Privacy Policy

Prodactive Software ("we," "us," or "our") operates the website at https://prodactive-software.com and provides software products distributed through the monday.com marketplace, including Item to Form. This Privacy Policy describes how we collect, use, disclose, and protect information when you visit our website or use our products and services.

This policy applies to all users of our services, including monday.com account administrators who install our applications, team members who interact with our applications within monday.com, and end users who submit data through forms generated by Item to Form.

By accessing or using our services, you agree to the collection and use of information in accordance with this policy. If you do not agree with any part of this policy, please do not use our services. Our services are also subject to the monday.com Developer Terms and monday.com Privacy Policy.

We use the information we collect to:

• Provide, maintain, and improve our products and services, including generating forms from monday.com board data and processing form submissions.
• Respond to your inquiries, support requests, and feedback.
• Send you important notices, such as service updates, security alerts, and changes to our terms or policies.
• Analyze usage patterns to improve user experience, fix bugs, and develop new features.
• Detect, prevent, and address fraud, abuse, and technical issues.
• Comply with legal obligations and enforce our terms of service.

We do not sell your personal information. We may share your information only in the following circumstances:

• monday.com platform: Our products operate within the monday.com ecosystem. Form submissions and item data are transmitted between our services and monday.com's API to provide the core functionality of Item to Form. monday.com's own privacy policy governs data stored on their platform.
• Service providers (subprocessors): We work with trusted third-party providers who process data on our behalf. These subprocessors are contractually obligated to protect your data and may only use it to perform services on our behalf. Our current subprocessors include cloud hosting providers for infrastructure and Cloudflare for content delivery and reverse-proxying of the public form domain.
• Legal requirements: We may disclose your information if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
• Business transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

Our applications interact with and depend on the following third-party services. This information is provided in accordance with monday.com's marketplace transparency requirements:

• monday.com API (api.monday.com) — Core platform integration for reading board data and writing form submissions.
• Cloud hosting provider — Application infrastructure and data storage.
• Cloudflare — Content delivery and reverse proxy for the public form domain (i2f.prodactive-software.com).

These third-party services act as subprocessors under applicable data protection laws (including GDPR). Each is governed by its own terms of service and privacy policy, and each is contractually bound to process your data only as instructed by us and to maintain appropriate technical and organizational security measures. We carefully vet all subprocessors before engagement.

The application authenticates requests using tokens passed in request headers, not browser cookies, and does not set authentication or session cookies. We do not use analytics, advertising, or cross-site tracking cookies or similar technologies.

Where strictly necessary, essential cookies may be used to support core website functionality. Any non-essential cookies would require your explicit consent before being set, in compliance with applicable cookie legislation including the ePrivacy Directive (EU) and similar regulations.

You can control cookies through your browser settings.

We implement industry-standard security measures to protect your information, including:

• Encryption of data in transit using TLS 1.2 or higher.
• Encryption of personally identifiable information (PII) at rest using industry-standard encryption algorithms.
• Encrypted storage of all monday.com access tokens and application secrets. Secrets are never stored in code repositories.
• HSTS (HTTP Strict Transport Security) enabled on all domains.
• Input validation and sanitization on all user-supplied data to protect against injection attacks.
• Regular security assessments, vulnerability testing, and Burp security scans on all application domains.
• Access controls that limit employee access to personal data on a need-to-know basis.
• Secure OAuth 2.0 authentication for monday.com API integrations, with JWT verification using the application signing secret.

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining the highest practicable standards.

We retain your personal information only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law. Specifically:

• Account data: Retained for the duration of your active use of our services and for a reasonable period thereafter to allow for reactivation.
• Form submission data: Processed in real time and transmitted to monday.com. We retain submitted content only as needed to provide Item to Form workflows, completion review, and auditability, and we delete it under the form-completion and account-deletion controls described in this policy.
• Operational and diagnostic logs:Retained for a limited period for security, auditability, and troubleshooting, then rotated or deleted by the platform logging system.
• Support communications: Retained for up to 36 months after the last interaction to provide continuity of service.

When you uninstall or remove our application from monday.com and we receive the supported monday.com lifecycle event, we place the account in a 7-day soft-delete recovery window after recording the deletion request. During that window, the application rejects account-scoped requests for the affected account with HTTP 410 Gone and stops accepting new submissions, emails, automations, and API calls. In-flight writes during the transition are included in the hard-delete purge.

After the recovery window, an idempotent purge worker permanently deletes end-user data and metadata collected, transmitted, created, or received by the application from primary application stores within 10 days of the uninstall or removal event. This includes account data, form configuration, submissions, queued files, access tokens, service tokens, usage counters, and associated metadata. Data required for legal compliance (such as billing records) may be retained longer as required by applicable law.

Encrypted MongoDB backup snapshots are managed by monday.code's platform backup service per its platform retention policy. Application code has no access to backup contents, and backup-resident data automatically expires according to that platform policy. We do not maintain any third-party off-platform backups containing end-user data.

Application audit logs emitted after deletion reference deleted accounts only through a one-way HMAC-SHA256 hash of the account identifier. Raw account or user identifiers do not appear in post-deletion audit logs.

Depending on your location, you may have the following rights regarding your personal information:

To exercise any of these rights, please contact us through our contact page. We will respond to your request within 30 days.

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us immediately.

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your jurisdiction. When we transfer your data internationally, we implement appropriate safeguards, including standard contractual clauses approved by relevant authorities, to ensure your information is protected in accordance with this policy.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, providing additional notice (such as an in-app notification or email).

We encourage you to review this policy periodically. Your continued use of our services after any changes constitutes your acceptance of the updated policy.