Gravity Forms is an analytics and measurement platform providing deep insights into digital ecosystem performance. It tracks user interactions, measures campaign effectiveness, and identifies optimization opportunities across web and mobile. Gravity Forms offers customizable dashboards, automated alerts, and data export capabilities. By transforming raw data into actionable intelligence, Gravity Forms empowers organizations to optimize strategy and maximize return on investment.
Gravity Forms is a flagship premium form plugin for WordPress, developed since 2008 by Rocketgenius Inc. in Tampa, Florida. With over a million active installations it powers contact forms, registration forms, surveys, quizzes and payment forms on WordPress sites worldwide. Because it is fully self-hosted, Gravity Forms gives website operators direct control over where the submission data is stored and how long it is kept.
Gravity Forms renders forms on the server using the WordPress template engine, validates input client side and server side, and stores submissions as entries in the WordPress database. Add-ons connect the form to email, CRM, payment, signature, e-commerce and marketing services. The plugin also offers conditional logic, multi-page forms, file uploads, partial entries and a REST API.
Gravity Forms stores everything the form collects in the entries table of WordPress, including the values submitted, the visitor IP (if not anonymised), the user agent, the source page URL and the user ID if the visitor is logged in. By default it sets only short-lived cookies for partial entries (gform_browser_id) when the Partial Entries add-on is active. None of these cookies is shared with Rocketgenius.
Because the data controller is the website operator (not Rocketgenius), Gravity Forms is treated as a tool rather than a third-party service. The website operator chooses the lawful basis, the retention period and the security measures. Gravity Forms provides the IP anonymisation toggle, the consent field, the Entry Anonymizer for erasure requests and the Personal Data tools added in version 2.4 to comply with Art. 15, 17 and 20 GDPR.
Rocketgenius servers only receive the licence key and basic site fingerprint. However, every add-on you activate may transfer the entry data to a third party (Stripe, PayPal, Mailchimp, ActiveCampaign, HubSpot, Salesforce, Zoho, Twilio, etc.), often located in the United States. Each add-on must be assessed individually in your records of processing and may require an additional sub-processor agreement.
Enable IP anonymisation in Forms > Settings > General. Add a Consent field and a privacy notice on every form. Configure the retention period per form (Form Settings > Personal Data). Use the Personal Data Exporter and Eraser hooks for Art. 15 and Art. 17 requests. List every active add-on and its sub-processor in your records of processing and privacy notice. Audit forms quarterly to remove unused fields.
Websites using Gravity Forms must obtain user consent under GDPR regulations.
Third-party domains contacted
gravityforms.com
gravityhelp.com
rocketgenius.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| gform_browser_id | first_party | 30 days | Identifies the browser for the Partial Entries add-on to resume an incomplete form submission. |
| gf_session_* | first_party | Session | Stores intermediate form state between pages on multi-page forms. |
| gform_uniqueid_* | first_party | Session | Generates a unique identifier for file uploads tied to the current submission. |
By default, Gravity Forms sets only short-lived first-party cookies that are strictly necessary: gform_browser_id when the Partial Entries add-on is active and a session cookie for multi-page forms. None is shared with Rocketgenius. The plugin does not set any tracking or marketing cookie.
Consent is generally not required for the form itself, because submitting personal data through a contact form is processed on the legal basis of pre-contractual measures (Art. 6(1)(b) GDPR). However, any marketing checkbox (newsletter, profiling) and add-ons that drop tracking cookies must be wrapped in a separate opt-in consent.
Most contact forms rely on Art. 6(1)(b) GDPR (pre-contractual measures), recruitment forms on Art. 6(1)(b) for the application and Art. 6(1)(c) for legal record-keeping. Marketing checkboxes always require consent under Art. 6(1)(a) and Art. 7. Sensitive data (Art. 9 GDPR) needs explicit consent and a documented assessment.
Form submissions stay in your WordPress database, so by default no data leaves the EU. Only the Gravity Forms licence key and site fingerprint reach Rocketgenius in the US. Active add-ons (Stripe, Mailchimp, HubSpot, etc.), however, do transfer the entry data and trigger separate transfer rules.
Using Gravity Forms does not in itself require a DPIA. A DPIA may be needed when the form collects special categories of data (health, biometrics, religion), is used in a recruitment context with profiling, or feeds into automated decision-making. The DPIA covers the form purpose, not the plugin code base.
Activate IP anonymisation, add a consent field and a privacy notice, set a retention period per form, list the third-party add-ons in your privacy policy, sign Data Processing Agreements with each add-on vendor, and rely on the WordPress Personal Data Exporter and Eraser to honour Art. 15 and 17 requests within one month.
WordPress alternatives include WPForms, Ninja Forms, Fluent Forms (all US/Bangladesh), Formidable Forms (US) and self-hosted Forminator. EU-first SaaS options: Tally (Belgium), Typeform (Spain), JotForm (US with EU hosting). For pure privacy, the built-in Contact Form 7 with Flamingo plugin is fully local.
When you add an add-on that drops new cookies or transfers data, update the cookie table and the data transfer section in your privacy notice, bump the consent banner version to invalidate older consents, and document the new sub-processor in your records of processing.