Privacy notice

How we handle your data.

Last updated 2026-05-16

This notice explains what personal data SahlForm (operated by [Sahl Suite QFC]) collects, why, how long we keep it, and the rights you have over it. Plain language first, legal references at the bottom.

Who we are (and what role we play)

Read this part carefully — it limits what we are and aren't responsible for.

For your SahlForm ACCOUNT data (email, name, password, billing) we are the data controller. We decided to collect it, we decide how to use it, you can hold us accountable for it.

For FORM SUBMISSION data — anything you typed into someone else's form — we are NOT the controller. We are a processor (GDPR Art. 4(8) / Qatar PDPL Art. 3) acting strictly on the instructions of the tenant organisation that built and published the form. The tenant decides what to ask, why, how long to keep it, and what to do with it. They are the controller (Art. 4(7)). For access, correction, or deletion requests on your form submissions, contact that tenant directly — they have the legal obligation and the operational ability to action it. We will assist them when they ask, but we will not make controller decisions on data that isn't ours to decide on.

Our registered office: [Sahl Suite, Qatar Financial Centre, Doha]. Contact: privacy@sahlform.com.

What we collect

Account data: email address, name, password hash. Submission data: whatever the form author asks you, plus your IP address, user agent, and a device classification (mobile / tablet / desktop) for abuse detection. File uploads if you attach them. Tenant data: organisation name, slug, custom branding. We do NOT collect special category data (Art. 9 — health, ethnicity, beliefs) unless a tenant explicitly designs a form that asks for it; in that case the tenant is responsible for obtaining your explicit consent.

Why we collect it (lawful basis)

Account creation, sign-in, email verification, and password reset — to perform our contract with you (Art. 6(1)(b)). Submission handling — under the legitimate interest of running the service safely (Art. 6(1)(f)), and on behalf of the tenant under their lawful basis. Error tracking and analytics — only with your consent via the cookie banner (Art. 6(1)(a)). Service improvement, fraud prevention, billing — legitimate interest (Art. 6(1)(f)).

How long we keep it

Account data: until you delete your account, plus 90 days for billing records and audit trails. Submission data: per the tenant's retention setting, default 12 months from submission date, after which we anonymise the personally identifiable fields (IP, user agent) and retain only the response payload for the tenant. Logs: 30 days. Cookie consent record: 12 months.

Who we share it with

The small handful of service providers that run our infrastructure — see the full list at /subprocessors. In short: Neon (database, Singapore region), Resend (transactional email), Cloudflare (anti-spam check on public forms), Vercel (web hosting), and on an opt-in basis Sentry (error tracking). We don't sell data, share it for advertising, or hand it to data brokers. When data crosses a border we rely on Standard Contractual Clauses or the relevant adequacy decision.

Your rights

You have the right to access your data (Art. 15), correct it (Art. 16), erase it (Art. 17), restrict processing (Art. 18), have it ported to another service (Art. 20), object to processing (Art. 21), and withdraw any consent you gave (Art. 7(3)). Exercise any of these via /data-request — we respond within 30 days. You also have the right to complain to a supervisory authority — for EU residents, your local data protection authority; for Qatar, the National Cyber Security Agency; for Saudi Arabia, the National Data Management Office (NDMO).

Security

TLS in transit, schema-per-tenant isolation at rest (each tenant's data lives in its own Postgres schema with no cross-tenant queries possible), bcrypt password hashing via Neon Auth, mandatory email verification, rate-limited auth proxy, IP-keyed abuse limits. We do not currently hold SOC 2 or ISO 27001 certification — that work is in progress.

International transfers

Our primary infrastructure is hosted by Neon in AWS Singapore (ap-southeast-1). For EU residents, we transfer your data under Standard Contractual Clauses (SCCs). For GCC residents, your data may stay closer to home depending on the tenant's configuration — ask your tenant's admin if data residency is a contractual requirement.

Children

SahlForm is not intended for users under 16 (EU) / 13 (KSA, Qatar). We do not knowingly process data of children below those ages. If you become aware that a child has submitted data through one of our forms, contact privacy@sahlform.com and we will delete it.

Cookies

We use strictly-necessary cookies (auth session, language preference) without consent under ePrivacy Directive Art. 5(3). Optional cookies (error tracking, analytics) are only set after you accept the cookie banner. You can change your choice anytime via the "Cookie preferences" link in the footer.

Changes to this notice

We will note material changes here with a new "last updated" date and, where the change affects how we process your existing data, email you directly. Continued use of the service after a posted change constitutes acceptance.

Contact

Questions, complaints, or DSR requests: privacy@sahlform.com. For data protection officer matters: dpo@sahlform.com. Postal: [Sahl Suite, Qatar Financial Centre Tower, Doha, Qatar].

Legal basis references: GDPR Art. 6, 13, 14, 15-21; ePrivacy Directive Art. 5(3); Qatar PDPL Art. 12-17; Saudi PDPL Art. 4-10. This notice is provided in good faith but does not constitute legal advice.