WinFormBack to home

Legal

Privacy Policy

Last updated: 8 May 2026

This is the privacy policy for WinForm (winform.live), a platform that lets researchers run reward-driven survey campaigns. We've tried to write this in plain language. If anything is unclear, email us at hello@winform.live.

Who we are

WinForm is operated by an independent team based in Sri Lanka. For privacy questions, contact hello@winform.live.

What data we collect

We collect only what we need to run reward draws and notify winners.

  • Account data (creators): Your email address. That's it. We use Supabase Auth magic links - we never store passwords.
  • Campaign data (creators): The information you enter when creating a campaign - title, description, Google Form URL, reward details, response targets. Your campaign content is publicly visible at your campaign URL by design.
  • Response data (respondents): Your email address, plus your IP address and browser user-agent at the moment you submit. The IP/user-agent are kept solely for fraud forensics if a campaign is disputed - we do not use them for tracking, profiling, or advertising.
  • Cookies: A small signed cookie called sr_pending tied to your in-progress survey entry, plus standard Supabase auth cookies for creators. We do not use any third-party advertising or analytics cookies.

What we do not collect

We do not collect: your name (unless you provide it), your phone number, your physical address, your survey answers (those go directly to Google Forms - we never see them), any payment information (we don't process payments), or any data via third-party trackers, advertising pixels, or analytics scripts.

How we use your data

  • To verify your email address and tie a survey response to a real, contactable person.
  • To pre-fill your email into the Google Form (only if the campaign creator configured the pre-fill field).
  • To run the random winner draw when the campaign goal is reached.
  • To email you if you win, including the creator's contact info so they can deliver the reward. If you do not win, we do not send a follow-up email.

Who we share data with

Inside our system, the campaign creator can see the email addresses of confirmed respondents to their own campaign. This is so they can contact winners to deliver the reward. They cannot see respondents to other campaigns, and we do not give them your IP, user-agent, or any non-email data.

We use the following sub-processors to operate the service. Each holds data only to provide their function:

  • Supabase (database + authentication) - hosts your email and campaign data.
  • Resend (transactional email) - delivers verification and result emails. Sees the recipient address and the email content.
  • Cloudflare Turnstile (bot protection) - performs an invisible bot check on the email submission form.
  • Vercel (hosting) - serves the WinForm website and runs server-side code.

We do not sell, rent, license, or trade your personal data with any third party for marketing purposes.

Data retention

Active campaign data and the related responses are kept for the lifetime of the campaign. After a campaign is completed, response data is retained for up to 24 months for fraud forensics and customer support, then deleted. You can request earlier deletion at any time.

Your rights

You have the right to:

  • Request a copy of the data we hold about you.
  • Request correction or deletion of your data.
  • Withdraw consent and stop receiving emails from us.
  • Lodge a complaint with your local data protection authority if you believe we've mishandled your data.

To exercise any of these rights, email hello@winform.live. We respond within 30 days, usually within 1-2 days.

Security

Data is transmitted over HTTPS, stored on encrypted infrastructure provided by Supabase and Vercel, and access is restricted to the WinForm operators. Cookie payloads are signed with a server-side secret. We don't process payments, so we never see card details.

That said, no online service is 100% secure. If we ever experience a breach affecting your data, we will notify affected users by email within 72 hours of becoming aware.

International transfers

Our sub-processors operate globally. Your data may be stored or processed in the United States, the European Union, or other regions where these providers run their infrastructure. We rely on the standard data protection terms each provider commits to.

Children

WinForm is not intended for use by anyone under 13 (or under 16 in the EU/UK). If we learn that we've collected data from a child under these ages, we'll delete it immediately.

Changes to this policy

If we make material changes to how we handle your data, we'll update this page and revise the "Last updated" date at the top. For significant changes, we'll email registered creators.

Contact

Email hello@winform.live. We actually read these.