Static Contact Privacy Policy

This privacy policy explains what personal information Static Contact collects, why we collect it, who we share it with, and the rights you have over it. It applies to all information collected by or submitted to Static Contact.

Static Contact is operated by Sanderson Howe Limited (NZBN 9429049408096), a company incorporated in New Zealand. You can contact us about anything in this policy at team@staticcontact.com.

Our two roles

Two kinds of people interact with Static Contact, and our responsibilities differ for each:

  1. Account holders — if you sign up and add forms to your website, we decide how your account information is processed. In data protection terms, we are the controller of your account data.
  2. Form visitors — if you fill in a form on a website that uses Static Contact, the owner of that website decides what is collected and why. We process your submission on their behalf and on their instructions. In data protection terms, the website owner is the controller and we are a processor.

If you are a form visitor and want your data accessed, corrected or deleted, the quickest route is to contact the owner of the website whose form you used. You can also contact us directly and we will help.

Collection of your Personal Information

Account holders. We collect your name, email address and password when you create an account. If you subscribe to a paid plan, payment card details are collected and processed by our payment provider, Stripe — we do not store full card numbers. We automatically record technical data such as IP addresses and browser types to prevent fraud, maintain security, and understand aggregate usage of the service.

Form visitors. When a form submission is sent to us we process the contents of the submission (whatever fields the website owner chose to collect), the visitor's IP address, and technical anti-spam metadata such as spam-check scores, captcha verification results, the browser's User-Agent string, and the website domain the submission came from. We use the IP address and metadata solely for spam and abuse prevention and for delivering the submission to the website owner.

You agree not to use the Static Contact Service to collect sensitive personal data (such as health, biometric or financial account information) through your forms.

Form submission retention — privacy by design

Privacy by design: by default we delete the contents of successfully delivered form submissions shortly after they reach your inbox, so we hold your visitors' data no longer than we need to. This deletion by default, retention by choice approach is a deliberate GDPR advantage — we minimise the personal data we store on your behalf. If you'd rather keep submissions, you can opt in to archiving on a per-form basis, in which case delivered submissions are retained for a limited period that depends on your plan, and can be exported as CSV or deleted at any time. Turning archiving off returns the form to delete-on-delivery. Spam submissions may be retained temporarily to improve our spam filters.

How we use your Personal information

We use personal information to:

  • provide the Services, Site and customer support;
  • verify your identity for security purposes;
  • resolve disputes and troubleshoot problems;
  • prevent, detect and investigate spam, fraud, abuse and other prohibited or illegal activities, and enforce our User Terms;
  • send you service-related messages such as delivery notifications, billing receipts and legal notices;
  • with your consent, tell you about product updates and improvements (you can unsubscribe at any time); and
  • produce anonymised, aggregated statistics about how the service is used.

Static Contact does not sell, rent or lease personal information to anyone. We do not run advertising, do not share data with advertising networks, and do not build marketing profiles of you or your form visitors.

Contract - to provide the Services, Site and customer support; verify your identity for security purposes; resolve disputes and troubleshoot problems; and enforce our User Terms, the processing is necessary for the contract we have with you.

Consent - if we tell you about product updates and improvements, you have given us clear consent to process your personal data for that specific purpose, and you can withdraw it at any time.

Legal obligation - to prevent, detect and investigate potentially prohibited or illegal activities, the processing is necessary for us to comply with the law.

Legitimate interests - to keep the service secure, prevent spam and abuse, and improve our Services, the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect your personal data which overrides those legitimate interests.

Spam prevention and blocklists

To protect our customers' inboxes and our email-sending reputation, every form submission passes through anti-spam checks. As part of this we maintain a blocklist of IP addresses and email addresses associated with spam or abuse. Entries added automatically by our systems expire after at most 60 days; entries added manually by our team are reviewed and removed when no longer needed. This processing relies on our legitimate interest in preventing fraud and abuse.

Third parties

We share personal information only with the service providers below, and only to the extent needed to run Static Contact:

  • Amazon Web Services (AWS) — hosting of our infrastructure and delivery of email notifications (Amazon SES). Our infrastructure runs in the United States.
  • Stripe — payment processing for paid plans. Your card details go directly to Stripe and are governed by Stripe's privacy policy.
  • Captcha providers — if a website owner enables a captcha on their form, the visitor's captcha token is sent to the chosen provider for verification: Google reCAPTCHA, hCaptcha or Cloudflare Turnstile. For Google reCAPTCHA and Cloudflare Turnstile the visitor's IP address is also sent as part of verification. Captchas are configured by the website owner — forms without a captcha send nothing to these providers.
  • Webhook and chat destinations — website owners can choose to have their submissions delivered to services such as Slack, Discord, Telegram or their own webhook URLs. Where a website owner configures this, we deliver the submission data to the destination they chose; that destination's own terms and privacy policy then apply.
  • Analytics — we use Google Analytics in a cookieless configuration: consent is denied by default and never granted, so it sets no cookies and cannot track you across sites. Visit counts reach Google as anonymous, aggregate pings; like any web request these include an IP address and browser type. We use the resulting aggregate statistics only to understand visits to our own website.

