Privacy Policy

Prodactive Software ("we," "us," or "our") operates the website at https://prodactive-software.com and provides software products distributed through the monday.com marketplace, including Item to Form. This Privacy Policy describes how we collect, use, disclose, and protect information when you visit our website or use our products and services.

This policy applies to all users of our services, including monday.com account administrators who install our applications, team members who interact with our applications within monday.com, and end users who submit data through forms generated by Item to Form.

By accessing or using our services, you agree to the collection and use of information in accordance with this policy. If you do not agree with any part of this policy, please do not use our services. Our services are also subject to the monday.com Developer Terms and monday.com Privacy Policy.

We use the information we collect to:

• Provide, maintain, and improve our products and services, including generating forms from monday.com board data and processing form submissions.
• Respond to your inquiries, support requests, and feedback.
• Send you important notices, such as service updates, security alerts, and changes to our terms or policies.
• Analyze usage patterns to improve user experience, fix bugs, and develop new features.
• Detect, prevent, and address fraud, abuse, and technical issues.
• Comply with legal obligations and enforce our terms of service.

We do not sell your personal information. We may share your information only in the following circumstances:

• monday.com platform: Our products operate within the monday.com ecosystem. Form submissions and item data are transmitted between our services and monday.com's API to provide the core functionality of Item to Form. monday.com's own privacy policy governs data stored on their platform.
• Service providers (subprocessors): We work with trusted third-party providers who process data on our behalf. These subprocessors are contractually obligated to protect your data and may only use it to perform services on our behalf. Our current subprocessors include SendGrid (by Twilio) for email and SMS delivery, cloud hosting providers for infrastructure, and analytics services for anonymous usage data.
• Legal requirements: We may disclose your information if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
• Business transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

Our applications interact with and depend on the following third-party services. This information is provided in accordance with monday.com's marketplace transparency requirements:

• monday.com API (api.monday.com) — Core platform integration for reading board data and writing form submissions.
• SendGrid by Twilio (sendgrid.com) — Email and SMS delivery service, used as a subprocessor. SendGrid processes recipient email addresses, phone numbers, and message content only when you choose to enable email or SMS notifications in your form configuration. No data is sent to SendGrid unless you explicitly activate this feature. SendGrid's privacy practices are governed by the Twilio Privacy Policy.
• Cloud hosting provider — Application infrastructure and data storage.
• Analytics services — Anonymous usage analytics to improve our products. No personally identifiable information is shared with analytics providers.

These third-party services act as subprocessors under applicable data protection laws (including GDPR). Each is governed by its own terms of service and privacy policy, and each is contractually bound to process your data only as instructed by us and to maintain appropriate technical and organizational security measures. We carefully vet all subprocessors before engagement.

We use the following types of cookies:

• Essential cookies (HttpOnly): Required for core functionality such as authentication, session management, and security. These cookies are HttpOnly and are not accessible to client-side scripts. They cannot be disabled without affecting core service functionality.
• Analytics cookies: Help us understand how visitors interact with our website by collecting and reporting information anonymously. These cookies are only set with your consent.
• Preference cookies: Remember your settings and preferences to provide a more personalized experience. These cookies are only set with your consent.

We do not use tracking cookies or similar technologies that track users outside the scope of our applications. Any non-essential cookies require your explicit consent before being set, in compliance with applicable cookie legislation including the ePrivacy Directive (EU) and similar regulations.

You can control cookies through your browser settings or through our cookie consent mechanism. Disabling essential cookies may affect the functionality of our services.

We implement industry-standard security measures to protect your information, including:

• Encryption of data in transit using TLS 1.2 or higher.
• Encryption of personally identifiable information (PII) at rest using industry-standard encryption algorithms.
• Encrypted storage of all monday.com access tokens and application secrets. Secrets are never stored in code repositories.
• HSTS (HTTP Strict Transport Security) enabled on all domains.
• Input validation and sanitization on all user-supplied data to protect against injection attacks.
• Regular security assessments, vulnerability testing, and Burp security scans on all application domains.
• Access controls that limit employee access to personal data on a need-to-know basis.
• Secure OAuth 2.0 authentication for monday.com API integrations, with JWT verification using the application signing secret.

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining the highest practicable standards.

We retain your personal information only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law. Specifically:

• Account data: Retained for the duration of your active use of our services and for a reasonable period thereafter to allow for reactivation.
• Form submission data: Processed in real time and transmitted to monday.com. We do not retain form submission content beyond the time needed to complete the submission.
• Usage and analytics data: Retained in aggregated or anonymized form for up to 24 months for product improvement purposes.
• Support communications: Retained for up to 36 months after the last interaction to provide continuity of service.

When you uninstall, deauthorize, or otherwise terminate our application from monday.com, we will permanently delete all end-user data and metadata collected, transmitted, created, or received by the application within 10 days, in accordance with monday.com's marketplace developer requirements. This includes your account data, configuration settings, and any associated metadata. Data required for legal compliance (such as billing records) may be retained longer as required by applicable law.

Depending on your location, you may have the following rights regarding your personal information:

To exercise any of these rights, please contact us through our contact page. We will respond to your request within 30 days.

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us immediately.

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your jurisdiction. When we transfer your data internationally, we implement appropriate safeguards, including standard contractual clauses approved by relevant authorities, to ensure your information is protected in accordance with this policy.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, providing additional notice (such as an in-app notification or email).

We encourage you to review this policy periodically. Your continued use of our services after any changes constitutes your acceptance of the updated policy.