Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Typeform is a Spanish online form and survey platform known for its conversational, one-question-at-a-time interface. It is used for lead generation forms, customer surveys, quizzes, payment forms, and registration flows. As a Spanish company with EU infrastructure, Typeform is one of the most GDPR-compliant form tools available. The form operator is the data controller for respondent data; Typeform acts as the processor. The legal basis for form data depends on the purpose of each form.
Typeform is the conversational form and survey SaaS operated by TYPEFORM S.L. since 2012, headquartered in Barcelona. It offers single question, full screen forms with conditional logic, calculators, payment collection through Stripe, and integrations with Slack, Notion, HubSpot, Salesforce, Google Sheets and over 200 other apps. Typeform is delivered through a dedicated subdomain (publisher.typeform.com) or embedded on the publisher pages as a standard iframe, a popup, a popover or a side tab.
When the publisher embeds a Typeform, the iframe loads from typeform.com and sets the following cookies on its domain: typeform_session (visitor identifier, 1 year), typeform_metric (analytics, 1 year), ajs_anonymous_id (Segment, 1 year), ajs_user_id (logged in identifier) and intercom_user.* (Intercom support, 1 year). Local storage entries store the partial answers while the user fills the form. The publisher domain itself receives no Typeform cookie because the embed runs on the typeform.com origin.
The actual submission relies on performance of contract or pre contract (GDPR art. 6(1)(b)) when the form is required to deliver a service, or consent when the form collects opinions, leads or newsletter subscriptions. The loading of the Typeform iframe writes third party cookies and transmits the visitor IP and user agent before any submission, so the embed itself requires consent under ePrivacy art. 5(3). The CJUE Fashion ID case (2019) confirms that the embedding website is joint controller for the data exchanged with the embedded iframe.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Typeform infrastructure is fully hosted on AWS Ireland and Frankfurt, which means form responses stay in the European Economic Area in the default configuration. TYPEFORM S.L. is established in Barcelona and supervised by the Spanish AEPD. The Typeform DPA lists US based sub processors (Stripe, Segment, Datadog, Intercom) that receive operational metadata under the EU US Data Privacy Framework and EU Standard Contractual Clauses; respondent answers are not shared with them in standard configuration.
Gate the Typeform embed behind the productivity or marketing category of your CMP. Configure the form to ask only for the data strictly necessary (GDPR art. 5(1)(c) data minimisation) and disable the optional metadata capture. Sign the Typeform DPA included by reference in the Master Services Agreement. Document Typeform and its sub processors in your records of processing (GDPR art. 30) and in the privacy notice. Set a clear retention period in the Typeform workspace settings (90 days, 180 days, etc.) instead of keeping responses indefinitely.
Direct competitors include Jotform (US with EU hosting), Tally (Belgium, GDPR designed), Formaloo (US with EU residency), Paperform (Australia), Google Forms (Google Workspace EU region), Microsoft Forms (Microsoft 365 EU Data Boundary), HubSpot Forms (US, EU residency add on), and the open source self hostable Formbricks, OhMyForm and LimeSurvey (Germany).
Websites using Typeform must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Typeform collects special category data (health, opinions, minors) or processes large volumes. Document the data flow and the US sub processing.
Sample consent text
We use Typeform, a form and survey platform operated by TYPEFORM S.L. in Barcelona, to collect your answers. All response data is hosted in the European Union (AWS Ireland and Frankfurt) and never leaves the European Economic Area in the default configuration. The Typeform embed sets the cookies typeform_session and typeform_metric on the typeform.com domain after you load the form. We load the embed only after you accept the productivity or marketing category in our cookie preferences.
Third-party domains contacted
typeform.comtypeform.comembed.typeform.comform.typeform.comapi.typeform.comembed.typeform.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __tfp | persistent | 1 year | Typeform visitor tracking cookie for form analytics and respondent identification |
| TYPEFORM_PARTIAL | Third party (typeform.com) | 6 months | Stores partial responses so the user can resume the form later. |
| mp_* | Third party (typeform.com) | 12 months | Internal Mixpanel identifier used by Typeform for product analytics. |
| _tf_uid | Third party (typeform.com) | 12 months | Anonymous Typeform respondent identifier. |
| _tf_session | Third party (typeform.com) | Session | Session cookie used while completing the form. |
Typeform uses cookies for user preferences — inform visitors with a consent banner.
Yes. Typeform is a Spanish company with EU infrastructure and provides a GDPR-compliant DPA. As the form operator, you are the data controller for respondent data and must ensure your use of Typeform complies with GDPR requirements for each specific form.
It depends on the form purpose. Lead generation: consent. Customer feedback: legitimate interest (with opt-out). Order or booking forms: contract performance. HR recruitment forms: contract performance (pre-contractual). Health surveys: explicit consent (Art. 9(2)(a)).
No for standard deployments. Typeform processes all data within the EU. This makes it preferable to US-based alternatives like SurveyMonkey, Google Forms, and Microsoft Forms for organisations requiring EU-only processing.
Yes. You are the data controller for form respondent data; Typeform is the processor. Sign the Typeform Data Processing Agreement (available from Typeform's privacy settings) before using Typeform for EU personal data collection.
Use Typeform's Legal block or Opinion Scale with custom text to add a consent question. For strict GDPR consent, use a Yes/No or multiple choice question with the consent statement as the question text, and make it required with the "yes" option as the only valid submission path.
Define retention based on form purpose. Lead responses: typically until lead conversion or 2 years. Survey responses: until analysis is complete, then anonymise or delete. The retention period must be disclosed in your privacy notice linked to the form.
In Typeform admin, search for the respondent's response (by email if captured), delete the specific response entry. For bulk deletions, use the Typeform Responses API delete endpoint. Document all deletions and confirm to the data subject within 30 days.
Yes, with appropriate safeguards. For health or financial data, use explicit consent, implement HTTPS, configure Typeform response access to restricted team members only, set short retention periods, and consider enabling Typeform's data encryption options for response storage.
Typeform sets TYPEFORM_PARTIAL (resume partial responses, 6 months), mp_* (internal Mixpanel analytics, 12 months), _tf_uid (respondent identifier, 12 months) and _tf_session (session). All are third party cookies on typeform.com.
Yes. The embed sets non essential cookies and loads scripts from typeform.com. Prior consent is required under Art. 5(3) ePrivacy Directive (and Art. 22 LSSI in Spain, § 25 TDDDG in Germany).
Consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy) for the embed cookies and scripts. Contract performance (Art. 6(1)(b)) for the answers submitted by the respondent.
Typeform runs on AWS Ireland for European customers but uses some sub processors in the United States. Transfers rely on EU SCCs and the EU US Data Privacy Framework certification of AWS.
A DPIA is recommended for surveys collecting special category data (health, opinions, minors) or large scale processing. Document the data flow and the US sub processing.
Sign the DPA, list Typeform in your Article 30 record, block the embed behind your CMP, minimise the data fields collected, set retention in the Typeform workspace, and document the US sub processing.
EU alternatives: Tally (Belgium, free), Formbricks (Germany, open source), Crispino (UK), LimeSurvey (Germany), Forms (Sogolytics, US), Jotform (US), SurveyMonkey/Momentive (US). For Google Workspace users: Google Forms.
List each Typeform cookie with name, purpose, retention and legal basis (consent). Mention typeform.com as the third party domain and the link to Typeform's privacy policy.