FormGPT

Privacy policy

Last updated: June 3, 2026

Introduction

This policy describes how FormGPT (“we”, “us”) collects, uses, and protects information when you use our website and services. By using FormGPT, you agree to this policy.

Information we collect

We may collect:

  • Account information when you sign in with Google, such as your Google profile identifier, name, email address, and profile image URL.
  • Form drafts and content you create or edit in the product, including titles, descriptions, and structured form JSON (questions, options, and related fields).
  • Files you upload for generation are processed to extract text for the AI step; we do not use uploads as a general-purpose file storage product. Treat uploads as sent for processing in line with our product documentation.
  • Google Forms integration — if you connect Google Forms, OAuth tokens and metadata needed to create or update forms on your behalf (see Google Forms integration).
  • Technical and usage data such as IP address, browser type, pages viewed, and in-app events we log to operate and improve the service and security.

How we use information

We use information strictly to operate, maintain, and provide the core features of FormGPT. Specifically, we use your information to:

  • Provide, maintain, and improve FormGPT features, including executing user-initiated AI-assisted generation, draft editing, and the direct export or appending of generated content to your Google Forms account.
  • Authenticate your identity, securely associate your account with your form drafts, and protect accounts from unauthorized access.
  • Send service-related messages, such as security notices, form export status reports, or material policy updates.
  • Process paid subscriptions securely through our third-party billing processor when you choose a paid plan.
  • Comply with applicable legal obligations and enforce our Terms of Service.

Google API Data Disclosure (Limited Use Compliance)

FormGPT’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

  • No Advertising: We strictly do not use Google user data for serving advertisements, retargeting, or any other marketing purposes.
  • No AI Model Training: We do not use, sell, or transfer your Google user data to train external machine learning or large language models (LLMs).
  • Human Review Restrictions: We do not allow humans to read your Google user data unless you grant explicit permission for troubleshooting, it is required for security purposes, or it is necessary to comply with legal obligations.

Sharing and disclosure of Google user data

We do not sell Google user data. We share, transfer, or disclose Google user data only as described below, and only as needed to run the service you use:

  • Google (Google LLC) — When you connect Google Forms and use export or append features, we call Google’s APIs under your account to create or update forms and related Drive files. We send form structure and content derived from your drafts (for example question text, options, and grading settings). Google processes that data under Google’s Privacy Policy. OAuth tokens are stored securely on our servers and used only to perform these API calls on your behalf.
  • OpenAI (third-party AI) — When you request AI generation, we send your written instructions and source text (including text extracted from files you upload) to OpenAI’s API to produce form drafts. If you use append-to-form, we may also send limited form context read from Google Forms via the API (for example existing title and question text) so the model can add new questions you asked for. We do not send your Google OAuth tokens, Google account password, or Google Forms refresh tokens to OpenAI. OpenAI processes requests under its own terms and safeguards; see OpenAI’s Privacy Policy.
  • Stripe, Inc. — If you subscribe to a paid plan, we use Stripe for checkout and billing. Stripe may receive your email address and payment-related information you provide at checkout. We do not send Google OAuth tokens to Stripe.
  • Hosting and database providers — We store account and application data (including Google profile fields, drafts, and encrypted OAuth tokens) on infrastructure we use to run FormGPT (for example cloud hosting and managed databases). These providers act as processors and access data only to host and operate the service.
  • Legal and safety — We may disclose information if required by law, court order, or to protect rights, safety, and security of users or the service.

We do not share Google user data with data brokers, ad networks, or parties for purposes unrelated to providing FormGPT.

AI processing

FormGPT does not operate its own large language model. We use a third-party AI service: OpenAI (API at api.openai.com). When you request generation, we send your instructions and source text (including text extracted from files you choose to upload) to OpenAI to produce structured form content (typically using the gpt-4o-mini model or a successor we configure for the same purpose). OpenAI processes that content under its own terms and safeguards.

AI processing is limited to building and improving form drafts inside FormGPT. Google account identifiers and Google Forms OAuth credentials are not included in AI requests. Do not submit sensitive personal data you are not comfortable having processed for this purpose.

Google Forms integration

Connecting Google Forms is optional and uses a separate Google permission flow from signing in to FormGPT with Google.

If you start the connection, you authorize us to call Google APIs under your Google account to create and update Google Forms and related Drive files when you export or publish. This is activated when you explicitly connect and use export features in the product.

OAuth scopes (as implemented):

  • Google Forms (https://www.googleapis.com/auth/forms.body) — create and edit form structure and content when you export or append questions.
  • Google Drive (https://www.googleapis.com/auth/drive.file) — create and manage Drive files for forms our application creates or accesses for those features (not full Drive access).

