Between: The User of Kiwiform ("Controller")
And: Mythics Design LLP ("Processor")
Scope and Role
This DPA applies to the processing of personal data by Kiwiform on behalf of the user to provide the form-building service.
Processing of Personal Data
Subject Matter: The personal data submitted by respondents to the Controller’s forms.
Duration: For the duration of the Controller’s account being active.
Nature/Purpose: To collect, store, and organize form responses.
Categories of Data: Any data the Controller chooses to collect (Names, emails, etc.).
Processor's Obligations
Mythics Design LLP (Kiwiform) agrees to:
Process on Instruction: Only process data according to the Controller’s instructions (creating/hosting forms).
Confidentiality: Ensure all staff accessing data are bound by confidentiality.
Security: Implement technical measures (AES-256 encryption, SSL/TLS) as required by Article 32 of the GDPR.
EU Hosting: Provide the option for data residency within the European Union to satisfy Chapter V requirements.
Sub-processors
The Controller grants general authorization for Kiwiform to use the following sub-processors:
Polar.sh: For billing and subscription data.
OpenAI: For form translation (Data is not used for model training).
AWS/DigitalOcean: For cloud hosting (with EU region options).
Data Subject Rights
If a respondent (Data Subject) contacts Kiwiform to exercise their rights (access, deletion), we will redirect them to the Controller. We will provide the tools (Export/Delete) for the Controller to fulfill these requests.
Data Breach Notification
In the event of a personal data breach, Kiwiform will notify the Controller without undue delay (within 72 hours) after becoming aware of the breach.
GDPR Compliance Statement (For your "About" or "Trust" page)
Is Kiwiform GDPR Compliant?
Yes. We have designed Kiwiform with "Privacy by Design" principles.
Data Residency: You can choose to store your data on our EU-based servers.
Minimalism: We do not track your users or sell their data.
Data Portability: You can export your data at any time in JSON or CSV format.
Right to Erasure: When you delete a form or response, it is permanently purged from our active databases.
No AI Training: We use OpenAI via API, ensuring your data is not swallowed into their global training sets.