on billing page) | 1 year |
__stripe_sid |
Stripe session fraud detection | 30 minutes |
All cookies are strictly necessary for the provision of the Service and are exempt from consent requirements under the ePrivacy Directive. No cookie consent banner is needed.
staticq is not directed at children. We do not knowingly collect personal data from children under 13 (COPPA) or under 16 (GDPR). If you believe we have collected data from a child, please contact us and we will delete it promptly.
We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice in the Service.
For privacy-related inquiries: [email protected]