Privacy Policy

Effective April 30, 2026 · Motivation Labs LLC · form@motivationlabs.ai

Plain-language summary (not legally binding): Motivation Form lets developers create and host web forms. We collect what we need to run the Service: account info from form owners, the form configurations they upload, and the responses their respondents send. For respondent data, the form owner is in charge of what gets collected and why — we store and route it on their behalf. We do not sell your data and do not use response content for advertising.

1. Scope of This Policy

This Privacy Policy describes how Motivation Labs collects, uses, discloses, and protects personal information in connection with the Service. It applies to:

Form owners — customers who create accounts, deploy forms, and use the dashboard, API, CLI, or MCP server.
Respondents — individuals who submit a form hosted on the Service.
Visitors — anyone who browses our sites at form.gold, app.form.gold, or docs.form.gold.

This Policy does not govern personal information that a form owner collects through their own forms once exported from the Service, nor data practices of third-party sites that link to or from the Service.

2. Roles: Controller and Processor

Data category	Controller	Processor
Form-owner account data	Motivation Labs	—
Form configuration uploaded by an owner	The form owner	Motivation Labs
Respondent response data	The form owner	Motivation Labs
Files uploaded by respondents	The form owner	Motivation Labs
Service operations and security logs	Motivation Labs	—

For respondent data, the form owner is the data controller. If you are a respondent and want to exercise privacy rights, contact the form owner first. If you cannot identify the form owner, contact us at form@motivationlabs.ai.

3. Information We Collect

3.1 Information form owners give us

Account identifiers — email address, handler, display name.
Authentication metadata — login timestamps, OAuth tokens, session identifiers.
API credentials — bcrypt hashes only; plaintext shown once at creation and never persisted.
Form content — Markdown definitions, field schemas, branding, notification recipients.
Billing information — collected and stored by Stripe; we receive only metadata (customer ID, invoice status, payment outcome).
Communications — emails to support and feedback submitted through the dashboard.

3.2 Information collected from respondents (on behalf of the form owner)

Field responses, response timestamp (UTC), and Cloudflare Turnstile pass/fail status.
Optional, controlled by the form owner via collect: config: IP address, browser user-agent, HTTP referrer.

Motivation Labs does not control the questions or content of any form.

3.3 Files uploaded by respondents

Files are stored in Supabase Storage. The response record holds only the storage URL.

3.4 Information we collect automatically

Form-view events (form_id, IP, timestamp for completion-rate stats) and service logs from Vercel (IP, path, status, timestamps — retained for security and debugging).

3.5 What we do not collect

We do not knowingly collect biometric identifiers, precise geolocation, data from children under 13, or special-category data (unless a form owner explicitly collects it, in which case the form owner is responsible for legal basis and disclosure).

4. How We Use Information

Operate the Service — render forms, store responses, send email notifications, run the dashboard, CLI, API, and MCP server.
Authenticate and secure accounts — verify logins, prevent unauthorized access, hash API keys, run bot detection.
Bill and meter usage — count responses, apply free-tier and PAYG rates, process payments via Stripe.
Communicate with form owners — service notifications, security notices, and opted-in product updates.
Investigate abuse and enforce our terms.
Comply with law — respond to lawful requests, fulfill tax and accounting obligations.
Improve the Service — analyze aggregate, de-identified usage trends. We do not read response field content for product analytics.

We do not use respondent response content, files, or personal data for advertising, model training, profiling, or any purpose other than providing the Service to the form owner.

5. Legal Bases (GDPR / UK GDPR)

Where GDPR or UK GDPR applies and Motivation Labs is controller (account data, billing, security logs), we rely on: Contract (to provide the Service), Legitimate interests (to secure the Service, prevent abuse, improve the product), Legal obligation (tax, accounting, law enforcement), and Consent (where required, e.g., certain marketing communications).

Where Motivation Labs is processor (respondent response data), the form owner is responsible for the legal basis under Article 6 and for providing notice to respondents.

6. How We Share Information

We share personal information only: with our subprocessors (§7); with the form owner (response data is by design made available to them); with professional advisors under confidentiality; in a corporate transaction (merger, acquisition, asset sale) subject to equivalent protections; for legal reasons (valid legal process, to protect rights and safety); or with your direction or consent.

