Fillout and GDPR-Compliant Forms

Fillout complies with the GDPR framework. Here’s what you need to know about keeping form data private and data processing.

This page should not be considered as legal guidance. Consult with your legal advisor to understand how GDPR impacts your business.
 
Fillout is engineered to keep your data secure and private. For our customers and users in Europe, Fillout is GDPR-ready and offers EU-based, end-user hosting and storage on the Enterprise plan.
Fillout offers EU-based hosting and storage for all end-user data (form submissions) on our Enterprise plan. Contact us to learn more and to obtain a Data Processing Agreement (DPA).
Fillout offers EU-based hosting and storage for all end-user data (form submissions) on our Enterprise plan. Contact us to learn more and to obtain a Data Processing Agreement (DPA).

What is GDPR?

The European Union’s General Data Protection Regulation, or GDPR, are data protection regulations built around the EU Charter of Fundamental Rights’ stipulation that EU citizens have the right to the protection of their personal data. In short, GDPR stipulates that you obtain consent before collecting personal data, that you give users their data and delete it if requested to do so, and that Europeans’ data is stored only inside the EU.

Who does GDPR apply to?

GDPR applies to all businesses based in the EU, as well as all businesses that receive or process data from European residents. If your company is based in the EU, or if Europeans fill out your forms, GDPR may apply to your work.

Is Fillout GDPR-compliant?

Fillout complies with the GDPR framework. Fillout is engineered to keep every user’s data private and secure and we have taken a number of measures to comply with GDPR.
Privacy requests and exports
You can export your data from Fillout at any time, including all form responses, to migrate data if needed. If you would like a copy of your account data, email privacy@fillout.com. You can also request that Fillout remove form responses, if needed. Fillout will permanently delete forms, individual form responses, or your user data from our servers and backups, if deleted in Fillout or requested from privacy@fillout.com, within 45 days.
If you are an EU resident and would like to make use of your GDPR data privacy rights, please contact Plighter, our privacy representative in the EU.
To obtain a Data Processing Agreement (DPA), contact us to learn about our EU Enterprise plan.
Security
Fillout is hosted on the Google Cloud platform, via Render.com, with Google’s industry-leading security. Fillout encrypts all data in transit between you or your form respondents and Fillout’s servers over HTTPS/TLS. Data is also encrypted at rest and replicated for durability.
Fillout can also save your form data to third-party applications—and for Enterprise plans, can save data solely to external storage applications if you choose (i.e. your data is never stored on our servers). Be sure to check the app where you’re storing form data for their GDPR policies, including Airtable, Google Sheets, Notion, SmartSuite, HubSpot, and Monday.com.
For more information about Fillout’s security and data storage policies, check our Fillout Security docs.

How to export my data from Fillout?

notion image
Every Fillout form includes a CSV spreadsheet export of your form data. Open your Fillout form, click Results, then click the Download arrow button to save a spreadsheet export of your form responses.
Anyone who has filled out a Fillout-powered form can contact the form creator and ask them to for a copy of the data they have submitted. Alternately, contact Fillout at privacy@fillout.com and we’ll assist you in contacting the form owner.

How to remove my data from Fillout?

If you’re a Fillout user, you can delete your data in several ways:
  • Delete a form: To delete a form and its responses, go to the Fillout dashboard, click the menu beside a form name, click Delete, then confirm deletion.
  • Delete an individual form response: If a user requests you remove their data, open your form, select Responses, click the checkmark beside their form response, then click the Delete row button in Fillout’s toolbar and confirm the deletion.
  • Delete your Fillout account: If you would like to close your Fillout account and delete all of your data stored at Fillout, contact Fillout at support@fillout.com or delete your account from the general settings to do so.
If you’ve filled out a Fillout-powered form and would like to remove your data, please contact the form creator and ask them to delete your data. Alternately, contact Fillout at privacy@fillout.com and we’ll assist you in contacting the form owner.

How to build a GDPR-compliant form

Fillout is designed around GDPR-compliant privacy and security, but there are a few things you need to keep in mind when building forms to ensure that your forms and business are GDPR-compliant, too.
First, always make sure your form respondents consent to the collection of their data. Include a privacy notice at the bottom of your forms, something like “by submitting this form, you agree to the terms of our privacy policy” and link to your company’s privacy policy. Better yet, include a checkbox as a required field that contains your privacy policy, so you can guarantee that every respondent consciously accepted your policy. In your privacy policy, be sure to outline how respondents can request their data or its removal.
notion image
Then, if a respondent asks that you remove their data, delete it fully from both Fillout and any other app or service where you may have synced the data. If your form signed them up for an email newsletter, unsubscribe them and delete their data. Fillout will fully delete any backup data within 45 days from when you delete it in Fillout—but it’s your responsibility to ensure the data is deleted anywhere else you may have copied, synced, or saved it.
If your business needs to store all respondent data within the EU, get in touch with Fillout’s Enterprise team to set up EU-based hosting, encryption with custom public/private keys, along with single sign-on, database integrations, and additional Enterprise-focused features.