Formrun is a Japanese SaaS that combines a no-code form builder with a lightweight CRM. Marketers and customer success teams create contact, survey or registration forms in the dashboard and either share the hosted page URL or embed the form on their site through a JavaScript snippet. Submissions land in a Kanban board with team comments, tags and email automation. Because submissions are personal data and the embed sets analytics cookies, the integration requires consent under the GDPR and ePrivacy Directive.
Formrun is a Japanese SaaS from Basic Inc. that lets non-technical teams build contact, registration, survey and feedback forms in minutes. Each form gets a hosted URL on form.run and can additionally be embedded on any website via a JavaScript snippet. Submissions automatically populate a Kanban inbox where the team can assign owners, add internal tags and trigger reply emails, turning a simple form into a light CRM.
Form submissions normally include name, email, phone number, message and any custom fields the publisher added. Formrun also processes the visitor IP, User-Agent, timestamps, and aggregated analytics on form opens and completion. The embed sets fr_session, fr_csrf (strictly necessary), fr_locale (functional) and _fr_track (analytics) cookies on form.run domains.
Japan benefits from European Commission Implementing Decision (EU) 2019/419, which recognises it as ensuring an adequate level of data protection. Transfers to Tokyo therefore do not require Standard Contractual Clauses, even though the Japanese APPI applies in parallel. The submission itself can rely on Article 6(1)(b) GDPR (pre-contract or contract performance for the request the visitor sent) and the form analytics cookie (_fr_track) needs prior consent under Article 5(3) ePrivacy.
Formrun ships with auto-reply and follow-up email templates. When the publisher uses those features to send marketing messages rather than purely transactional confirmations, the ePrivacy Directive Article 13 marketing consent rules apply. Document the opt-in mechanism, unsubscribe links and frequency policy. Keep auto-replies strictly transactional unless the visitor explicitly opts in.
Place the _fr_track analytics cookie behind the CMP. Keep the strictly necessary and functional cookies always on. Mention Basic Inc. and Japan in the privacy notice and cite the EU adequacy decision. Sign the Formrun DPA. Configure short submission retention in the dashboard. Do not pre-fill sensitive default fields. Treat email automations as marketing whenever they are not strict order or contact confirmations.
Websites using Formrun must obtain user consent under GDPR regulations.
DPIA considerations
Formrun processes form submissions which often contain direct identifiers (name, email, phone) and may include free-text fields with sensitive content. Key DPIA considerations: (1) data is stored in Tokyo, an adequate country under EU Implementing Decision 2019/419, so no SCCs are required but adequacy may be reviewed periodically; (2) Formrun has built-in email automation that triggers Article 13 ePrivacy obligations when used for marketing; (3) Kanban tags and assignment fields could reveal employee processing patterns useful for GDPR Article 22 risk assessment if used to score leads; (4) the embed loads JavaScript from formrun.com which can carry analytics cookies that require consent; (5) the publisher is the controller, Basic Inc. is the processor under its DPA. A DPIA is not required for basic contact forms but becomes useful for surveys collecting opinions, health or financial data.
Sample consent text
Our contact form is powered by Formrun (Basic Inc., Tokyo, Japan). When you send the form, your name, your email, the content of your message and your IP address are sent to Formrun servers in Tokyo. Japan benefits from a European Commission adequacy decision, so the transfer is treated like a transfer inside the EU. The Formrun embed also sets analytics cookies, which are only loaded after you accept them in our cookie banner.
Third-party domains contacted
form.run, formrun.io, api.formrun.io, cdn.formrun.io
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| fr_session | Strictly necessary | Session | Identifies the current form filling session so partial answers are not lost on page reload. |
| fr_csrf | Strictly necessary | Session | Anti-CSRF token that protects the form submission against cross-site request forgery. |
| fr_locale | Functional | 6 months | Stores the visitor's language preference so the form labels display in the right locale. |
| _fr_track | Analytics | 13 months | Aggregated analytics on form opens, completion rate and drop-off step used by Formrun and the publisher for funnel optimisation. |
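To verify that _fr_track really sits behind the CMP, the Set-Cookie headers observed before and after consent can be audited against the table above. The following is an added example, not Formrun or FlowConsent code; the function names, the 31-day month and the sample headers (including the undeclared cookie fr_ab) are assumptions constructed for illustration.

```javascript
// Declared Formrun cookies, copied from the table above. maxDays null = session cookie;
// a "month" is approximated as 31 days (assumption made for this example).
const DECLARED = new Map([
  ["fr_session", { category: "strictly necessary", maxDays: null }],
  ["fr_csrf", { category: "strictly necessary", maxDays: null }],
  ["fr_locale", { category: "functional", maxDays: 6 * 31 }],
  ["_fr_track", { category: "analytics", maxDays: 13 * 31 }],
]);

// Parse one Set-Cookie value into { name, lifetimeDays }; Max-Age wins over Expires (RFC 6265).
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq0 = pair.indexOf("=");
  const name = eq0 < 0 ? pair : pair.slice(0, eq0);
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq < 0 ? attr : attr.slice(0, eq)).toLowerCase();
    const val = eq < 0 ? "" : attr.slice(eq + 1);
    if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = Number(val);
    if (key === "expires" && !Number.isNaN(Date.parse(val)))
      expires = (Date.parse(val) - now.getTime()) / 1000;
  }
  const seconds = maxAge !== null ? maxAge : expires;
  return { name, lifetimeDays: seconds === null ? null : seconds / 86400 };
}

// Return findings for headers observed while analytics consent is `consented`.
function auditCookies(headers, consented, now = new Date()) {
  const findings = [];
  for (const h of headers) {
    const { name, lifetimeDays } = parseSetCookie(h, now);
    const rule = DECLARED.get(name);
    if (!rule) { findings.push(`${name}: undeclared cookie`); continue; }
    if (rule.category === "analytics" && !consented)
      findings.push(`${name}: analytics cookie set without consent`);
    if (rule.maxDays === null && lifetimeDays !== null)
      findings.push(`${name}: declared session cookie is persistent`);
    if (rule.maxDays !== null && lifetimeDays !== null && lifetimeDays > rule.maxDays)
      findings.push(`${name}: lifetime exceeds declared duration`);
  }
  return findings;
}

// Constructed sample headers (not captured from Formrun); fr_ab is a made-up undeclared cookie.
const SAMPLE = ["fr_session=abc; Path=/; Secure; HttpOnly", "fr_locale=ja; Max-Age=31536000; Path=/",
  "_fr_track=xyz; Max-Age=2592000; Path=/", "fr_ab=1; Path=/"];
```

Run `auditCookies(SAMPLE, false)` on headers captured before the banner is answered and `auditCookies(SAMPLE, true)` on headers captured after acceptance; an empty result means the observed cookies match the declared table.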
Formrun sets fr_session and fr_csrf (strictly necessary, session), fr_locale (functional, 6 months) and _fr_track (analytics, 13 months) on its form.run and formrun.io domains.
Only for the _fr_track analytics cookie. The strictly necessary and functional cookies can be loaded without consent. The form submission itself relies on Article 6(1)(b) GDPR for the request the user sent.
Contract or pre-contract performance (Article 6(1)(b) GDPR) for the form submission, consent (Article 6(1)(a)) for the analytics cookie, legitimate interest (Article 6(1)(f)) for spam protection and basic security logs.
Yes: to Japan. Japan is an adequate country under EU Implementing Decision 2019/419, so the transfer is treated as if it were intra-EU. Standard Contractual Clauses are not required.
Not for a basic contact form. Run a DPIA if the form collects health, financial, opinion or biometric data, or if the responses feed automated decisions affecting the user.
Place _fr_track behind the CMP. Configure short retention. Sign the Formrun DPA. Display Basic Inc. and Japan in the privacy notice and reference the adequacy decision. Treat marketing follow-ups as Article 13 ePrivacy marketing that requires its own opt-in.
Yes: Tally (Belgium), Typeform (Spain), Formspree (US but EU regions), JotForm EU, or self-hosted FormBricks. For pure form-to-inbox flows without analytics, Tally is the most privacy-lean European option.
List the four Formrun cookies with domain, duration and purpose. Mention Basic Inc. as a processor based in Tokyo and reference the EU-Japan adequacy decision so users understand why no SCC is needed.