Privacy Policy
ProxForm is built so there is almost nothing to write a privacy policy about — patient data never reaches us. This page states exactly what is and isn't collected, where it lives, and your rights. Plain language, no dark patterns.
Last updated: 16 May 2026. This is a factual description of how the software behaves; it is not legal advice.
Who we are
ProxForm is operated by Artivicolab (the "data controller" for the limited data described below). To reach us, . Website: artivicolab.com.
- For patient data, we are not the controller. Patient answers never reach Artivicolab. The clinician (or business) who builds and sends a form is the data controller for whatever they collect and choose to keep on their own device. ProxForm is the tool, not the holder.
What the app and patient pages collect
Nothing reaches a server. The form builder, the clinician dashboard, and the patient form page (app.html, fill.html) have no backend. There is no ProxForm server, database, log, or API that receives patient data.
- No accounts. No registration, no login, no identifier we could tie to a person.
- No cookies on the app or patient pages. No tracking pixels, no third-party scripts, no analytics, no telemetry.
- Answers travel peer-to-peer. A patient's answers go directly from their browser to the clinician's browser over an end-to-end-encrypted WebRTC channel (PBKDF2 + AES-256-GCM on the handshake, DTLS 1.3 on the channel). They are never uploaded to, relayed through, or stored by Artivicolab — because there is nothing on our side to store them on.
- The only network call the app makes off the peer connection is a WebRTC STUN request (to discover a network path). No data content is sent in it.
What is stored on your own device
ProxForm uses your browser's local storage on your device only. None of it is transmitted to us.
- IndexedDB (clinician's device): saved form templates, in-progress drafts, received submissions, and dormant-session metadata. This sits in the clinician's browser like a paper file in their own cabinet. Clearing browser data deletes it. The clinician controls retention; the in-app End shift button wipes patient data on demand.
- IndexedDB (patient's device): a partially-filled answer draft so a refresh doesn't lose input. It is cleared automatically on successful submission.
- localStorage keys:
proxform_theme(light/dark), the privacy-shield timeout, the ticket counter, and — set only on the public landing page —proxform_ga_consent(your "granted" or "denied" choice for analytics). No personal data, no tracking IDs.
Analytics on the landing page only
The public marketing landing page (/) offers Google Analytics 4 solely to count visits. It is opt-in.
- Nothing loads until you click "Accept" on the consent banner. Click "Decline" and Google Analytics is never loaded — no Google cookie, no Google network request.
- Scope: this analytics runs only on the landing page. It does not run on the app, the patient form page, or the GDPR/HIPAA pages. Patient data is never in scope.
- If you accept: Google LLC acts as a processor for aggregate visit measurement. IP anonymization is enabled and Google advertising/ad-personalization signals are disabled. Google then sets its own cookies on the landing page; Google's handling is governed by Google's privacy policy.
- Changing your mind: clear the
proxform_ga_consentkey in your browser (or your site data for this origin) and the consent banner returns on your next landing-page visit.
Legal basis (GDPR)
- Landing-page analytics: your explicit consent (Article 6(1)(a)), captured by the banner and withdrawable at any time.
- Local device storage (theme, drafts, forms, submissions): not a processing activity by Artivicolab — the data never leaves your device and we never receive it. Where a clinician keeps submissions locally, that clinician is the controller under their own legal basis (e.g. provision of care / their own consent and contracts).
- No profiling, no automated decision-making, no selling of data. We don't have the data to do any of that.
Your rights
Under the GDPR and similar laws you have rights of access, rectification, erasure, restriction, portability, and objection.
- For data on your device: you already hold and control it directly. Clear your browser storage (or use End shift in the app) to erase it instantly — no request to us needed, because we don't have a copy.
- For landing-page analytics consent: withdraw consent any time as described above; aggregate analytics data holds no identifier we can tie back to you.
- To ask a question or make a request to Artivicolab: . You also have the right to lodge a complaint with your local data-protection authority.
Third parties & transfers
- Patient data: no third parties, no transfers. It goes browser-to-browser between the two participants and nowhere else.
- Landing page only: Google Analytics (Google LLC) — only after consent. The site is hosted as static files on GitHub Pages, which serves the public marketing pages; static hosting does not give the host access to patient data because no patient data passes through the site's pages.
- No advertising networks, no data brokers, no CRM, no email marketing platform.
Children, retention, changes
- Children: ProxForm is a tool for professionals; it is not directed at children. Any form a clinician creates for or about a minor is the clinician's responsibility under their own legal basis.
- Retention: we retain no patient data (we never receive it). Aggregate landing-page analytics follow Google's GA4 retention settings. Local device data persists until the user clears it.
- Changes: if this policy changes materially, the "Last updated" date above changes and the consent banner is re-shown if the analytics terms change.
Questions?
If your DPO or compliance team needs a written statement, . For the full architectural detail behind these claims, see the GDPR page and the HIPAA page.