1. Introduction & Scope
Formatly Inc. ("we," "our," or "us") is deeply committed to safeguarding your privacy and ensuring the security of the data you entrust to us. This Comprehensive Privacy Policy details exactly how we collect, use, process, share, and protect your personal data and proprietary documents when you access our website, application programming interfaces (APIs), and AI-driven formatting platform (collectively, the "Services").
By registering an account or utilizing our Services in any capacity, you acknowledge that you have read, understood, and unreservedly agree to the terms prescribed in this Privacy Policy.
2. Exhaustive List of Information We Collect
To provide, maintain, and secure our Services, we collect specific categories of data, classified below:
2.1 Information You Provide Directly to Us
- Account Credentials: Full name, email address, strictly encrypted passwords, and profile avatars.
- OAuth Data: If you authenticate via Google or another third-party Single Sign-On (SSO) provider, we collect your basic profile information (name, email) as permitted by those providers and your privacy settings with them.
- Financial Data: For paid subscriptions, we collect billing addresses and payment histories. Note: We do NOT store full credit card numbers or CVV codes within our internal databases. All financial transactions are tokenized and processed securely by our PCI-DSS compliant payment gateways (e.g., PayPal, Stripe, Paddle).
- Direct Communications: Any inquiries to our support desk, feedback forms, feature requests, or legal correspondence.
2.2 Automatically Collected Telemetry & Usage Data
- Device & Network Metrics: IP addresses, browser agents, operating system versions, and unique device identifiers (e.g., UUIDs).
- Application Telemetry: Features accessed, exact timestamps of API calls, document parse durations, error logs, and stack traces resulting from application crashes.
- Cookies & Local Storage: Cryptographic session tokens, JWTs, and tracking beacons necessary for user authentication and preserving application state across sessions.
2.3 User-Provided Content (The "Document Payload")
When utilizing our formatting engines, you upload raw text files, PDFs, or word processing documents. This payload includes your raw intellectual property, bibliographic metadata, and any embedded data within the file structure.
3. Our Strict Policy on AI Training & Document Processing
We recognize that academic and professional documents are highly sensitive. This section explicitly defines our handling of your Document Payload.
- Ephemerality & Processing: Document Payloads are transferred over TLS 1.3 encryption directly into our secure, isolated processing pipelines. They reside in volatile memory briefly during active parsing and formatting before being output back to you. They are then securely stored within segregated cloud buckets utilizing strict Row-Level Security (RLS) policies.
- Zero Foundation Model Training: Under absolutely no circumstances do we harvest, mine, scrape, or otherwise utilize your Document Payload to train, fine-tune, or calibrate our foundational Large Language Models (LLMs) or heuristic algorithms.
- Isolation Guarantee: Your Document Payload is exclusively tied to your authenticated user identity. Our architectural design prohibits cross-tenant data spillage. No other user on the Formatly platform can query, access, or derive insight from your stored documents.
4. How We Utilize Non-Document Information
Excluding the Document Payload, we utilize Account, Financial, and Telemetry data strictly for:
- Fulfilling the core contractual obligations of our Services.
- Processing invoices, handling disputes, and preventing systemic payment fraud.
- Detecting and mitigating catastrophic security threats, DDoS attacks, blocklisting malicious IP ranges, and auditing system integrity.
- Aggregating anonymized cohort analytics to dictate future feature roadmaps (e.g., determining the percentage of users requiring Chicago Style versus APA).
- Compliance with explicit legal subpoenas issued by courts of competent jurisdiction.
5. Third-Party Subprocessors
We lack vertical integration on all hardware stacks. Therefore, we utilize trusted third-party enterprise vendors ("Subprocessors"). We only share the minimal amount of data required for them to perform their specific function. Current subprocessors include:
- Authentication & Database Hosting: Supabase Inc. (Stores encrypted credentials and document mappings).
- Edge Infrastructure & CDN: Vercel Inc. (Hosts the application runtime and routes traffic securely).
- Payment Infrastructure: PayPal Holdings, Inc. / Stripe, Inc. (Handles PCI-compliant processing of transaction tokens).
- Transactional Email: Resend / SendGrid (For password resets, invoice deliveries, and email verification pings).
We execute binding Data Processing Agreements (DPAs) with all subprocessors ensuring their data security standards align with or exceed our own.
6. Data Security Architectures
We implement defense-in-depth strategies:
- Encryption in Transit: 100% of data traveling to and from our domains is protected by mandatory HTTPS (TLS 1.2+ minimum, TLS 1.3 default).
- Encryption at Rest: Database volumes and cloud storage buckets are encrypted utilizing AES-256 standard encryption before physical write to disk.
- Access Control: Administrative access to production databases requires multi-factor authentication (MFA) and is strictly limited on a principle-of-least-privilege basis to essential DevOps personnel only.
7. International Data Transfers
Formatly operates primarily out of servers located in the United States and the European Union. By using the Services, you consent to the transfer of your data to these regions. For users originating in the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) to ensure adequacy mechanisms are met during transatlantic data flows.
8. Your Absolute Data Rights (GDPR & CCPA Aligned)
Subject to verified identity and local law, you hold actionable rights concerning your data:
- The Right to Access & Portability: You may request a machine-readable export of all metadata associated with your account.
- The Right to Rectification: You may correct erroneous profiling data via your dashboard.
- The Right to Erasure ("Right to be Forgotten"): Upon clicking "Delete Account," we trigger a cascading hard-delete of your profile and billing history, and entirely purge your stored Document Payloads from active storage buckets. (Note: Encrypted backups may retain this data for an additional 30 days before natural rotation overwrites them.)
- The Right to Restrict Processing: You may halt active processing scenarios under certain dispute conditions.
To trigger any of these formal actions beyond the capabilities of the automated user dashboard, email your request directly to formatlyapp@gmail.com with the subject line "Formal Data Request." We process authenticated requests within 30 calendar days.
9. Mandatory Disclosure Thresholds
We reserve the right to pierce data confidentiality and disclose information to law enforcement agencies or third-party litigants ONLY if compelled by a court order, subpoena, search warrant, or binding statutory mandate. We will, unless explicitly gagged by the issuing court, attempt to notify you prior to compliance so you may seek protective legal remedies.
10. Contact Details & Privacy Officer
For escalations, formal GDPR Article 27 inquiries, or concerns regarding systemic privacy vulnerabilities, you must contact our dedicated compliance desk:
Formatly Data Protection Officer
C/O Legal & Compliance
formatlyapp@gmail.com
If you suspect a zero-day vulnerability or security breach, do not use regular support channels. Email formatlyapp@gmail.com directly.