1
OneTap

Privacy Policy

PRIVACY POLICY FOR ONETAPFORMS BY CREATELEX LLC

Last updated: January 30, 2026

1. INTRODUCTION

1.1. CREATELEX LLC ("Company", "we", "us", "our") is committed to protecting the privacy and security of personal data. This Privacy Policy ("Policy") describes how we collect, use, disclose, and protect personal data in connection with OneTapForms, our biometric-authenticated form completion service (the "Service").

1.2. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with this Policy, please do not use the Service.

1.3. We process personal data in accordance with applicable data protection laws, including the California Consumer Privacy Act (CCPA) and other relevant privacy regulations.

2. INFORMATION WE COLLECT

2.1. We may collect the following types of personal data:

  1. Account information, including name, email address, and authentication credentials;
  2. Device information, including device identifiers, device names, and public keys for biometric authentication;
  3. Profile data that you choose to store securely on your device, including name, contact information, identity documents, and other data bundles you configure;
  4. Transaction data, including subscription information, payment details (processed securely through Stripe), and usage statistics;
  5. Request and approval data, including form completion requests, approval decisions, and data sharing history;
  6. Technical information, including IP address, browser type, operating system, and device identifiers;
  7. Information contained in communications sent to us through the Service;
  8. Any other personal data you choose to provide to us.

2.2. Important: Your profile data (name, contact information, documents, etc.) is stored locally on your registered devices and encrypted using device-specific keys. We do not have access to your encrypted profile data unless you explicitly approve a data sharing request.

2.3. If you provide personal data of another person, you must obtain that person's consent to both the disclosure and the processing of their personal data in accordance with this Policy.

3. PURPOSE OF DATA COLLECTION

3.1. We collect personal data for the following purposes:

  1. To provide and maintain the Service, including user account management, device registration, and subscription processing;
  2. To facilitate secure form completion requests and approvals using biometric authentication;
  3. To process payments and manage subscriptions;
  4. To send email notifications about your account, subscription status, and important service updates;
  5. To maintain the security of the Service, including fraud prevention and abuse detection;
  6. To comply with legal obligations and respond to legal requests;
  7. To improve and optimize the Service based on aggregated usage patterns;
  8. To provide customer support and respond to inquiries.

3.2. We will only collect personal data that is necessary for the purposes outlined above.

3.3. You may opt out of receiving marketing communications at any time by following the unsubscribe instructions in our emails or contacting us directly.

4. DATA STORAGE AND ENCRYPTION

4.1. Local Storage: Your profile data (name, contact information, documents, etc.) is stored locally on your registered iOS devices using secure keychain storage. This data is encrypted using device-specific cryptographic keys that we do not have access to.

4.2. Server Storage: We store account information, subscription data, device registrations, and request/approval metadata on secure servers. We do not store your encrypted profile data on our servers unless you explicitly approve a data sharing request, in which case it is transmitted securely using one-time tokens.

4.3. Biometric Data: We do not store biometric data (Face ID/Touch ID templates). Biometric authentication is handled entirely by your device's secure enclave and is never transmitted to our servers.

4.4. Data Sharing: When you approve a form completion request, your profile data is encrypted and transmitted to the requesting party using a one-time token. The token expires after use, ensuring data is only shared once per request.

5. DATA SHARING AND DISCLOSURE

5.1. We may disclose personal data to the following categories of recipients:

  1. Registered Clients: When you approve a form completion request, your profile data is securely transmitted to the registered client (website or application) that initiated the request. This sharing only occurs with your explicit biometric approval.
  2. Service Providers: Third-party service providers who facilitate our business operations, including but not limited to:
    • Supabase (authentication and database services)
    • Stripe (payment processing)
    • Cloudflare, Inc. (network security and content delivery)
    • Google LLC (infrastructure hosting and analytics)
    • Microsoft Corporation (infrastructure hosting)
  3. Legal and Regulatory Authorities: Where required by applicable law or regulation, or when necessary to establish, exercise, or defend our legal rights or protect the vital interests of any person;
  4. Business Transfers: Third parties in connection with a prospective or actual merger, acquisition, or sale of any part of our business assets, provided that the recipient agrees to handle the personal data in accordance with standards comparable to this Policy;
  5. Internal Operations: Our employees, officers, insurers, professional advisers, agents, suppliers, or subcontractors, insofar as reasonably necessary for the purposes articulated in this Policy.

