This Privacy Policy explains how Rosevine Technology Services (“Rosevine Technology Services,” “we,” “us”) handles information in connection with Overture Forms (the “Service”). It covers both the people who administer Overture Forms workspaces and the people who submit forms built on the Service.
1. Controller and processor roles
For data our customers collect through their forms (“Submission Data”), our customer is the controller and Rosevine Technology Services acts as a processor that handles that data on the customer’s behalf. For account and billing information about our customers, we act as the controller.
2. Information we process
- Account information — name, work email, organization, and identity-provider identifiers used to authenticate administrators (for example, via Microsoft Entra ID).
- Submission Data — the field values that end users enter into a customer’s forms, along with limited technical metadata such as submission time, locale, IP address, and user agent.
- Usage and audit data — records of form configuration changes and of staff access to submissions, retained as an append-only audit trail.
- Billing data — plan, usage counts, and contact details needed to invoice paid accounts.
3. How we use information
We process information to:
- provide, secure, and maintain the Service;
- deliver form submissions to the recipients and webhooks a customer configures, and send autoresponders where enabled;
- authenticate users and enforce role-based access controls;
- meter usage, bill accounts, and provide support; and
- maintain audit logs and detect, prevent, and respond to security incidents.
4. Sub-processors
We use a small set of infrastructure providers to run the Service, including Amazon Web Services (hosting, storage, and secrets management) and SendGrid (email delivery). These providers process data only as needed to provide their services to us.
5. Sensitive and health data
The Service is built to a HIPAA-grade standard. Fields a customer marks as protected health information are masked in notification emails, and staff access to submission data is logged. Customers handling protected health information are responsible for configuring their forms appropriately and for entering into any required agreements with us.
6. Data retention
Submission Data is retained for as long as the customer’s workspace keeps it or as required to provide the Service, after which it may be deleted. Audit records are retained as an append-only log to support security and compliance.
7. Security
We use industry-standard safeguards, including encryption in transit, least-privilege access controls, and storage of delivery credentials in a dedicated secrets manager rather than in application databases. No method of transmission or storage is perfectly secure, but we work to protect your data and to limit access to it.
8. Your choices and rights
Depending on your location, you may have rights to access, correct, export, or delete personal data. Because much of the data we process is controlled by our customers, requests about Submission Data are generally directed to the relevant customer; we will assist our customers in responding to such requests.
9. Changes to this Policy
We may update this Policy from time to time. Material changes will be reflected by the “last updated” date above and, where appropriate, communicated to customers.
10. Contact
Privacy questions can be sent to privacy@overtureforms.com.
This page is provided as a general template and does not constitute legal advice. Rosevine Technology Services should have this Policy reviewed by qualified counsel before relying on it.