How TypelessForm Handles Your Data

Alex Isa, Lead Maintainer · Webappski

TypelessForm processes voice in memory and stores no recordings on our infrastructure. Audio is transmitted over TLS 1.2+, transcribed by OpenAI Whisper, mapped to your form by GPT, and released as soon as the API returns the JSON. We are GDPR-compliant; SOC 2 is on our roadmap (not yet certified); HIPAA is out of scope. Operational logs are retained up to 30 days; billing records up to 5 years per Polish accounting law.

Who operates TypelessForm?

TypelessForm is operated by Webappski. For the full legal entity, billing entity and Data Processing Agreement, see our canonical DPA and Privacy Policy. All security, privacy and compliance enquiries: info@webappski.com.

What happens when a user speaks?

  1. The user grants microphone permission to the page hosting the widget. The browser captures audio locally.
  2. The browser streams audio over TLS 1.2+ to the TypelessForm API (api.typelessform.com).
  3. The API forwards the audio to OpenAI Whisper for speech-to-text, then sends the resulting text to a GPT model that maps it to your HTML form fields.
  4. The API returns a structured JSON object containing the field values. The widget writes those values into the corresponding DOM inputs on your page.
  5. The API releases the memory holding the audio as soon as the JSON is returned. No persistent copy is written.

What data do we store?

Data class | Stored? | Notes
Raw voice recordings | No | Processed in memory, discarded as soon as the API returns the response.
Transcripts (text) | Operational logs only | Transcripts may appear in short-lived operational logs for service health and abuse prevention. Logs are retained up to 30 days, then deleted.
Form field values (mapped output) | No | Returned to your page in the API response; never written to our database. Once they reach your form, those values fall under your own privacy policy.
API key + usage counters + registered domains | Yes | API keys are stored as one-way SHA-256 hashes; the plaintext value is shown to the operator only once at creation. Request counts, timestamps and the per-key allow-listed domains are kept for the lifetime of the API key to enforce plan limits and detect abuse. No request bodies are retained.
Account email + display name (for API key issuance) | Yes | Stored on the Webappski portal (the issuing system that operates TypelessForm) at webappski.com/en/portal. Used solely for authentication and service notices.
Billing & invoice records | Yes — 5 years | Billing email, invoice data and subscription history are retained for 5 years per the Polish accounting and tax obligations (Ustawa o rachunkowości). Separate from operational logs.
Consent receipts | Yes — up to 24 months | Pseudonymous UUID, timestamp and a daily-rotating SHA-256(IP + date) hash — never raw IP — for GDPR Art. 7(1) proof of consent. Auto-deleted after 24 months.
Infrastructure security logs | Yes — 30 days | Timestamps, HTTP status codes, request duration, User-Agent and infrastructure IPs (logged by Google Cloud) for network security and abuse detection. Webappski acts as an independent Controller for this scope under GDPR Art. 6(1)(f) (legitimate interests). Auto-deleted after 30 days.

What does the widget refuse to send?

Personally identifiable information (PII) in high-risk fields is detected and removed before audio is sent to our API. The widget refuses voice input for the following, even when explicitly invoked:

  • Passwords (type="password")
  • Credit-card numbers (PAN, CVV, expiry)
  • Social-security numbers (SSN, NIN and equivalent national IDs)
  • One-time passwords (OTP, 2FA codes)
  • IBANs, passport numbers, driver-licence numbers and tax IDs
  • Hidden form fields (type="hidden")
  • File uploads (type="file")
  • CAPTCHA challenges
  • Special-category labels under GDPR Article 9 (medical records, health insurance, religious belief, political affiliation, trade-union membership) — filtered by a local denylist before any transmission to OpenAI. The denylist materially reduces but does not eliminate Art. 9 risk; Controllers must mark domain-specific sensitive fields with the opt-out attribute below and obtain explicit Art. 9(2)(a) consent where applicable (per DPA §4.4).

These fields must be typed.

Controller opt-out attribute: add data-ai-private to any additional form field to exclude it from voice capture entirely. Flagged fields are removed from the form structure before it reaches our API (per DPA §4.3).
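As an added illustration of the exclusion rules above (not TypelessForm's own widget code), the following client-side filter drops refused input types, data-ai-private fields and denylisted labels from the form structure before anything leaves the browser; the DOM stand-ins, the denylist patterns and the sample form are constructed for this example.

```javascript
// Added illustration of the exclusion rules described above; not TypelessForm's code.
const REFUSED_TYPES = new Set(["password", "hidden", "file"]); // never voice-filled

// Local denylist matched against name, id, autocomplete and label text before any
// transmission. Constructed for this example; a real list would be broader/localised.
const DENYLIST = [
  /\b(card|pan|cvv|cvc|expir\w*)\b/i,                  // payment card data
  /\b(ssn|nin|national[-_ ]?id)\b/i,                   // national identifiers
  /\b(otp|one[-_ ]?time|2fa|totp)\b/i,                 // one-time codes
  /\b(iban|passport|licen[cs]e|tax[-_ ]?id)\b/i,
  /\bcaptcha\b/i,
  /\b(medical|health|religio\w*|political|trade[-_ ]?union)\b/i, // GDPR Art. 9
];

function isSensitive(field) {
  if (REFUSED_TYPES.has(field.type)) return true;
  if (field.hasAttribute("data-ai-private")) return true;   // controller opt-out
  const text = [field.name, field.id, field.getAttribute("autocomplete"), field.label]
    .filter(Boolean).join(" ");
  return DENYLIST.some((re) => re.test(text));
}

// Sensitive fields are dropped from the structure entirely, not just blanked,
// so the API never learns they exist.
function buildFormStructure(fields) {
  return fields.filter((f) => !isSensitive(f))
               .map((f) => ({ name: f.name, type: f.type, label: f.label }));
}

// Constructed stand-in for DOM inputs so this runs outside a browser; in a real
// widget these would come from form.elements and their associated <label>s.
function fakeInput({ name, type = "text", label = "", attrs = {} }) {
  return { name, type, id: "", label,
           getAttribute: (k) => (k in attrs ? attrs[k] : null),
           hasAttribute: (k) => k in attrs };
}

const SAMPLE_FORM = [
  fakeInput({ name: "full_name", label: "Full name" }),
  fakeInput({ name: "email", type: "email", label: "Email" }),
  fakeInput({ name: "pw", type: "password", label: "Password" }),
  fakeInput({ name: "cc", label: "Card number", attrs: { autocomplete: "cc-number" } }),
  fakeInput({ name: "csrf", type: "hidden" }),
  fakeInput({ name: "notes", label: "Notes", attrs: { "data-ai-private": "" } }),
  fakeInput({ name: "insurer", label: "Health insurance provider" }),
];
```

Only full_name and email survive the filter; everything else is excluded by type, by the opt-out attribute, or by the denylist.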

How is data encrypted?

  • In transit: TLS 1.2+ on both legs — browser → TypelessForm API, and API → OpenAI. HSTS is enabled on typelessform.com and api.typelessform.com.
  • At rest: operational logs and account records are stored on managed infrastructure with disk-level encryption (Google Cloud Logging uses AES-256).
  • Audio at rest: not applicable — audio is not persisted.

Who are our sub-processors?

Sub-processors are third-party services Webappski uses to deliver TypelessForm. Each operates under a signed Data Processing Agreement (DPA) with Webappski. The canonical list lives in our Data Processing Agreement; the table below mirrors it.

Sub-processor | Purpose | Data handled | Region — transfer mechanism
OpenAI | Speech-to-text (Whisper) and field mapping (GPT) | Voice transcriptions (transient), filtered field metadata | United States — EU→US transfer covered by Standard Contractual Clauses (SCCs)
Google Cloud Platform | Widget infrastructure (Cloud Functions, Cloud Logging, Firestore) | Application logs (metadata only — no transcript text), infrastructure logs (IP, timestamps, error codes), client configs, consent receipts | European Union (europe-central2 / eur3)
Stripe, Inc. | Subscription billing for site operators | Payment method tokens, billing email, invoice data | EU / United States — SCCs + PCI DSS Level 1
Formspree | Contact form processing on webappski.com | Name, email, message content submitted via the contact form | United States — SCCs
Google Fonts (Google LLC) | Web font delivery on typelessform.com | IP address (HTTP request metadata) | Global CDN — EU-US Data Privacy Framework

OpenAI 30-day retention: while audio is dropped from our infrastructure after the response is returned, OpenAI retains audio and transcripts up to 30 days for its own abuse-monitoring under their API policy. We cannot expedite that deletion. Zero Data Retention (ZDR) with OpenAI is available on request for enterprise clients.

Sub-processor changes: 30 days' prior notice to B2B customers, with a 14-day objection window per DPA §5.4. Request the signed DPA at info@webappski.com, or read it directly at webappski.com/en/legal/dpa.

What compliance certifications does TypelessForm hold?

Current status:

  • GDPR: compliant. The widget is designed around data minimisation; voice is processed transiently, no recordings are stored, and deletion and access controls are documented below.
  • Personal-data breach notification: we send B2B customers (Controllers) a preliminary notice within 24 hours of becoming aware of a confirmed personal-data breach, followed by detailed incident information within 48 hours (per DPA §5.6). Under GDPR Article 33, the Controller (you) is responsible for notifying the relevant supervisory authority within 72 hours; we provide the technical details required for that filing.
  • SOC 2: not yet certified. SOC 2 is on our roadmap; certification timing depends on audit-readiness milestones. Request our current security questionnaire at info@webappski.com. The report will be linked from this page when issued.
  • HIPAA: not in scope. TypelessForm is not marketed for protected-health-information (PHI) use cases and is not configured as a HIPAA Business Associate.
  • PCI-DSS: not in scope. The widget never captures card numbers (see PII exclusions above).

How do users and operators delete data?

  • End users: if you submitted form data to a site that uses TypelessForm and want it deleted, contact the operator of that site. We do not retain the form values; they live with the site that runs the widget.
  • Site operators: account, API-key and operational-log deletion can be requested from info@webappski.com. We complete deletion requests within 30 days.
  • Data Subject Access Request (DSAR): a DSAR lets data subjects request access to or deletion of personal data we hold. Portal account holders email info@webappski.com; we respond within the GDPR Art. 12(3) 30-day window. For DSARs forwarded by B2B Controllers, we provide processor assistance within 7 business days per DPA §5.5.

How do I report a security vulnerability?

Responsible disclosure is welcome. Email info@webappski.com with a clear reproduction path. We acknowledge within 7 business days (matching our DPA §5.5 inquiry response window) and will not pursue good-faith research that follows the OWASP Vulnerability Disclosure Cheat Sheet.

Frequently asked questions

Does TypelessForm store raw voice recordings?

On Webappski infrastructure: No. Audio exists only in memory during transcription (typically 1–5 seconds) and is never written to disk or logs. On OpenAI (our speech-to-text sub-processor): up to 30 days for abuse monitoring per OpenAI API policy. Zero Data Retention (ZDR) with OpenAI is available on request for enterprise clients.

Is TypelessForm GDPR compliant?

Yes. TypelessForm is designed around GDPR data minimisation: voice is processed transiently on Webappski infrastructure (no recordings stored), DSAR access and deletion controls are provided, and infrastructure logs are kept 30 days. For personal-data breaches we send B2B Controllers a preliminary notice within 24 hours and detailed incident information within 48 hours (per DPA §5.6). Under GDPR Article 33, the Controller is responsible for notifying the supervisory authority within 72 hours; we provide the technical details required.

What encryption does TypelessForm use?

TLS 1.2+ on both legs: browser → TypelessForm API, and API → OpenAI. HSTS is enabled on typelessform.com and api.typelessform.com. Operational logs and account records use disk-level encryption at rest (Google Cloud Logging uses AES-256). API keys are stored as one-way SHA-256 hashes.

Is TypelessForm SOC 2 certified?

Not yet. SOC 2 is on our roadmap; certification timing depends on audit-readiness milestones. Request our current security questionnaire at info@webappski.com. The report will be linked from this page when issued.

Can TypelessForm be used for HIPAA or protected-health-information workloads?

No. TypelessForm is not marketed for PHI use cases and is not configured as a HIPAA Business Associate.

What PII does the TypelessForm widget refuse to capture by voice?

Passwords, credit-card numbers (PAN, CVV, expiry), social-security numbers and equivalent national IDs, one-time passwords and 2FA codes, IBANs, passport numbers, driver-licence numbers, tax IDs, hidden form fields, file uploads, CAPTCHA challenges, and GDPR Article 9 special-category labels (medical records, health insurance, religious belief, political affiliation, trade-union membership). The Article 9 denylist is not exhaustive; Controllers can mark any additional field with the data-ai-private HTML attribute to exclude it from voice capture entirely (per DPA §4.3).

Who are TypelessForm sub-processors?

OpenAI (Whisper speech-to-text and GPT field mapping; US, EU→US transfer covered by Standard Contractual Clauses); Google Cloud Platform (widget infrastructure — Cloud Functions, Cloud Logging, Firestore; EU regions europe-central2 / eur3); Stripe, Inc. (subscription billing; EU/US, SCCs and PCI DSS Level 1); Formspree (contact form on webappski.com; US, SCCs); Google Fonts (web font delivery; global CDN under EU-US Data Privacy Framework). Canonical list at https://webappski.com/en/legal/dpa.

How do I request data deletion from TypelessForm?

Portal account holders email info@webappski.com from the address tied to their API key; we respond within the GDPR Art. 12(3) 30-day window. For DSARs forwarded by B2B Controllers, we provide processor assistance within 7 business days per DPA §5.5. Billing/invoice records may be retained 5 years per Polish accounting law (separate from operational logs).

How do I report a security vulnerability in TypelessForm?

Email info@webappski.com with a clear reproduction path. We acknowledge within 7 business days (matching our DPA §5.5 inquiry response window) and follow the OWASP Vulnerability Disclosure Cheat Sheet.

Last reviewed: .