5.2. We shall not disclose your personal data to any third party for their independent marketing purposes without your explicit prior consent.

5.3. We do not sell your personal data to third parties.

6. DATA RETENTION

6.1. We will retain personal data for as long as necessary to fulfill the purposes for which it was collected, including any legal, accounting, or reporting requirements.

6.2. For paid subscriptions, we are required under tax law to retain basic personal data (name, address, contact details) for a minimum of 7 years.

6.3. Account data will be retained until you delete your account or request deletion, subject to legal retention requirements.

6.4. Request and approval metadata may be retained for audit and security purposes, but your actual profile data shared in approvals is not retained on our servers after the one-time token exchange.

6.5. Personal data used for marketing purposes will be retained until you notify us that you no longer wish to receive such information.

7. YOUR RIGHTS

7.1. You have the following rights regarding your personal data:

  1. The right to access, rectify, erase, restrict processing, object to processing, and data portability;
  2. The right to withdraw consent at any time (where processing is based on consent);
  3. The right to delete your account and associated data (subject to legal retention requirements);
  4. The right to revoke device registrations and manage your registered devices;
  5. The right to lodge a complaint with a supervisory authority.

7.2. To exercise your rights, please contact us using the information provided in Section 11.

7.3. You can manage your account, devices, and subscription settings through the OneTapForms dashboard.

7.4. If you are not satisfied with our response or believe we are processing your personal data unlawfully, you may lodge a complaint with the appropriate data protection authority.

8. COOKIES AND TRACKING

8.1. Cookies: We employ cookies and similar tracking technologies to operate, personalize, and enhance the Service. Cookies are small text files stored on your computing device.

  1. Essential Cookies: Certain cookies are strictly necessary for the technical operation of the Service (e.g., session management, authentication). The deployment of these cookies does not require prior consent due to their essential nature for service delivery.
  2. Analytics Cookies: Subject to your explicit consent, we may deploy cookies to gather information regarding your interaction with the Service for analytics and performance monitoring purposes.

8.2. Consent: For the deployment of non-essential cookies, we shall solicit your explicit consent prior to such activities. You retain the right to manage your cookie preferences and withdraw consent at any time via browser settings.

8.3. Analytics Services: We utilize analytics capabilities provided by third-party services, including Google Analytics, to gain insights into usage patterns. The use and sharing of information collected by these services are governed by their respective privacy policies.

9. SECURITY

9.1. We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

9.2. Security measures include:

  • End-to-end encryption for data transmission
  • Device-specific cryptographic keys for local data storage
  • One-time tokens for secure data sharing
  • Biometric authentication requirements for approvals
  • Regular security audits and updates
  • Secure server infrastructure with access controls

9.3. However, no method of transmission over the Internet or electronic storage is completely secure. Therefore, we cannot guarantee absolute security of personal data. You are also responsible for maintaining the security of your account credentials and registered devices.

10. CHANGES TO THIS POLICY

10.1. We may update this Policy from time to time. Any changes will be posted on this page with an updated revision date.

10.2. We encourage you to review this Policy periodically to stay informed about how we collect, use, and protect personal data. Significant changes may also be communicated via email or through the Service.

10.3. Your continued use of the Service after any changes to this Policy constitutes acceptance of those changes.

11. CONTACT INFORMATION

11.1. The data controller is CREATELEX LLC, with its registered office at 13273 Fiji Way Unit 02-106, Marina Del Rey, CA, United States of America.

11.2. If you have any questions, concerns, or requests regarding this Policy or the processing of your personal data, please contact us at:

  • Email: [email protected]
  • Phone: 213-538-2918
  • Address: 13273 Fiji Way Unit 02-106, Marina Del Rey, CA, United States of America
View our Terms of Service