Fillout offers EU-based hosting and storage for all respondent data (form submissions) on our Team plan and above. Contact support to switch to EU hosting after upgrading.
What is GDPR?
The European Union’s General Data Protection Regulation, or GDPR, are data protection regulations built around the EU Charter of Fundamental Rights’ stipulation that EU citizens have the right to the protection of their personal data. In short, GDPR stipulates that you obtain consent before collecting personal data, that you give users their data and delete it if requested to do so, and that Europeans’ data is stored only inside the EU.Who does GDPR apply to?
GDPR applies to all businesses based in the EU, as well as all businesses that receive or process data from European residents. If your company is based in the EU, or if Europeans fill out your forms, GDPR may apply to your work.Is Fillout GDPR-compliant?
Fillout complies with the GDPR framework. Fillout is engineered to keep every user’s data private and secure and we have taken a number of measures to comply with GDPR.
Privacy requests and exports
You can export your data from Fillout at any time, including all form responses, to migrate data if needed. If you would like a copy of your account data, email privacy@fillout.com. You can also request that Fillout remove form responses, if needed. Fillout will permanently delete forms, individual form responses, or your user data from our servers and backups, if deleted in Fillout or requested from privacy@fillout.com, within 45 days.
If you are an EU resident and would like to make use of your GDPR data privacy rights, please contact Plighter, our privacy representative in the EU.
Security
Fillout is hosted on the Google Cloud platform, via Render.com, with Google’s industry-leading security. Fillout encrypts all data in transit between you or your form respondents and Fillout’s servers over HTTPS/TLS. Data is also encrypted at rest and replicated for durability.
Fillout can also save your form data to third-party applications—and for Enterprise plans, can save data solely to external storage applications if you choose (i.e. your data is never stored on our servers). Be sure to check the app where you’re storing form data for their GDPR policies, including Airtable, Google Sheets, Notion, SmartSuite, HubSpot, and Monday.com.
For more information about Fillout’s security and data storage policies, check our Fillout Security docs.
How to export my data from Fillout
Every Fillout form includes a CSV spreadsheet that you can export. ClickResults on the top menu bar followed by to download the CSV.
How to remove my data from Fillout
If you’re a Fillout user, you can delete your data in several ways:- Delete a form - look for your form in the dashboard and click **⋯ **to
Move to trash. This also deletes responses collected. - Delete an individual form response - in the
Resultspage of your form, click the cell containing their response followed byDelete row. - Delete your Fillout account - in your
Account settings, scroll down toDelete account.
How to build a GDPR-compliant form
Fillout is designed around GDPR-compliant privacy and security, but there are a few things you need to keep in mind when building forms to ensure that your forms and business are GDPR-compliant, too. First, always make sure your form respondents consent to the collection of their data. Include a privacy notice at the bottom of your forms, something like “by submitting this form, you agree to the terms of our privacy policy” and link to your company’s privacy policy. Better yet, include a checkbox as a required field that contains your privacy policy, so you can guarantee that every respondent consciously accepted your policy. In your privacy policy, be sure to outline how respondents can request their data or its removal.