Legal & Privacy.

1.1 — Acceptance of terms

By creating an account, signing in, or accessing PyForm (the "Service") at pyform.dev, you (the "User") enter a binding agreement with FormHK (the "Operator"). If you do not accept these Terms, you must stop using the Service. These Terms apply equally to free, paid, and school-licensed accounts, and supersede any prior agreement regarding the subject matter.

1.2 — Eligibility

You may use PyForm only if all of the following are true:

• You are at least 13 years old, or you are younger but have verifiable parental / legal-guardian consent.
• You have legal capacity to enter this contract in your jurisdiction.
• You are not barred from receiving our services under any applicable export-control, sanctions, or computer-misuse law.
• If you are registering on behalf of a school, college, or organisation, you warrant that you are authorised to bind that entity to these Terms.

1.3 — Your account

You are responsible for all activity that occurs under your account, including any content uploaded, code executed, or API calls made. You must:

• Provide accurate registration information and keep it current.
• Keep your password and session tokens confidential — do not share them with another person.
• Use only one account, unless you have written permission for multi-account use (e.g. teacher + student accounts).
• Notify us immediately at info@formhk.com if you suspect unauthorised access.

1.4 — Licence to use PyForm

Subject to these Terms and your compliance with them, we grant you a worldwide, non-exclusive, non-transferable, non-sublicensable, revocable licence to access and use PyForm for:

• Personal educational use (learning Python, preparing for HKDSE ICT, hobby projects).
• Authorised classroom or tutorial use within a licensed school account.
• Light commercial research use within the bounds of your tier's fair-use allowance.

1.5 — Changes to the Service

The Service evolves continuously. We may add, change, or remove features at our discretion. For material changes that reduce the functionality you have paid for, we will provide at least 30 days' advance notice via email or in-product notification, and offer a pro-rata refund option where required by law.

1.6 — Suspension and termination

We may suspend or permanently terminate your account, with or without notice, if:

• You violate these Terms or the Acceptable Use Policy (§03).
• Your activity exposes the Service, other users, or our providers to legal, security, or performance risk.
• We are required to do so by court order, subpoena, or mandatory law.
• Your payment fails and is not cured within 14 days.

You may terminate at any time by deleting your account from Account Settings. After termination, licences granted to you cease immediately; however, §§1.9, 1.10, 1.11, 05, and 08 survive.

1.7 — Third-party services

PyForm integrates with third parties (Supabase, Vercel, Google OAuth, Stripe, Zhipu AI, Moonshot AI). Your use of those integrations is additionally governed by the relevant provider's terms. We are not responsible for third-party outages, defects, or policy changes.

1.8 — Beta features

Features tagged Beta or Closed Beta are provided as-is, may change or disappear without notice, and carry no availability SLA. You agree not to publicly benchmark or disparage beta performance.

1.9 — Disclaimer of warranties

The Service is provided "AS IS" and "AS AVAILABLE" without warranties of any kind, express, implied, or statutory, including (without limitation) warranties of merchantability, fitness for a particular purpose, non-infringement, uninterrupted operation, or accuracy of AI-generated content. AI output (FORM AI tutor hints, grading, generated tasks) may contain errors and must not be relied on as professional advice.

1.10 — Limitation of liability

To the maximum extent permitted by law, neither FormHK nor its directors, employees, contractors, or providers are liable for any indirect, incidental, special, consequential, punitive, or exemplary damages, including (without limitation) lost profits, lost data, loss of goodwill, or business interruption, even if we have been advised of the possibility. Our aggregate liability for any claim is capped at the greater of (a) HK$500 or (b) the amount you paid us in the twelve months before the event giving rise to the claim.

1.11 — Governing law and disputes

These Terms and any dispute arising out of or in connection with them are governed by the laws of the Hong Kong Special Administrative Region, without regard to conflict-of-law rules. The Hong Kong courts have exclusive jurisdiction, subject to any mandatory consumer-protection rules in your place of habitual residence.

1.12 — Entire agreement, severability

These Terms, together with the Privacy Policy (§02), Acceptable Use Policy (§03), and any order form you accept, constitute the entire agreement between you and FormHK regarding the Service. If any provision is found unenforceable, the remainder remains in full force.

2.1 — Our privacy promise

Your code is yours. We do not read it. We do not train AI on it. We do not sell it, rent it, share it with advertisers, or expose it to any third party except the minimum infrastructure we rely on to store and deliver it back to you. Privacy is not an add-on — it is the default behaviour of every system we build.

2.2 — Data we collect

2.3 — Legal bases (GDPR / equivalent)

• Contract — we process account, content, and billing data to perform the Service you signed up for.
• Legitimate interest — security, fraud prevention, diagnostic logs.
• Consent — optional features such as email updates about product launches.
• Legal obligation — tax, accounting, court orders.

