Ninja Forms is an analytics and measurement platform providing deep insights into digital ecosystem performance. It tracks user interactions, measures campaign effectiveness, and identifies optimization opportunities across web and mobile. Ninja Forms offers customizable dashboards, automated alerts, and data export capabilities. By transforming raw data into actionable intelligence, Ninja Forms empowers organizations to optimize strategy and maximize return on investment.
Ninja Forms is a long-established drag-and-drop form builder for WordPress, developed by Saturday Drive in California. With more than a million active installations, it is used for contact forms, registration, multi-step surveys, payment forms and conditional logic flows. Like its competitors, it is fully self-hosted, which keeps the submission data on the customer's WordPress server.
Ninja Forms renders forms server-side, validates inputs, sends notifications and stores entries in the nf3_submissions custom post type. The free version covers basic forms. Premium add-ons add multi-page forms, conditional logic, file uploads, and Stripe, PayPal, Mailchimp, ActiveCampaign, Constant Contact, Salesforce, Zapier, Slack and webhook integrations.
Ninja Forms stores the values submitted, the visitor IP (unless anonymised), the user agent and the submission timestamp. It sets only short-lived first-party cookies for spam protection and multi-page form state. The plugin does not set tracking or marketing cookies. The free version sends anonymous usage telemetry to Saturday Drive unless opted out from Ninja Forms > Settings > Misc.
The website operator is the data controller for form submissions. Ninja Forms provides built-in tools for compliance: a global submission expiration setting (Ninja Forms > Settings > Data), IP anonymisation, the GDPR opt-in field, and full integration with the WordPress Personal Data Exporter and Eraser. IP storage must be justified by a clear purpose and limited in time.
Saturday Drive (US) only receives licence and optional telemetry pings. Each activated add-on is a separate sub-processor: Stripe and PayPal (US with EU entities), Mailchimp (US, EU-US DPF), Constant Contact (US), ActiveCampaign (US), Salesforce (US, EU-US DPF), Zapier (US). Each must be listed in your records of processing and contractually covered with a DPA.
Set a submission expiration period appropriate to the form purpose. Enable IP anonymisation. Add the GDPR field with a privacy notice link. Disable usage telemetry. Use Akismet, hCaptcha or Cloudflare Turnstile for spam control without third-country transfers. Sign DPAs with each integration. Document the integrations in the records of processing and link them in the privacy notice.
Websites using Ninja Forms must obtain user consent under GDPR regulations.
Third-party domains contacted
ninjaforms.com, saturdaydrive.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| nf_wp_session | first_party | Session | Identifies the visitor session for multi-page form state and anti-spam. |
| nf_form_step | first_party | Session | Stores the current page index in multi-page forms. |
Ninja Forms only sets short-lived first-party cookies for spam protection (nf_wp_session) and multi-page form state. None is shared with Saturday Drive. The plugin does not set tracking or marketing cookies on the embedding website.
Consent is not required for a simple contact form processed under Art. 6(1)(b) GDPR. It is required for marketing checkboxes and for any active integration that drops a tracking cookie or transfers behavioural data to a third party (Mailchimp, ActiveCampaign, etc.).
Pre-contractual measures (Art. 6(1)(b) GDPR) for contact and quote forms. Legal obligation (Art. 6(1)(c)) for tax-related forms. Consent (Art. 6(1)(a)) for marketing checkboxes and tracking add-ons.
Submissions remain on your WordPress server. Saturday Drive (US) only receives the licence key and optional usage telemetry. Active add-ons (Mailchimp, Salesforce, Constant Contact, Stripe) may transfer entry data to the US under the EU-US DPF or SCCs.
Not for the plugin itself. A DPIA is appropriate for forms collecting special categories of data, automated decisions or high-risk profiling. The DPIA covers the form purpose and integrations, not the plugin code.
Enable submission expiration, IP anonymisation and the GDPR opt-in field. Disable usage telemetry. Use Akismet, hCaptcha or Cloudflare Turnstile for spam control. Sign DPAs with each integration. Document integrations in the records of processing and link them in the privacy notice.
WordPress alternatives include Gravity Forms, WPForms, Fluent Forms (Bangladesh), Forminator (US) and Contact Form 7 with Flamingo. EU-first SaaS options: Tally (Belgium), Typeform (Spain), JotForm (US with EU hosting).
When activating a new integration, update the cookie table, the data transfer section and the list of sub-processors in your privacy notice, bump the consent banner version to invalidate older consents, and re-run any documented assessment.