Skip to main content


What is GDPR?

The General Data Protection Regulation (GDPR) is a European privacy law that went into effect on May 25, 2018. The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. These data protection laws require businesses to process an individual’s personal data fairly and lawfully, allow individuals to exercise legal rights in respect of their personal data (for example, to access, correct or delete their personal data at any time), and ensure appropriate security protections are put in place to protect the personal data they process.

To whom does the GDPR apply?

The GDPR applies to all businesses and individuals based in the EU and to those outside the EU that process the personal data of EU individuals. Personal data, as defined by the GDPR, is any information relating to an identified or identifiable natural person. This includes personal data such as name or email address, as well as data that can be used to identify an individual indirectly, such as an IP address.

Data Controller and Data Processor definitions

Article 4 of the GDPR defines data controllers and data processors as:

Controller - the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor - a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Form-Data as Data Controller

When you create an account in Form-Data, we ask you for a valid email address and your name.

Why we collect this data and how we use it

  • Your email is also used as the primary key under which all your data is stored.
  • We use your email address and your name to communicate with you in regards to your account.
  • We use your email address to send you updates about the product. You can change your email settings and unsubscribe from these messages if you wish to do so.
  • We limit our use of your personal information to the purposes listed in our Privacy Policy. We do not share, sell, rent, or trade personal information with any third party, except for our vendors for the purpose of operating the service, as described in the section below.

NOTE: We do NOT store any credit card information or billing data. That data is stored with a 3rd party vendor as described below.

Our vendors

The following services may have access to part or all of your data, or the data of your users, for the purpose of operating the service. These services have confirmed their commitment to GDPR compliance:

  • Cloudflare - Site and service hosting, database
  • Paddle - Payments and merchant of record
  • Postmark - Email services
  • Mailgun - Email services
  • Tribe - community
  • CleanTalk - Anti spam protection
  • FaunaDB - Database
  • Firebase - User authentication and database

You as Data Controller

You determine which data is collected from your end users. It is therefore your responsibility as Form-Data account owner to limit the collection of Personally Identifiable Information and adhere to our Terms of Service, which follow GDPR requirements. We provide you with the tools needed to make adherence to GDPR requirements simple and straightforward.

  • Within your individual account settings, you are provided with all the tools needed to manage your own personal data.
  • You can contact us through the contact form on our site, or through the email and request that Form-Data change or delete all or some of your own personal data.
  • Within your individual form settings, you are provided with all the tools needed to manage the personal data of those who submit to your form, including permanently deleting it from our service.

Form-Data as Data Processor

All data stored in Form-Data's service is defined by our users. It is the responsibility of our users as data controllers to ensure that the personal information they collect through Form-Data powered forms is GDPR compliant.

Form-Data must NOT to be used for:

  • Collecting children's personal information
  • Collecting personal health information
  • Collecting personal criminal history
  • High risk processing of sensitive data

Lawful basis for data processing

All data collected by Form-Data is in the legitimate interest of our users, both the account owners and the submissions which they receive. For account owners, we require the minimal amount of Personally Identifiable Information to perform billing, ensure legitimate users, and prevent abuse. When an end user submits data to an account owner's form, we collect the data that was submitted along with the IP address from which it was submitted.

The IP address of the end user along with its email address are sent to CleanTalk in order to verify that this end-user is not a spam bot.

When a user’s submission is sent to Form-Data, it functions as expected. The account owner or other people at his choice are notified of the submission and the data is passed along.

Right of access and Right to be forgotten

Form-Data does not ask for more personal data from its users than needed to provide the service. We provide you the ability to access and delete both the data you have given us and the data your form submitters have given to you at any time.

You may ask us via email to close your Form-Data account. In this case it will automatically delete any and all associated data, including submission data for your forms. When you delete individual submissions from your forms, they are permanently removed from our storage systems and cannot be restored.

As part of our limited data retention policy, submissions are automatically deleted after 48 months. Spam and trashed submissions are deleted from time to time.

Notice of security breaches

Form-Data takes all measures reasonably necessary to protect Personal Information from unauthorized access, alteration, or destruction, maintain data accuracy, and help ensure the appropriate use of Personal Information at all times. We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. We are committed to announcing any security breaches within 72 hours after we notice this kind of issue.

Data requests

At any time you may request Form-Data to :

  • Get all of the data that we have collected on you or on your behalf
  • Close your account and permanently delete all of your data or data that we have collected on your behalf
  • Request to rectify data that store about you
  • Request that your data will not be used for marketing purposes Please contact us via email to to exercise those rights.