2.4 — How we secure your data

• Row-Level Security (RLS). Every table in our Supabase PostgreSQL database enforces RLS policies that restrict every row to the authenticated owner. Even a compromised API key cannot read another user's data.
• TLS 1.3 everywhere. All traffic between your browser, our edge, and our database is encrypted with modern ciphers.
• At-rest encryption. Supabase storage is AES-256 encrypted; backups are encrypted with rotating keys.
• Bcrypt password hashing. We never store raw passwords. Even our on-call engineers cannot read them.
• Browser-local execution. Pyodide runs Python in your browser via WebAssembly. Code executes on your machine; only what you save or submit touches our servers.
• Session-token storage. Auth tokens are stored in browser localStorage under a dedicated key, never in cookies reachable by third-party scripts.
• SharedArrayBuffer isolation. Our COEP/COOP headers ensure third-party scripts cannot inspect our Python runtime.

2.5 — AI tutor data flow

When you chat with FORM AI Sensei, your prompt and any attached code snippet travel as follows:

You → pyform.dev edge → Supabase Edge Function (ai-proxy) → Zhipu AI (primary) or Moonshot Kimi (fallback) → back to you

The proxy is authenticated with your JWT. Prompts are retained for up to 30 days in rate-limiting logs for abuse prevention, then deleted. The AI providers we use have contractually agreed that PyForm traffic is never used for model training.

2.6 — Who we share data with

• Supabase — primary database + authentication. EU & US regions, SOC 2 Type 2 certified.
• Vercel — static-site hosting and edge functions. SOC 2 Type 2 certified.
• Stripe — payment processing. PCI-DSS Level 1.
• Google — OAuth identity (only if you sign in with Google).
• Zhipu AI (China) and Moonshot Kimi (China) — AI tutor inference. Zero-retention contract for PyForm traffic.

We never share data with advertising networks, data brokers, or analytics vendors. We have no paid partnerships that involve your data.

2.7 — International transfers

As a globally distributed service we process data in Hong Kong, the European Union, the United States, and Asia-Pacific. Transfers out of the EU / UK rely on the EU Commission's Standard Contractual Clauses (2021). Transfers from Hong Kong rely on the PCPD cross-border transfer rules.

2.8 — Retention

2.9 — Your rights

Under the Personal Data (Privacy) Ordinance (Hong Kong), GDPR (EU), UK GDPR, CCPA (California), and similar laws, you have the right to:

• Access — request a machine-readable export of your data.
• Rectify — correct inaccurate information.
• Delete — erase your account and data ("right to be forgotten").
• Restrict — limit certain processing activities.
• Object — opt out of processing based on legitimate interest.
• Portability — receive your data in a portable format.
• Withdraw consent — revoke consent without affecting prior processing.
• Lodge a complaint — with the HK Privacy Commissioner (PCPD), Information Commissioner (UK/EU), or your local authority.

Most rights can be exercised directly in Account Settings. For everything else, email info@formhk.com — we respond within 30 days.

2.10 — Children & students under 13

PyForm is not directed at children under 13. We do not knowingly collect personal data from children under 13 without verifiable parental consent. If you believe a child under 13 has created an account, email info@formhk.com and we will delete the account within 72 hours.

2.11 — Changes to this policy

We will post material changes on this page with a new "last updated" date and, for significant updates, notify active users by email at least 14 days before the change takes effect.

You agree not to use PyForm — whether through code, AI prompts, or support channels — to do any of the following:

3.1 — Security & infrastructure abuse

• Probe, scan, or attack any network, system, or user — yours, ours, or third parties.
• Attempt to bypass authentication, Row-Level Security, rate limits, or tier restrictions.
• Exploit the Pyodide sandbox to escape the browser tab.
• Submit code to our grading endpoint that attempts to read environment variables, exfiltrate data, or interact with the Edge Function runtime beyond providing an answer.

3.2 — Resource abuse

• Mine cryptocurrency or run any workload designed primarily to consume compute.
• Operate a server, relay, proxy, VPN, scraping pipeline, or always-on background job.
• Exceed the fair-use allowances documented on the pricing page, or circumvent rate limits via multiple accounts.
• Use automation to generate tasks, ai-proxy calls, or account sign-ups at scale.

3.3 — Content

• Upload, store, execute, or transmit content that is unlawful, defamatory, harassing, obscene, or infringes any intellectual-property right.
• Generate content that sexualises minors, incites violence, or facilitates self-harm.
• Impersonate any person or entity or misrepresent your affiliation with anyone.
• Post malware, phishing kits, or exploit code. Teaching about security is fine — weaponising it is not.

3.4 — AI & academic integrity

• Do not use FORM AI output as a finished answer for any assessment, unless your instructor explicitly permits AI assistance.
• Do not attempt to manipulate the AI grader with prompt injection, invisible tokens, or jailbreak-style payloads.
• Do not use PyForm to generate content you pass off as human-authored in contexts where that matters (journalism, peer-reviewed research, etc.).

3.5 — Community & harassment

• Do not target other users with hate speech, bullying, sexual advances, or doxxing.
• Respect teachers and classmates in shared-classroom contexts.

