Privacy Policy

Last updated: 7 May 2026

This policy explains what personal information exhellforms collects, why we collect it, and what we do with it. We aim to keep this short and plain.

Who we are

exhellforms is operated by Verona AI Ltd, registered in England and Wales. You can contact us at privacy@exhellforms.com.

What data we collect

• Account data — name, email address, company name, job title, and an encrypted password hash. Provided by you when you register.
• Form and submission content — anything you or your team enters into the forms you build, including answers, photos, and signatures.
• Usage data — basic logs of which pages were visited and when, plus an IP address held briefly for rate-limiting and abuse prevention.
• Cookies — a single authentication cookie to keep you signed in, plus a small preferences cookie (theme, sidebar collapsed state). We do not use third-party analytics or advertising cookies in the beta.

Why we hold it (lawful basis)

• Contract — we need account data to provide the service you signed up for.
• Legitimate interest — basic usage logs help us keep the service reliable and secure.
• Legal obligation — we may retain certain records (audit log entries, billing) where the law requires it.

How long we keep it

Account and submission data is retained for as long as your workspace is active. If you close your workspace, we delete or fully anonymise your data within 30 days, unless we're required by law to retain it longer (e.g. financial records). Backups roll out within a further 30 days.

Who we share it with

We do not sell your data. We share it only with infrastructure providers we use to run the service:

• Hosting — our hosting provider (operates inside the UK/EEA)
• Database — managed PostgreSQL provider (UK/EEA region)
• File storage — Cloudflare R2 (EU region)
• Email delivery — Resend
• AI features — when you use the optional AI form generator, translation, or anomaly explanation, the relevant content is sent to Anthropic (via OpenRouter). Anthropic does not retain prompts for training. AI features are off by default — invoking them is your choice.

Your rights

Under UK GDPR you have the right to:

• Access a copy of the data we hold about you
• Correct inaccurate data
• Have your data deleted
• Restrict or object to certain processing
• Receive your data in a portable format
• Lodge a complaint with the ICO (ico.org.uk)

Email privacy@exhellforms.com and we'll action a request within 30 days.

Security

Data is encrypted in transit (TLS) and at rest. Passwords are hashed with bcrypt. Internal access is restricted to authorised staff and audit-logged.

Changes to this policy

We'll update the "Last updated" date at the top of this page when the policy changes, and give existing users notice via email of any material change before it takes effect.