Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Typeform is a Spanish online form and survey platform known for its conversational, one-question-at-a-time interface. It is used for lead generation forms, customer surveys, quizzes, payment forms, and registration flows. As a Spanish company with EU infrastructure, Typeform is one of the most GDPR-compliant form tools available. The form operator is the data controller for respondent data; Typeform acts as the processor. The legal basis for form data depends on the purpose of each form.
Typeform is a Barcelona-based online form and survey platform known for its distinctive one-question-at-a-time conversational interface. It supports surveys, quizzes, lead generation forms, contact forms, product feedback forms, registration workflows, NPS surveys, and payment forms. Typeform''s design philosophy prioritises respondent engagement, leading to significantly higher completion rates than traditional multi-question forms.
Typeform acts as a data processor for the personal data collected through forms. The organisation creating and deploying the form is the data controller. This means GDPR obligations for form respondent data — legal basis, transparency, retention limits, data subject rights — fall primarily on the form operator, not Typeform. A DPA between the form operator and Typeform is required under GDPR Article 28.
The correct legal basis for Typeform responses depends on what the form is for. Lead generation forms collecting contact details for marketing require consent. Customer feedback surveys may rely on legitimate interest. Registration and booking forms use contract performance. Forms collecting special category data (health, political views) require explicit consent under Article 9(2). The form designer must determine and document the appropriate basis for each form.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Typeform processes all data within the EU as a Spanish company. No SCCs are needed for standard form deployments. This makes Typeform preferable to US-based alternatives like SurveyMonkey and Google Forms (which transfer data to the US) for European organisations with strict transfer requirements.
Sign the Typeform DPA. Determine the correct legal basis for each form. Add a privacy notice to each form explaining what data is collected and why. For consent-based forms, include an explicit consent checkbox. Configure form response data retention in Typeform. Implement a process for respondent data deletion requests. Add Typeform to your privacy policy as a processor.
Websites using Typeform must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for standard form and survey use cases. It may become relevant for large-scale processing of sensitive personal data via Typeform forms, such as health surveys, financial questionnaires, or forms that systematically profile individuals.
Sample consent text
This form is powered by Typeform, an EU-based form platform. Information you submit is processed in accordance with our privacy policy. By completing this form, you confirm you have read and understood how your data will be used.
Third-party domains contacted
typeform.comembed.typeform.comapi.typeform.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __tfp | persistent | 1 year | Typeform visitor tracking cookie for form analytics and respondent identification |
Typeform uses cookies for user preferences — inform visitors with a consent banner.
Yes. Typeform is a Spanish company with EU infrastructure and provides a GDPR-compliant DPA. As the form operator, you are the data controller for respondent data and must ensure your use of Typeform complies with GDPR requirements for each specific form.
It depends on the form purpose. Lead generation: consent. Customer feedback: legitimate interest (with opt-out). Order or booking forms: contract performance. HR recruitment forms: contract performance (pre-contractual). Health surveys: explicit consent (Art. 9(2)(a)).
No for standard deployments. Typeform processes all data within the EU. This makes it preferable to US-based alternatives like SurveyMonkey, Google Forms, and Microsoft Forms for organisations requiring EU-only processing.
Yes. You are the data controller for form respondent data; Typeform is the processor. Sign the Typeform Data Processing Agreement (available from Typeform's privacy settings) before using Typeform for EU personal data collection.
Use Typeform's Legal block or Opinion Scale with custom text to add a consent question. For strict GDPR consent, use a Yes/No or multiple choice question with the consent statement as the question text, and make it required with the "yes" option as the only valid submission path.
Define retention based on form purpose. Lead responses: typically until lead conversion or 2 years. Survey responses: until analysis is complete, then anonymise or delete. The retention period must be disclosed in your privacy notice linked to the form.
In Typeform admin, search for the respondent's response (by email if captured), delete the specific response entry. For bulk deletions, use the Typeform Responses API delete endpoint. Document all deletions and confirm to the data subject within 30 days.
Yes, with appropriate safeguards. For health or financial data, use explicit consent, implement HTTPS, configure Typeform response access to restricted team members only, set short retention periods, and consider enabling Typeform's data encryption options for response storage.