Airtable is a US cloud platform combining spreadsheet and relational database features, with collaborative bases, automations and embedded Forms. Airtable Forms can be published on third-party websites to collect respondent data, which is transferred to Airtable, Inc. in the United States.
Airtable is a US SaaS platform that mixes spreadsheet flexibility with relational database features. Customers create bases to manage projects, CRM, content calendars, HR pipelines and many other use cases. Airtable also offers Forms, Interfaces, Automations and an AI assistant. Personal data can enter Airtable in two distinct ways: as records typed or imported by authenticated users (employees, contractors), or as respondent data submitted through an embedded Airtable Form on a public website. Each path has different legal implications under GDPR.
The airtable.com web app sets first-party session cookies such as brw, AWSALB and _airtable_session, plus product analytics cookies through Segment, Mixpanel, Google Analytics and Hotjar. Embedded Airtable Forms loaded through an iframe will set first-party airtable.com cookies in a third-party context when the form is displayed on a publisher site. From an ePrivacy perspective these non-essential cookies require prior, freely given, specific, informed and unambiguous consent before being read or written on the visitor's terminal.
Airtable, Inc. processes data primarily in AWS US regions. Even when employees in the EU collaborate on a base, the underlying storage and most platform telemetry flow through US infrastructure. Airtable self-certifies under the EU-US Data Privacy Framework and also signs the EU Standard Contractual Clauses through its Data Processing Addendum. Controllers must perform a Transfer Impact Assessment for routine transfers, particularly when categories of data include sensitive information or large numbers of EU data subjects. EU data residency on AWS Frankfurt is available only on the Enterprise Scale plan.
When a publisher embeds an Airtable Form, the iframe loads airtable.com and sets cookies before the visitor interacts. Under Art. 5(3) ePrivacy Directive transposed into national law (TTDSG in Germany, article 82 of the Loi Informatique et Libertés in France, article 22.2 of the LSSI in Spain) the publisher must obtain prior consent for non-essential cookies and disclose the third-party recipient. The cleanest implementation is to defer iframe injection until consent is granted, or to replace the form with a self-hosted alternative when the visitor refuses consent.
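One way to implement the deferred injection described above, as an added example that is not part of the original page or any vendor's code. The slot markup (`data-airtable-form`, `data-src`), the `consent-changed` event and the form URL are assumptions; until consent is granted only a placeholder is rendered, so the browser makes no request to airtable.com.

```javascript
// Added example: consent-gated Airtable Form embed (not Airtable's own code).
// Assumed markup: <div data-airtable-form data-src="https://airtable.com/embed/FORM_ID">
const AIRTABLE_HOSTS = new Set(["airtable.com"]); // embed host named on this page

// Accept only https URLs on the expected host, so a tampered data-src
// cannot point the iframe at a look-alike domain.
function isAirtableUrl(raw) {
  try {
    const u = new URL(raw);
    return u.protocol === "https:" && AIRTABLE_HOSTS.has(u.hostname);
  } catch {
    return false; // missing or malformed URL
  }
}

// Render one slot. Before consent: a text placeholder only, so nothing is
// fetched from airtable.com and no cookie is written. After consent: the
// iframe is created. Returns "placeholder", "iframe" or "blocked".
function renderSlot(doc, slot, consentGranted) {
  const src = slot.getAttribute("data-src");
  let child, state;
  if (!isAirtableUrl(src)) {
    child = doc.createElement("p");
    child.textContent = "Form unavailable.";
    state = "blocked";
  } else if (consentGranted) {
    child = doc.createElement("iframe");
    child.setAttribute("src", src);
    child.setAttribute("title", "Airtable Form");
    child.setAttribute("referrerpolicy", "no-referrer"); // omit the Referer header
    state = "iframe";
  } else {
    child = doc.createElement("p");
    child.textContent =
      "This form is provided by Airtable, Inc. (United States). Click Accept to load it.";
    state = "placeholder";
  }
  slot.replaceChildren(child); // also removes the iframe if consent is withdrawn
  return state;
}

// Browser wiring. Assumption: the consent tool dispatches a "consent-changed"
// event on document with detail.airtable set to true or false.
if (typeof document !== "undefined") {
  const slots = document.querySelectorAll("[data-airtable-form]");
  const paint = (ok) => slots.forEach((s) => renderSlot(document, s, ok));
  paint(false); // default state: nothing loaded
  document.addEventListener("consent-changed", (e) => paint(e.detail.airtable === true));
}
```

Removing the iframe on withdrawal stops further requests but does not delete cookies already stored for airtable.com.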
Sign the Airtable Data Processing Addendum and store it with your processor inventory. Map which bases hold personal data and classify the categories of data subjects. Enable single sign-on, two-factor authentication and granular base permissions. For Airtable Forms embedded on EU-facing properties, defer loading until consent, name Airtable in your cookie banner and privacy policy, and link to the Airtable privacy notice. Disable Airtable AI features on bases containing personal data unless you have assessed the additional processing. Review subprocessor changes regularly.
Websites using Airtable must obtain user consent under GDPR regulations.
DPIA considerations
Airtable is a general-purpose SaaS and most bases process internal business data, but publishing Airtable Forms to collect respondent data from website visitors changes the risk profile. A DPIA is recommended when forms collect special category data (Art. 9 GDPR), when bases are used as a CRM or HR system at scale, or when Airtable AI features process personal data. Identify Airtable as a processor in the record of processing activities, sign the Airtable Data Processing Addendum, document the EU-US transfer mechanism (DPF self-certification and Standard Contractual Clauses) and assess the transfer impact in light of US surveillance laws (FISA 702, EO 14086).
Sample consent text
This page embeds an Airtable Form provided by Airtable, Inc. (United States). When you submit the form, your responses, IP address and technical metadata are transferred to Airtable on our behalf. Click Accept to load and submit the form.
Third-party domains contacted
- airtable.com
- airtableusercontent.com
- api.segment.io
- api.mixpanel.com
- static.hotjar.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| brw | First party (airtable.com browser identifier) | Persistent (1 year) | Identifies the browser across visits to the Airtable web app, used to fingerprint sessions and bind to authenticated users |
| AWSALB | Strictly necessary (AWS load balancer) | Persistent (7 days) | Routes the visitor to a consistent AWS Application Load Balancer target for the Airtable web app |
| _airtable_session | Strictly necessary (authentication) | Session | Maintains the authenticated user session in the Airtable web app and embedded forms |
| ajs_anonymous_id | Analytics (Segment) | Persistent (1 year) | Anonymous identifier set by Segment to stitch product telemetry events across pageviews |
| mp_* | Analytics (Mixpanel) | Persistent (1 year) | Mixpanel distinct id used to attribute product analytics events to a recurring browser |
When you embed an Airtable Form, the iframe loads airtable.com and sets first-party cookies on that domain, including brw, AWSALB and _airtable_session. The Airtable web app on airtable.com also loads Segment, Mixpanel, Google Analytics and Hotjar, which set their own analytics cookies. These cookies appear in a third-party context from the publisher's perspective and require disclosure.
Yes. Embedded Airtable Forms set non-essential cookies and load third-party scripts before the visitor interacts, so prior consent under Art. 5(3) ePrivacy and Art. 6(1)(a) GDPR is required. Defer the iframe until consent is granted, and present a clear placeholder explaining the third-party transfer.
For the form submission itself, the legal basis is typically Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measure) when the form is part of a service request, or Art. 6(1)(a) GDPR (consent) when the form gathers marketing or research data. Analytics and product telemetry cookies always rely on Art. 6(1)(a) consent.
Airtable, Inc. self-certifies under the EU-US Data Privacy Framework and signs the EU Standard Contractual Clauses in its Data Processing Addendum. EU controllers must perform a Transfer Impact Assessment and document supplementary measures such as encryption in transit and at rest. EU data residency on AWS Frankfurt is gated to the Enterprise Scale plan.
A DPIA is recommended when Airtable bases hold special category data (Art. 9 GDPR), function as a CRM or HR system with large numbers of subjects, when Airtable AI features process personal data, or when forms are used for sensitive intake. Document Airtable as a processor, the DPF and SCC transfer mechanisms, retention periods and the rights workflow.
Sign the Airtable Data Processing Addendum, map bases that contain personal data, and enable SSO, two-factor authentication and granular permissions. For embedded forms, defer iframe loading until consent and disclose the US transfer in the cookie banner and privacy policy. Disable Airtable AI on sensitive bases and review subprocessor updates regularly.
For form collection alone you can consider EU-hosted alternatives such as Tally (Belgium), Formbricks (Germany, self-hosted), Framaforms (France) or NocoDB self-hosted on EU infrastructure. These options reduce or eliminate transfers to the United States, but lack the broader Airtable base and automation ecosystem.
In your cookie policy list the airtable.com cookies that the embedded form sets, plus the analytics cookies loaded by airtable.com (Segment, Mixpanel, Hotjar). In your record of processing activities, add Airtable as a processor for the relevant base or form, name Airtable, Inc. as the data importer, reference the DPF and SCCs, and document retention periods and access controls.