We may disclose personal information in response to subpoenas, court orders, or other legal requirements; to exercise our legal rights or defend against legal claims; to investigate, prevent, or take action regarding illegal activities, suspected fraud or abuse, or violations of our policies; or to protect our rights and property.

In the future, we may sell to, buy, merge with, or partner with other businesses. In such transactions, user information may be among the transferred assets.

This policy applies only to Static Contact. Websites that use our forms, and services that submissions are delivered to, have their own privacy practices that we do not control.

Cookies

Static Contact uses only essential cookies: a session cookie and a security (CSRF) cookie that are required for logging in and submitting forms safely, and an optional "remember me" cookie if you choose it at login. We set no advertising, tracking or cross-site cookies, and our analytics is cookieless. Because every cookie we set is essential to the service working, there is no cookie banner to click through.

You can block cookies in your browser settings, but the dashboard login will not work without the essential ones.

Where your data is stored

Our infrastructure runs on Amazon Web Services in the United States (us-east-1). Sanderson Howe Limited operates from New Zealand — one of the small number of countries holding a European Commission adequacy decision, meaning personal data can lawfully flow from the EEA to us without additional safeguards. For the onward hosting of data with AWS in the United States, AWS provides GDPR-compliant data processing terms and is certified under the EU–U.S. Data Privacy Framework.

Security of your Personal Information

All traffic to and from Static Contact is encrypted in transit using TLS. Access to personal information is restricted to those who need it to operate the service. Payment card numbers never touch our servers — they are handled by Stripe. No service can guarantee absolute security, but we design for holding as little personal data as possible, for as short a time as possible.

Retention

We retain account data for as long as you have an account with us, plus any period required for accounting, tax or legal obligations. When you delete your account, your data is removed from our live systems immediately and disappears from backup copies within 30 days. Form submissions follow the retention rules described above; spam-prevention blocklist entries added automatically expire after at most 60 days.

Your information additional rights

Depending on your location, you may have additional rights regarding your information, including:

  1. Access and portability: You can request a copy of your personal data provided to Static Contact by contacting us.
  2. Correction: You can update your personal data.
  3. Deletion: You can request Static Contact to delete your personal information, except where retention is required by law, by contacting us.
  4. Withdrawal of consent or objection to processing: You can request Static Contact to stop processing your personal data in certain situations by contacting us.

New Zealand Privacy Act 2020

As a New Zealand company we comply with the Privacy Act 2020 and its Information Privacy Principles. You have the right to access and correct personal information we hold about you. Our privacy officer can be reached at team@staticcontact.com. If you are not satisfied with our response to a privacy concern, you can complain to the Office of the Privacy Commissioner at privacy.org.nz.

GDPR

If you are a resident of the EEA, you have the right to access the Personal Information we hold about you, to port it to a new service, and to ask that your Personal Information be corrected, updated, or erased. If you would like to exercise these rights, please contact us through the contact information below.

CCPA

If you are a resident of California, you have the right to access the Personal Information we hold about you (also known as the ‘Right to Know'), to port it to a new service, and to ask that your Personal Information be corrected, updated, or erased. If you would like to exercise these rights, please contact us through the contact information below.

If you would like to designate an authorised agent to submit these requests on your behalf, please contact us at the address below.

How to Exercise Your Rights

To make such a request, contact Static Contact at team@staticcontact.com. All such requests are subject to verification of the identity of the requestor and the legitimacy of the request. We respond to all legitimate CCPA data requests within 45 days. We take steps to determine whether the request is legitimate, but this does not extend the 45 days. The time period to provide the information may be extended once by an additional 45 days when reasonably necessary, and in this case, we will notify you and keep you updated.

To the extent we act as the website's service provider (for example, when we process your submissions on their behalf), you can exercise your CCPA rights directly with the website(s) you use.

Your responsibilities as a form owner

If you use Static Contact to collect submissions from your visitors, you are the controller of that data. You are responsible for collecting it lawfully, for publishing your own privacy policy describing what you collect and why, and for honouring your visitors' requests for access, correction and deletion. Only use submission data for the purpose your visitors provided it; do not use it to send unsolicited messages.

You can withdraw your consent for processing of your information and use of the Services at any time. For instance, to stop email marketing, use the unsubscribe link found at the bottom of our marketing emails. To permanently delete your account, please email team@staticcontact.com requesting the closure of your account and deletion of your data. This deletion is permanent and your account cannot be reinstated. We will only keep information that we are required to by law.

Opt-Out & Unsubscribe

Static Contact sends both required service-related messages (such as transactional or legal notices) and optional newsletters. You can opt out of marketing communications by clicking the “unsubscribe” link in the messages you receive.

Children and minors

Static Contact does not knowingly collect personally identifiable information from children under the age of thirteen. If you are under the age of thirteen, you must ask your parent or guardian for permission to use this website.

Governing Law

Your information is provided to us in accordance with the laws of New Zealand.

Changes to this Statement

Static Contact updates this policy when our practices change, and we note material updates on our changelog. We encourage you to review it to stay informed about how we protect your information.

Contact Information

For inquiries regarding Static Contact's privacy practices, please contact Static Contact at team@staticcontact.com.

Last updated: June 7, 2026

© 2026 Static Contact. All rights reserved.