Who receives Google user data from us: see Sharing and disclosure of Google user data above (Google, OpenAI when you run AI features, infrastructure hosts, Stripe for billing, and legal disclosures when required).

What we store: credentials needed to perform exports on your behalf (for example a refresh token associated with your account), plus records that link your drafts to Google Form identifiers and export status.

What we send to Google: data derived from your draft (questions, options, grading-related fields where applicable) so a Google Form can be created or updated. Google processes that information under Google’s terms and privacy policy.

Disconnecting: Use the disconnect controls we provide. Revoking access in your Google Account permissions also stops our ability to call Google on your behalf. Forms already created in your Google account remain there unless you delete them in Google Drive or Google Forms.

Chrome extension

FormGPT offers an optional Chrome extension (“FormGPT AI Google Form Builder”) that works alongside our website. This section describes privacy when you install and use that extension. Unless stated otherwise below, the rest of this policy (account data, Google Forms integration, AI processing, and sharing) applies the same way when you use FormGPT through the extension as when you use formgpt.co in a browser tab.

What the extension does

  • Runs on Google Docs, Google Slides, and Google Forms pages you open, and opens a side panel that loads FormGPT web pages (for example create, append, sign-in, and onboarding) from formgpt.co (or our development host when applicable).
  • Lets you start AI form creation or append flows from the page you are editing, using the same FormGPT account and Google Forms connection as on the website.
  • Does not replace Google’s own terms or privacy policy for Docs, Slides, Forms, or your Google account.

Information the extension may access or store

  • Page context — The extension may read limited information from the active Google tab (such as whether you are on Docs, Slides, or Forms, and when you are on Forms, a form identifier from the URL) so it can open the correct FormGPT workflow. It does not read the full text of your documents in the background for unrelated purposes.
  • Local storage on your device — The extension uses Chrome’s storage permission for small, local preferences (for example panel state or onboarding hints). This data stays on your device unless you clear extension data or uninstall the extension.
  • Website session — When the side panel loads formgpt.co, our site may set cookies and session data as described in the Cookies and sessions section of this policy, so you can stay signed in. In some browser configurations, third-party or embedded contexts may limit cookies; you can always sign in on formgpt.co in a normal tab.
  • Account and form data — Prompts, uploads, drafts, exports, and Google API calls are handled by our web application servers, not stored separately by the extension package. See Google Forms integration and Sharing and disclosure of Google user data for how that data is used and shared.

Chrome permissions we request

  • Host accessdocs.google.com, slides.google.com, forms.google.com, and formgpt.co (plus local development hosts where listed in the extension manifest) so the side panel and in-page controls can run.
  • sidePanel, tabs, scripting — To show the FormGPT side panel and connect it to the Google page you have open.
  • storage — For local extension preferences on your device, as described above.

We do not use the extension to sell your data, show third-party ads in the extension UI, or collect browsing history outside the Google product pages and FormGPT URLs needed for the features above.

Removing the extension: Uninstalling the extension from Chrome removes its local storage on your device. It does not delete your FormGPT account or forms already in Google Drive; manage those on formgpt.co or in Google as usual. Revoking Google access is described under Google Forms integration.

Questions about the extension: [email protected]

Google API Services User Data Policy

FormGPT’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In summary: we use Google user data only to provide or improve user-facing features of FormGPT (sign-in, drafts, and optional Google Forms export/append), we do not transfer Google user data to third parties except as needed to provide those features (as described in Sharing and disclosure of Google user data), and we do not use Google user data for advertising, selling data, or unrelated purposes.

Other third-party services

We rely on service providers such as:

  • Google (sign-in and, when you connect, Google Forms and Google Drive APIs)
  • OpenAI (AI-assisted form generation)
  • Stripe (paid subscriptions, when you subscribe)
  • Hosting, database, and infrastructure partners that store and run the application

Cookies and sessions

We use cookies and similar technologies to keep you signed in, protect against abuse, and remember preferences. You can control cookies through your browser settings; disabling cookies may limit sign-in or certain features.

Data retention and security

We retain information as long as needed to provide the service and meet legal obligations. We use administrative, technical, and organizational measures designed to protect your information; no method of transmission or storage is completely secure.

Your rights

Depending on where you live, you may have rights to access, correct, delete, or export personal data, or to object to certain processing. To exercise these rights, contact us at the email below. We may need to verify your request.

Contact

Questions about this policy: [email protected]

Changes

We may update this policy from time to time. We will post the revised policy on this page and update the “Last updated” date. Material changes may be communicated through the product or by email where appropriate.