Wufoo is an online form builder owned by SurveyMonkey LLC, used to collect contact requests, registrations, surveys and payments through embeddable HTML forms or hosted form URLs. Because the embed loads from wufoo.com and writes third-party cookies, and because all submissions are stored on US servers, Wufoo requires consent for the cookie layer and a careful GDPR setup for the form data itself.
Wufoo is an online form builder launched in 2006 and acquired by SurveyMonkey in 2011 (now operated by Momentive AI / SurveyMonkey LLC). It lets non-technical users create web forms with conditional logic, file uploads, e-signatures, and payment fields, then embed them on any website via an HTML snippet, an iframe, or a hosted form URL on wufoo.com. The product covers contact pages, event registrations, lead capture, customer surveys, job applications, and donation forms. All form submissions are stored in a Wufoo account dashboard and can be exported to CSV/XLSX or pushed via webhook or Zapier to downstream systems.
When a Wufoo embed loads on a public page, the wufoo.com domain typically sets third-party cookies including __cfruid (Cloudflare load balancing), __cf_bm (bot management), and a session cookie used by the form runtime. The hosted form pages on wufoo.com also set authentication cookies for logged-in account holders. Beyond cookies, Wufoo collects every field the visitor submits (names, emails, addresses, free-text answers, uploaded files), the IP address at submission, the browser metadata, the referring page, and a timestamp. When payments are enabled, payment metadata is shared with the configured processor (PayPal, Stripe, Authorize.Net).
Two distinct compliance layers apply. First, the cookies set by the wufoo.com embed before the visitor interacts with the form fall under Article 5(3) of the ePrivacy Directive and require prior consent unless they are strictly necessary for the form to function. In practice the bot-management cookie qualifies as strictly necessary, but the rest do not. Second, the form submission itself triggers the GDPR processing rules: SurveyMonkey LLC acts as processor under Article 28, and the publisher (controller) must sign a DPA, document the legal basis, store the data only as long as necessary, and respect subject rights. The US storage location adds a Chapter V transfer dimension.
Two practical patterns work well. Option A: gate the entire Wufoo embed behind a CMP consent event under the Functional or Marketing category, so neither the iframe nor the cookies load until the visitor accepts. Option B: replace the embed with a click-to-load placeholder (a button labelled "Load form") that loads the iframe only after the user clicks; this user gesture can constitute prior consent for the third-party cookies under recent CNIL and AEPD guidance. Always include a privacy notice on the form itself with the legal basis for processing the answers, the controller and processor identities, the retention period, and a link to the data subject rights process.
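The click-to-load placeholder from Option B, as an added example (not Wufoo's or any CMP's own code): no iframe element exists until the visitor clicks, so no request reaches wufoo.com and no cookie is written beforehand. The function names and the form URL are hypothetical placeholders; for Option A, a CMP's consent callback can call the returned `load()` instead of waiting for a click.

```javascript
// Added example: consent-gated Wufoo embed. Names are hypothetical.

// Only https URLs on wufoo.com or *.wufoo.com may be framed.
const ALLOWED_HOST = /(^|\.)wufoo\.com$/;

function isWufooUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" && ALLOWED_HOST.test(u.hostname);
  } catch {
    return false; // not a parseable absolute URL
  }
}

// doc: the page's Document; container: element that will hold the form;
// formUrl: the hosted form URL copied from the Wufoo account.
function mountGatedForm(doc, container, formUrl) {
  if (!isWufooUrl(formUrl)) throw new Error("refusing non-Wufoo form URL");
  let loaded = false;

  // Short notice shown before anything third-party is fetched.
  const notice = doc.createElement("p");
  notice.textContent =
    "This form is provided by Wufoo (SurveyMonkey LLC, United States). " +
    "Loading it sets third-party cookies on wufoo.com.";

  const button = doc.createElement("button");
  button.type = "button";
  button.textContent = "Load form";

  function load() {
    if (loaded) return false; // idempotent: never insert a second iframe
    loaded = true;
    const frame = doc.createElement("iframe");
    frame.title = "Form";
    frame.src = formUrl; // the first request to wufoo.com happens here
    container.replaceChildren(frame);
    return true;
  }

  button.addEventListener("click", load);
  container.replaceChildren(notice, button);
  return { load, isLoaded: () => loaded };
}
```

In a page this would be called as `mountGatedForm(document, document.getElementById("form-slot"), url)`, where the element id is whatever the page uses for the form slot.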
Wufoo does not offer EU data residency. All form submissions and embed assets are processed by SurveyMonkey LLC in the United States. SurveyMonkey is certified under the EU-US Data Privacy Framework and provides Standard Contractual Clauses (Commission Decision 2021/914) in its DPA for customers that prefer to rely on SCCs. A Transfer Impact Assessment is recommended; consider the type of data collected (regular contact details vs. sensitive answers), the volume, and whether end-to-end encryption can be added (file fields can be configured to encrypt at rest in Wufoo).
Sign a DPA with SurveyMonkey LLC, list Wufoo and SurveyMonkey in your record of processing activities, and add an entry to the privacy policy that names the controller, the processor, and the US data location. Use a CMP gate or click-to-load wrapper for the embed. Configure a sensible retention period in Wufoo (delete entries after the use case is complete; do not keep them indefinitely). Keep sensitive fields out of Wufoo when possible; route them through encrypted channels. For European audiences with frequent GDPR scrutiny, consider EU-hosted alternatives such as Tally, Typeform with EU residency, Formspark, or open source options like Formbricks.
Websites using Wufoo must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Wufoo is used to collect special categories of data (health questionnaires, ethnicity surveys), when forms gather data of vulnerable groups (children, patients), when payment data flows through the form, or when high volumes of personal data are processed for marketing purposes. The combination of US transfer and third-party embed cookies elevates the risk profile compared with self-hosted forms. Document the SurveyMonkey DPA, the data retention policy in your Wufoo account, the transfer safeguards (DPF certification + SCCs), and the role of any payment processor.
Sample consent text
We use Wufoo to display contact and registration forms on our website. Wufoo is operated by SurveyMonkey LLC and stores form submissions on its servers in the United States. The Wufoo embed sets third-party cookies on wufoo.com to load the form and protect against spam. Do you accept the use of Wufoo and the associated cookies?
Third-party domains contacted
wufoo.com, *.wufoo.com, wufoo.eu, surveymonkey.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __cf_bm | third-party | 30 minutes | Cloudflare bot management cookie set on the wufoo.com domain when the form embed loads. Distinguishes humans from bots to protect the form runtime against automated abuse. Considered strictly necessary. |
| __cfruid | third-party | Session | Cloudflare load-balancing cookie used to route the form request to a healthy origin. Set by wufoo.com on form load. |
| wufoo_session | third-party | Session | Session cookie used by the Wufoo form runtime to maintain state during multi-page or conditional-logic forms. Set on wufoo.com. |
| wufoo_auth | third-party | 1 month | Authentication cookie used by the Wufoo dashboard for logged-in account holders. Only set when an editor accesses wufoo.com directly, not on visitor-facing pages. |
When the embed loads, the wufoo.com domain typically sets third-party cookies including __cfruid (Cloudflare load balancing), __cf_bm (bot management, around 30 minutes) and a session cookie. Hosted form pages on wufoo.com also set authentication cookies for logged-in account holders. None of these are written until the iframe actually loads, so blocking the embed before consent prevents all cookie placement.
Yes for the cookies set by the wufoo.com embed. Bot-management cookies can qualify as strictly necessary, but session and load-balancing cookies do not, and they are written before the visitor decides whether to fill in the form. Either gate the embed via your CMP or use a click-to-load placeholder to obtain prior consent before the iframe is fetched.
For the cookies: consent (GDPR Article 6(1)(a)). For the form data: contract performance (Article 6(1)(b)) when the form delivers a service the visitor requested, or legitimate interest (Article 6(1)(f)) for typical contact forms. Marketing opt-ins inside the form (newsletter, updates) are based on consent. Always document the legal basis and the retention period per form.
Yes. SurveyMonkey LLC stores all Wufoo form submissions and embed assets on US infrastructure. SurveyMonkey is certified under the EU-US Data Privacy Framework and provides Standard Contractual Clauses in its DPA. A Transfer Impact Assessment is recommended, especially when Wufoo is used to collect sensitive answers or large volumes of personal data.
A DPIA is recommended when Wufoo collects special categories of data (health, ethnicity), data on children or other vulnerable groups, payment data through the form, or large volumes of personal data for marketing. The combination of US storage and third-party embed cookies pushes the residual risk toward the medium range, which justifies a DPIA in many regulated sectors.
Sign a DPA with SurveyMonkey LLC, gate the embed via a CMP or click-to-load wrapper, attach a privacy notice on every form page, set a sensible retention policy in the Wufoo account, encrypt sensitive file uploads, and document the US transfer with SCCs plus a Transfer Impact Assessment. Add Wufoo and SurveyMonkey to your record of processing activities as sub-processors.
EU-hosted form alternatives include Tally (Belgium), Formspark (Netherlands), Formbricks (open source), Paperform (with EU residency on enterprise), Typeform with EU data residency, and self-hosted options like Mautic forms or Drupal Webform. For purely contact use cases, native HTML forms with a Postgres backend on an EU host avoid all third-party transfer concerns.
List Wufoo as a sub-processor with the cookies __cf_bm (strictly necessary) and __cfruid plus the session cookie (functional, requires consent). Mention SurveyMonkey LLC as the controller of the platform, the United States as the data location, the SCCs and DPF as transfer safeguards, and the retention period configured in the account. Link to SurveyMonkey's privacy policy.