Does your website use third-party services? Get GDPR compliant in minutes.

WPForms

What does WPForms do?

WPForms is an analytics and measurement platform providing deep insights into digital ecosystem performance. It tracks user interactions, measures campaign effectiveness, and identifies optimization opportunities across web and mobile. WPForms offers customizable dashboards, automated alerts, and data export capabilities. By transforming raw data into actionable intelligence, WPForms empowers organizations to optimize strategy and maximize return on investment.

WPForms is the most installed premium form builder for WordPress with more than six million active sites. Developed by WPForms LLC, part of the Awesome Motive group in Florida, it offers a drag and drop builder, pre built templates and a strong ecosystem of integrations. Like Gravity Forms, it is fully self hosted: submissions stay in the WordPress database controlled by the website operator.

What WPForms does

WPForms renders forms on the WordPress server, validates inputs, sends notifications, and stores entries in the wp_wpforms_entries table. It supports conditional logic, multi page forms, file uploads, calculations, signatures, anti spam (hCaptcha, Cloudflare Turnstile, Akismet) and integrations with Stripe, PayPal, Square, Mailchimp, ActiveCampaign, Constant Contact, HubSpot, Salesforce, Zapier, Slack and many more.

Data and cookies

By default, WPForms stores in the WordPress database the values submitted, the visitor IP (unless disabled in Settings > General > Disable User Details), the user agent and the referrer URL. The plugin sets first party cookies wpforms_referer_url, wpforms_ip and wpforms_uuid to power the form analytics and conversion tracking. The free version sends anonymous usage telemetry to Awesome Motive unless opted out.

GDPR and ePrivacy implications

The website operator remains the data controller. WPForms ships with built in GDPR enhancements: a global toggle to disable User Details storage (Settings > General), a Consent field for explicit opt in, and hooks compatible with the WordPress Personal Data Exporter and Eraser. The IP address is considered personal data under Recital 30 GDPR, so storage must be justified by purpose and limited in time. Disable telemetry on production sites.

Get GDPR compliant in 10 minutes

Free plan available · No credit card required

Try FlowConsent free

Data transfers and integrations

Awesome Motive servers (US) only receive licence validation and the optional telemetry ping. Each active integration is a separate sub processor: Stripe and PayPal (US, with EU entities), Mailchimp (US, EU US DPF), Constant Contact (US), ActiveCampaign (US), HubSpot (US, EU US DPF), Salesforce (US, EU US DPF), Zapier (US). Each must be listed and contractually covered.

Practical compliance steps

Disable User Details (or set a short retention) in WPForms Settings. Add a Consent field and a link to the privacy notice on each form. Disable usage telemetry. Add Akismet, hCaptcha or Cloudflare Turnstile to deter spam without third country transfers. Document active integrations as sub processors and sign their DPAs. Use the Personal Data Exporter and Eraser to handle Art. 15 and 17 requests within one month.

GDPR consent category

Analytics

Websites using WPForms must obtain user consent under GDPR regulations.

Legal basisPerformance of a contract or pre contractual measure (Art. 6(1)(b) GDPR) for the form submission itself. Consent (Art. 6(1)(a)) for a newsletter checkbox, marketing integration or tracking cookie. Legal obligation (Art. 6(1)(c)) if the form is used to honour a statutory obligation such as tax invoicing.

Risk levellow

Applicable regulationsGDPR, ePrivacy Directive, TDDDG, LSSI CE, CCPA/CPRA, PCI DSS (when Stripe or PayPal payment forms are used)

Technical details

Tracking methodSelf hosted WordPress plugin. Forms are rendered server side, submissions are stored in the site's own WordPress database. The plugin communicates with WPForms LLC servers only for licence validation, automatic updates, template downloads and optional integrations (Stripe, PayPal, Mailchimp, Constant Contact, etc.).

Server locationPlugin developed by WPForms LLC (Awesome Motive group), West Palm Beach, Florida, United States. Form submissions remain on the customer WordPress server. Licence and template servers are operated from the United States and AWS regions.

Cookieless tracking availableYes

Data transferred outside the EUNo personal data of form respondents is automatically transferred outside the EU. Only the licence key, the plugin telemetry (if enabled) and the WPForms tracking ping are sent to Awesome Motive in the United States. Activated integrations (Stripe, Mailchimp, Constant Contact, ActiveCampaign) will transfer the entry data to those processors.

Third-party domains contacted

wpforms.comapi.wpforms.comawesomemotive.com

Cookies placed

Name	Type	Duration	Purpose
wpforms_referer_url	first_party	24 hours	Stores the URL of the page where the visitor first encountered the form, for form analytics.
wpforms_ip	first_party	24 hours	Stores a hashed copy of the visitor IP for form analytics and conversion tracking.
wpforms_uuid	first_party	12 months	Unique visitor identifier used by the User Journey add on to reconstruct the path to conversion.

WPForms collects user analytics data — you legally need a consent banner. Try FlowConsent free.

Get started free Scan your site

Frequently asked questions

Which cookies does WPForms set?

WPForms sets first party cookies wpforms_referer_url (24 hours), wpforms_ip (24 hours) and wpforms_uuid (12 months) when form analytics or User Journey tracking are enabled. These cookies are used to attribute submissions to a referring page. They require consent if used for non strictly necessary purposes.

Is consent required to use WPForms?

Consent is not required for a simple contact form processed under Art. 6(1)(b) GDPR. Consent is required for marketing checkboxes, the User Journey tracking cookie, and for any active integration that drops a tracking cookie (e.g. HubSpot, ActiveCampaign).

What is the legal basis for processing form data?

Pre contractual measures (Art. 6(1)(b) GDPR) for contact and quote forms. Legal obligation (Art. 6(1)(c)) for tax and invoicing forms. Consent (Art. 6(1)(a)) for marketing checkboxes. Vital interests (Art. 6(1)(d)) is unusual but possible for emergency forms.

Is form data transferred to the United States?

Submissions stay in your WordPress database. Awesome Motive (US) receives the licence key and optional telemetry only. Each active integration (Stripe, Mailchimp, HubSpot, etc.) may transfer the entry data to the US under the EU US Data Privacy Framework or Standard Contractual Clauses.

Do I need a DPIA for WPForms?

Not for the plugin itself. A DPIA is appropriate when forms collect special categories of data, are part of automated decision making, or are integrated with high risk profiling. The DPIA assesses the form purpose and integrations, not the plugin code.

How do I implement WPForms in a GDPR compliant way?

Disable User Details storage or set a short retention. Add a Consent field and a privacy notice link on every form. Disable usage telemetry. Use Akismet, hCaptcha or Cloudflare Turnstile for anti spam. Sign DPAs with each integration vendor. Document active integrations in the records of processing.

Which alternatives to WPForms should I consider?

WordPress alternatives include Gravity Forms (US), Ninja Forms (US), Fluent Forms (Bangladesh), Forminator (US), and the free Contact Form 7 with Flamingo. EU first SaaS options: Tally (Belgium), Typeform (Spain). For maximum privacy, Contact Form 7 + Flamingo keeps everything local.

How do I update the cookie policy when WPForms changes?

When you enable a new integration, update the cookie table and the data transfer section of your privacy policy, list the new sub processor in your records of processing, bump the consent banner version to invalidate older consents and re run any documented assessment.

Get compliant — Try FlowConsent free

Free plan · 10-min setup