We do not sell personal information. We do not “share” personal information for cross-context behavioral advertising as defined under CCPA/CPRA.

7. Subprocessors

Subprocessor	Function	Data	Region
Supabase, Inc.	Database, auth, object storage	Account data, form config, response data, file uploads	United States
Vercel, Inc.	Hosting, edge rendering, CDN	Request logs, form-page traffic	Global / United States
Resend, Inc.	Transactional email delivery	Owner email; response content delivered by email	United States
Cloudflare, Inc.	Bot protection (Turnstile), DNS	Respondent IP and browser signals; Turnstile token	Global
Stripe, Inc.	Payment processing, metered billing	Form-owner billing data	United States

We will provide reasonable advance notice of any new subprocessor by updating this Policy or our subprocessor list at docs.form.gold/legal/user-agreements.

8. International Data Transfers

The Service is operated from the United States. Where required by GDPR, UK GDPR, or Swiss FADP, we rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK Addendum / Swiss appendices. Form owners that are EU/UK/Swiss data exporters are encouraged to execute our Data Processing Agreement.

9. Cookies

Category	Purpose	Required?
Strictly necessary (Supabase session, CSRF token)	Keep you logged in; protect against forgery	Yes — disabling breaks the Service
Functional (UI preferences)	Remember dashboard layout	No
Analytics (privacy-preserving, aggregate)	Understand traffic to form.gold and form pages	No
Bot protection (Cloudflare Turnstile token)	Verify a respondent is not a bot	Yes for form response

Public form pages do not set tracking cookies for cross-site advertising.

10. Data Retention and Deletion

Data type	Retention
Form-owner account record	While account is active; deleted within 30 days after closure.
Form configuration (Markdown / JSON)	While the form exists; deleted when form or account is closed.
Response data (paid or free tier)	Retained while account is in good standing or until owner deletes it.
Locked responses (grace buffer)	Permanently deleted 90 days after collection if not unlocked.
File uploads	Tied to parent response; deleted when response, form, or account is closed.
Service logs	Up to 90 days, then aggregated or deleted.
Billing records	Up to 7 years (U.S. tax / accounting requirements).
Backups	Rolling 30-day cycle.

Form owners can delete individual responses, forms, or their entire account from the dashboard at any time.

11. Children

The Service is not directed to children under 13. Form owners are contractually prohibited from using the Service to collect data from children without verifiable parental consent. If we learn we have collected data from a child without proper authorization, we will delete it.

12. Your Privacy Rights

Form owners

You can access, correct, export (CSV/JSON/Markdown), or delete your account data and response data from the dashboard; revoke API keys at any time; and close your account at app.form.gold/account/delete.

Respondents

Because the form owner is the controller of your response, please direct requests to them first. If you cannot reach them, email form@motivationlabs.ai.

EU / UK / Switzerland

You have rights of access, rectification, erasure, restriction, portability, and objection under GDPR Articles 15–22. You have the right to lodge a complaint with your supervisory authority.

California (CCPA/CPRA)

California residents have rights to know, delete, correct, and opt out of “sale” or “sharing” of personal information. We do not sell or share personal information for cross-context behavioral advertising. Contact form@motivationlabs.ai to exercise rights.

13. Security

We protect personal information with: HTTPS/TLS for all traffic; database row-level security so each form owner accesses only their own data; API keys stored as bcrypt hashes; server-side Turnstile verification before any response is written; service-role keys never exposed to client code; and vendor due diligence on subprocessors. No system is perfectly secure; we will notify you as required by law in the event of a security incident.

14. Automated Decision-Making

We do not use personal information for automated decision-making that produces legal or similarly significant effects on individuals.

15. Changes to This Policy

We may update this Policy. The “Last Updated” date at the top will reflect the change. Material changes will be notified by email to active form owners or by prominent notice in the dashboard. Continued use after the effective date constitutes acceptance.

16. Contact

Motivation Labs LLC
Email: form@motivationlabs.ai
Website: https://form.gold

For privacy-specific inquiries, write “Privacy” in the subject line. If you are not satisfied with our response, you may have the right to complain to a data protection authority in your country of residence.

This Privacy Policy was prepared for Motivation Labs LLC and is not legal advice. Reviewed by counsel before publication.