3.6 — Enforcement

We may, with or without notice, remove infringing content, rate-limit or suspend your account, revoke AI access, or terminate your subscription. Severe violations may be reported to law enforcement. Fair-use disputes are handled human-to-human — email us to appeal.

PyForm does not use third-party tracking cookies. We do use a small number of first-party cookies and localStorage items strictly to deliver the Service:

We do not use Google Analytics, Meta Pixel, Mixpanel, Amplitude, or any other third-party tracker. Because we rely only on strictly-necessary and functional storage, no cookie banner is legally required under ePrivacy/PDPO rules.

4.1 — Disabling storage

You can disable localStorage in your browser settings, but doing so will prevent you from staying signed in and will reset UI preferences on every visit.

5.1 — PyForm's content

The PyForm website, branding, trade marks, logos, course modules, generated AI prompts, fallback task library, marketing copy, and software are © 2026 FormHK. All rights reserved except as expressly granted in §1.4 and below.

5.2 — Your content

You retain full copyright in any code, scripts, comments, quiz answers, or other material you create in PyForm. By saving content to your account you grant FormHK a limited, worldwide, royalty-free, non-exclusive licence to store, reproduce, back up, and display that content back to you, and (where you explicitly enable sharing) to the recipients you designate. This licence exists only to operate the Service on your behalf and terminates when you delete the content.

5.3 — Feedback

If you send us suggestions or feedback, you grant us a perpetual, worldwide, royalty-free, sublicensable licence to use it without obligation. We will not attribute feedback to you publicly without your consent.

5.4 — Open-source components

PyForm stands on the shoulders of the open-source community. We use the following components under their respective licences:

Full licence texts are reproduced in our /NOTICES bundle, distributed with every deployment.

5.5 — DMCA / copyright-complaint procedure

We respect the intellectual-property rights of others and respond to clear notices of alleged copyright infringement. Submit notices to info@formhk.com with subject line "DMCA Notice" containing:

1. An identification of the copyrighted work claimed to be infringed.
2. The URL or a sufficiently specific location of the allegedly infringing material.
3. Your name, mailing address, phone number, and email.
4. A statement that you have a good-faith belief that use of the material in the manner complained of is not authorised by the copyright owner, its agent, or the law.
5. A statement, made under penalty of perjury, that the information in the notice is accurate and that you are the copyright owner or authorised to act on the owner's behalf.
6. Your physical or electronic signature.

We respond to complete notices within 10 business days, remove or disable access to the material, and notify the affected user, who may submit a counter-notice. Repeat infringers will have their accounts terminated.

5.6 — Trade marks

PyForm, the PyForm hexagon mark, FORM AI, FORM AI Sensei, and FormHK are unregistered trade marks of FormHK. Do not use our marks in ways that suggest endorsement or affiliation without written permission.

6.1 — Tiers

6.2 — Payment

Paid subscriptions are processed by Stripe. Prices are shown in HKD and exclude taxes where applicable. By subscribing you authorise us (via Stripe) to charge your payment method at the start of each billing cycle until you cancel.

6.3 — Cancellation

Cancel any time from Account Settings or by emailing info@formhk.com. Cancellation takes effect at the end of the then-current billing period. You retain access until the period ends.

6.4 — Refund policy

• 14-day money-back guarantee on first-time personal subscriptions. Email us within 14 days of the first charge.
• Pro-rata refund if we materially reduce the functionality of a paid tier (see §1.5).
• No refund for partial months after the first 14 days, except where required by local consumer-protection law.
• School licences — refund terms follow the signed order form.

6.5 — Price changes

We may change subscription prices with at least 30 days' notice, effective from the next renewal. You can cancel before renewal to avoid the new price.

6.6 — Promotional codes & redeem codes

Promotional codes are non-transferable, valid only for the period stated, not exchangeable for cash, and may be revoked for abuse.

This addendum applies to accounts provisioned under a school licence or to teachers using PyForm in a classroom context. It supplements — and in the event of conflict, modifies — §§01–06 for school use.

7.1 — Authorised users

A school licence covers students, teachers, and administrative staff of the licensed institution. Licences are per-seat and cannot be shared across institutions.

7.2 — Student data

• Students' personal data belongs to the student, not the school.
• Teachers can see class-wide progress summaries but not raw student code unless the student has shared it.
• Deleting a school licence does not delete individual student accounts, which revert to free tier.

7.3 — Classroom monitoring

We do not build surveillance features. Teachers cannot live-watch a student's keystrokes. Aggregated, anonymised usage metrics are available for pedagogical improvement.

7.4 — Data-processing agreement

Schools acting as data controllers in GDPR-covered jurisdictions can request our standard Data Processing Agreement (DPA) by emailing info@formhk.com.

For any legal, privacy, copyright, billing, or general inquiry:

For faster routing, prefix your email subject with one of:

• Legal — for contract or liability questions
• Privacy — for data-rights requests
• DMCA Notice for copyright complaints (see §5.5)
• Security for responsible-disclosure reports
• Schools — for licensing and DPA requests