Here at Cognito Forms, our goal is to empower you to easily build powerful solutions using the best online form builder in the world! We do not sell or mine your data or share it for any reason - except to safely provide these great form-building capabilities to you, our customer.
We collect the bare minimum of personal data necessary to create and administer accounts. The forms you build and the entries you collect using Cognito Forms are yours alone.
Personal Data We Collect
We collect the minimum amount of personal data required to provide form building services.
When you sign up to use Cognito Forms, you provide:
- your first and last name,
- your email address,
- the name of your organization,
- a password for your account,
- a profile image to represent you, and
- your IP address.
We also collect some of this information when you contact us for more information, such as through email, chat, or support requests. Additionally, your email address may be provided to us by someone you know when they invite you to join their organization in Cognito Forms, or when they configure notification emails for their forms.
When you upgrade your organization to a paid plan, we collect for your organization:
- the billing contact first and last name,
- the billing contact email address,
- the billing address, and
- the credit card to charge.
All of this information must be accurately provided to use Cognito Forms. If you are unable or unwilling to provide this information, you will not be able to sign up for an account or upgrade to a paid plan.
We record information about how and when you use Cognito Forms, including, for example, your IP address, time, date, browser used, and actions you have taken within the application. This information helps us to improve our services both for you and for all our users.
How We Use Personal Data
We use this personal information to provide form building services, not to mine or sell your data.
We use your personal information to provide services to you and to communicate with you:
- We show your first and last name in Cognito Forms when you log in and to identify you to other users of Cognito Forms.
- We use your email address as your username when you log in. We also use your email address to send notification emails from Cognito Forms, including announcements about new product features.
- We use your organization name throughout Cognito Forms so that you and your customers know which organization you are interacting with.
- We use your password solely to verify access to your account. We do not store your actual password, just an undecipherable representation (encrypted hash).
- We use your profile image to help you know you are logged into your account, by showing this image while logged in, and to identify you to other users of Cognito Forms.
- We use your IP address to personalize Cognito Forms based on where you are located and to help prevent fraud or abuse of our service.
We use your billing information solely to communicate with you about your paid subscription and charge your credit card for services. Cognito Forms does not capture, process, store or transmit credit card information. Stripe, a third-party PCI compliant payment processor, handles all interactions with credit card information on our behalf.
We use personal information for auditing, research and analysis to operate and improve Cognito Forms. We may use certain other information collected from you to help diagnose technical problems, administer Cognito Forms, and improve the quality and types of services delivered. We will not disclose personal information to third parties for purposes materially different from the purposes for which we originally collected it without your subsequent consent.
Reasons We Share Personal Data
We share information with authorized third parties to provide form building services, and with authorities to reduce crime and abuse.
Personal information we gather is for internal use only and we will not authorize the release of this information to anyone outside Cognito Forms, except as clearly described below.
Should you breach our Terms of Service, or if we are under a duty to disclose or share your personal data in order to comply with any legal obligations, we may disclose your information to a relevant authority. This may include exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction. Specifically, we may release the information we collect to third parties when we believe it is appropriate to comply with the law, to enforce our legal rights, to protect the rights and safety of others, or to assist with industry efforts to control fraud, spam or other undesirable conduct.
How to Access & Control Your Personal Data
You can access, download, update or remove your information at any time by logging in to your account.
You can opt out of marketing emails by clicking the link at the bottom of each email.
You can easily access or modify your personal information in Cognito Forms at any time:
- You can access and modify your personal information by logging into Cognito Forms using your email address and password and going to https://www.cognitoforms.com/myaccount. On this page you can edit your name and email address and change your password.
- If you have forgotten your password, you can reset your password by going to https://www.cognitoforms.com/forgot-password.
When you change your personal information, we make every effort to update this information in all of our systems. However, some historical data, like previous support requests you submitted, may reflect the information provided at the time the information was initially recorded. This historical data will not affect your future use of Cognito Forms or new communications with us.
You can easily opt out or remove your personal information from Cognito Forms at any time:
- You can opt out of receiving marketing emails from Cognito Forms by clicking the “unsubscribe from this list” link included in every email. This will opt you out of receiving any notifications not specifically related to your account, so you will only learn about new features, changes to our terms, etc. by logging in to Cognito Forms.
- You can also permanently delete your user account by going to https://www.cognitoforms.com/myaccount and clicking the “Delete Account” button. This will delete both your user account and all organizations for which you are the sole organization owner.
Opting out of receiving marketing emails will not affect your ability to use Cognito Forms. Conversely, deleting your account will not affect your ability to receive marketing emails and become aware of future product features you may be interested in.
