Forma360

Privacy Policy

Last updated: 17 June 2026

Forma360 (“we”, “us”, “our”) operates the Forma360 operational-excellence platform at https://forma360.io, including its AI assistant on the web and over WhatsApp. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have. We are the data controller for the personal data described below.

If you have any questions about this policy or how we handle your data, contact us at privacy@forma360.io.

1. Who this policy covers

This policy applies to people who create or use a Forma360 account, members of organisations (“tenants”) that use Forma360, and anyone who contacts our AI assistant — including over WhatsApp.

2. Data we collect

We collect the following categories of personal data:

  • Account data: your name, email address, and (optionally) phone number, plus your role and permissions within your organisation.
  • Operational data you enter: inspections, issues, corrective actions, assets, documents, schedules and related content created within your organisation’s workspace.
  • AI assistant conversations: the messages you send to the assistant and the responses it generates, stored so you can review your conversation history.
  • WhatsApp data: if you message our assistant on WhatsApp, we receive your WhatsApp phone number, your message content, and basic metadata (such as timestamps) from the WhatsApp Business Platform, in order to identify your account and reply to you.
  • Technical data: log data, request identifiers, and error diagnostics used to operate, secure and debug the service.

3. How we use your data

We use personal data to:

  • Provide, maintain and secure the Forma360 platform and your organisation’s workspace.
  • Operate the AI assistant: match your WhatsApp number to your Forma360 account, scope requests to your organisation’s data, generate answers, and send replies.
  • Authenticate you (passwordless email one-time codes) and manage permissions.
  • Send service communications, such as verification codes and notifications you have configured.
  • Diagnose problems, prevent abuse, and improve the service.
  • Comply with legal obligations.

4. Legal bases (UK/EU GDPR)

We rely on the following legal bases: performance of a contract (to provide the service to you and your organisation); our legitimate interests (to secure, operate and improve the service); your consent where required; and compliance with legal obligations. Where our legitimate interests apply, we have assessed that they are not overridden by your rights.

5. The AI assistant and third-party AI processing

To generate answers, the assistant sends the relevant conversation and a scoped, read-only summary of your organisation’s data to our AI model provider, Anthropic, which processes it to produce a response. We do not use your data to train third-party models. The assistant only retrieves data belonging to your own organisation.

6. WhatsApp messaging

Our WhatsApp assistant is provided through the WhatsApp Business Platform operated by Meta. When you message us on WhatsApp, Meta processes your message to deliver it to us and to deliver our replies to you, in accordance with Meta’s and WhatsApp’s own terms and privacy policies. We use your WhatsApp number solely to identify your Forma360 account and to respond to you. You can stop messaging the assistant at any time, and you can ask us to unlink your number (see “Your rights” and our Data Deletion page).

7. Sharing and sub-processors

We do not sell your personal data. We share it only with service providers (“sub-processors”) that help us run the platform, under contracts that require them to protect it:

  • Anthropic — AI model processing for the assistant.
  • Meta Platforms / WhatsApp — delivery of WhatsApp messages.
  • Cloud infrastructure and database hosting providers — to run the application and store data.
  • Object storage and email delivery providers — for file attachments and transactional email.
  • Error-monitoring and logging providers — to keep the service reliable and secure.
  • We may also disclose data where required by law, or to protect our rights, users or the public.

8. International transfers

Some of our providers process data outside the UK/EEA. Where that happens, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or an adequacy decision.

9. Retention

We keep personal data for as long as your account or your organisation’s workspace is active, and as needed to provide the service. Conversation history is retained until you or your organisation delete it. When data is no longer needed, we delete or anonymise it. We may retain limited records where required for legal, security or accounting purposes.

10. Security

We use technical and organisational measures to protect personal data, including encryption in transit, strict tenant isolation, role-based access controls, and signed, verified webhooks for WhatsApp traffic. No system is perfectly secure, but we work continuously to protect your data.

11. Your rights

Subject to applicable law, you have the right to access, correct, delete, or port your personal data, to object to or restrict certain processing, and to withdraw consent. To exercise these rights — including unlinking your WhatsApp number or deleting your data — contact us at privacy@forma360.io or see our Data Deletion page. You also have the right to complain to your data protection authority (in the UK, the Information Commissioner’s Office).

12. Children

Forma360 is a workplace tool and is not directed to children. We do not knowingly collect data from anyone under 16.

13. Changes to this policy

We may update this policy from time to time. We will change the “last updated” date above and, where appropriate, notify you. Continued use of the service after an update means you accept the revised policy.

14. Contact us

Forma360, Milton Avenue 23, London, N6 5QF, United Kingdom. Email: privacy@forma360.io.