When you delete your account, we make every effort to remove your personal information from all of our systems. However, some historical data, like previous support requests you submitted, will be retained for customer support purposes. After deleting your account, your organization, forms and entries will no longer be accessible or recoverable, and you will no longer receive notifications from Cognito Forms about your account.
Authorized organization users can export all entry data and uploaded files from Cognito Forms at any time for any reason. Our JSON webhooks, Zapier and Microsoft Power Automate integrations also allow you to transfer entry data and uploaded files to other cloud services in real time as changes occur.
Data Collected by You
You are responsible for obtaining consent and maintaining any personal information you collect with your forms.
Please let us know if your personal information was improperly collected by our users.
While Cognito Forms only collects the personal information necessary to provide form building services, you may collect a wide variety of information from your customers using the forms you create with our service.
We have no direct relationship with your customers, so you are responsible for making sure you have obtained the appropriate permission for us to collect and process information about these individuals. We may share information you collect via Cognito Forms for the same reasons we share personal data, such as with third parties to provide services on your behalf or with legal authorities when obligated to assist in criminal investigations.
If one of our users has collected your information using a Cognito Form, please contact the form owner directly to assist with obtaining, correcting, or removing this information. If you feel the form has collected information about you in a way that violates our Terms of Service, please report the abusive form.
Authorized Third Parties
We use a number of authorized third-parties to provide form building services. They are not permitted to use information we share with them for any other purpose.
Secure hosting of Cognito Forms is essential to both us and our customers. That is why we entrust Microsoft, an industry leader in secure cloud hosting, to protect all of our customer data.
All customer data, and the servers that process this data, are securely managed by Microsoft Azure, geo-replicated in real time to multiple datacenters in the US. Microsoft Azure has more security certifications than any other cloud provider. You can learn about these security measures in the Microsoft Azure Trust Center.
Cognito Forms uses three third-party user identity providers to provide an alternate means of signing up or logging into your account. When you sign up using these providers, you authorize us to obtain your name, email address, and profile image to set up your account. When you log in using these providers, you are simply verifying your identity, not sharing information or granting permissions. We do not share information with these providers, except the knowledge that you are using them to authenticate with our services. Sign up and log in via these third-party identity providers is optional and opt-in only.
Google is an optional identity provider that may be used to sign up or log into your account. We do not share your personal information with Google or grant them access to your account.
Facebook is an optional identity provider that may be used to sign up or log into your account. We do not share your personal information with Facebook or grant them access to your account.
Microsoft is an optional identity provider that may be used to sign up or log into your account. We do not share your personal information with Microsoft or grant them access to your account.
Cognito Forms uses three industry leading payment processors for secure PCI-compliant handling of credit card information for both our subscription plan payments and our payment forms.
Cognito Forms sends millions of emails each month, both to our customers and to your customers when they fill out your forms. We use multiple email providers to ensure secure and reliable email delivery.
Cognito Forms supports integrations with hundreds of other cloud services through our Zapier, Microsoft Power Automate and Make connectors. You must establish accounts directly with Zapier, Microsoft Power Automate and Make to use these connectors. Cognito Forms will only share information with these providers when you authorize them by securely connecting your organization to their services.
Microsoft Power Automate
Cognito Forms provides direct one-on-one support to all our customers, not a public forum free-for-all. We leverage Zendesk to provide email, chat and social media support for our customers. We use Pendo for user onboarding, in-app messaging and activity-related emails.
You may disable cookies within your browser to block this tracking by Google, understanding that doing so may affect your ability to use the full functionality of the Cognito Forms. For certain browsers, you can also prevent Google from collecting information (including your IP address) via cookies and processing this information by downloading and installing this browser plug-in: http://tools.google.com/dlpage/gaoptout.
Cognito Forms does not include Google Analytics on your public or embedded forms, and does not track usage by your customers. However, if your organization is on paid plan, you may connect your own Google Analytics account to track form usage by your customers.
Microsoft Application Insights
Cognito Forms uses Microsoft Application Insights to monitor and assess the health of the services we provide in real time. App Insights logs tons of useful information, like requests to our servers, connections to third-party dependencies, and any errors that may occur during processing. This data includes information like the IP address, browser version, internal user id and organization id for each request—information typically found in web server logs. We actively monitor and review reports from App Insights to proactively address any issues as they occur. App Insights is a Microsoft Azure product and is governed by the same security measures as our production hosting environment.
In addition to tracking server-based metrics about our services, App Insights also tracks errors that occur in the browser when you or your customers use Cognito Forms to build forms, submit entries, etc. We only track errors that occur in the browser while on our website, www.cognitoforms.com, not any browser errors that may occur when you embed your forms on your own website. This ensures that we are only tracking issues specifically related to Cognito Forms and not accidentally collecting information that is unrelated to the delivery of our services to you.
Notice of Breach of Security
We will notify you if there was a breach of your personal information.
If a security breach causes an unauthorized intrusion into our system that materially affects you or your organization’s information, then we will notify you as soon as possible and later report the action we took in response.
Safeguarding Your Information
We work hard to keep your information safe and secure. Please do your part and protect your account password.
We take reasonable and appropriate measures to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the personal information. We rely on Microsoft Azure to safeguard the physical and technical security of your information, and we have documented and enforced organizational controls to limit access to, and to protect your information and the information you collect via your forms. You can learn more about our commitment to the security of your personal information.
Cognito Forms accounts require an email address and password to log in. You must keep your email address and password secure, and never disclose it to a third party. If you feel like the security of your account has been compromised, you must inform us immediately so we can take protective measures to safeguard your information.
We Operate in the United States
Our servers and data are securely stored in geo-redundant datacenters in the United States.
Our servers and offices are located in the United States, so your information may be transferred, stored, or processed in the United States. While the data protection, privacy, and other laws of the United States might not be as comprehensive as those in your country, we take many steps to protect your privacy, including offering a data processing addendum. By using Cognito Forms, you understand and consent to the collection, storage, processing, and transfer of your information to our facilities in the United States and to those third parties with whom we share it as described in this policy.
Data Transfers from the EU, the UK and Switzerland to the United States
We participate in the EU-U.S. & Swiss-U.S Data Privacy Frameworks to meet the privacy adequacy provisions of the GDPR.
Cognito Forms participates in and has certified its compliance with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework and the Swiss-U.S. Data Privacy Framework. We are committed to subjecting all personal information received from European Union (EU) member countries, the United Kingdom and Switzerland, respectively, in reliance on each Data Privacy Framework, to the Framework’s applicable Principles. To learn more about the Data Privacy Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Data Privacy Framework website: https://www.https://www.dataprivacyframework.gov/s/. A list of Data Privacy Framework participants is maintained by the Department of Commerce and is available at: https://www.dataprivacyframework.gov/s/participant-search.
Cognito Forms is responsible for the processing of personal information it receives under each Data Privacy Framework and subsequently transfers to a third party acting as an agent on its behalf. We comply with the Data Privacy Framework Principles for all onward transfers of personal data from the EU, the United Kingdom, and Switzerland, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Data Privacy Frameworks, we are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have a privacy or data use concern related to Cognito Forms, please first email us at email@example.com so we can promptly address the issue. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider JAMS (free of charge to you) at https://www.jamsadr.com/eu-us-data-privacy-framework.
Under certain conditions, Data Privacy Framework provides the right to invoke binding arbitration when other dispute resolution procedures have not provided resolution. This is described in Annex I to the Data Privacy Framework.
If you’re collecting personal information about anyone in the European Economic Area (EEA), you must sign our Data Processing Addendum to be compliant with the General Data Protection Regulations.
US State-Specific Privacy Regulations
We comply with US state-specific data privacy regulations.
Cognito Forms complies with the provisions within state specific data privacy regulations, such as the California Privacy Rights Act, Colorado Privacy Act, Connecticut Data Privacy Act, Delaware Personal Data Privacy Act, Indiana Consumer Data Protection Act, Iowa Consumer Data Protection Act, Montana Consumer Data Privacy Act, Oregon Consumer Privacy Act, Tennessee Information Protection Act, Texas Data Privacy and Security Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act.
If you have a privacy or data use concern related to Cognito Forms, please email us at firstname.lastname@example.org so we can promptly address the issue.
Accuracy and Retention of Data
You can easily update your information at any time by logging into your account.
Deleted information may be retained in backups, but if you delete your organization, all of your forms and entries will be permanently deleted.
We do our best to keep your data accurate and up to date, to the extent that you provide us with the information we need to do so. If your data changes (for example, if you have a new email address), then you are responsible for logging into your account and updating this information, as this is the only way we can verify your identity given the limited amount of personal information we collect.
We will retain your information for as long as your account is active or as long as your information is necessary to provide you with our services. We may also retain and use your information to comply with our legal obligations, resolve disputes, prevent abuse, and enforce our agreements.
Organization information you delete during your use of Cognito Forms, such as entries, may be retained in secure backups. However, if you delete your organization, all of the organization’s forms and entries will be permanently deleted and will not be recoverable.
Questions & Concerns
If you have a question or complaint about this Privacy Statement or our information collection practices, please contact us at email@example.com or write to us at the address listed below. We will investigate the matter and are committed to resolving any privacy concerns that you may have.
929 Gervais Street, Suite D
Columbia, SC 29201
Modified on October 10, 2023