GDPR Compliance

FavForm is designed to help you meet your obligations under the General Data Protection Regulation (GDPR).

Our Role

When you use FavForm to collect data from your users, you are the Data Controller and we are the Data Processor. We process personal data only on your instructions and in accordance with our Data Processing Agreement.

How FavForm Helps

Lawful Basis & Consent

Every form captures explicit consent with timestamp, IP address, and the exact text the user agreed to. This creates an auditable consent record.

Data Subject Rights

Export individual records to respond to access requests. Delete specific submissions to honor erasure requests. All actions are logged.

Data Minimization

Only collect what you need. Our templates are designed with privacy by default, asking only for necessary information.

Storage Limitation

Set retention periods for each form. Data is automatically flagged or deleted when the retention period expires.

Security

Data is encrypted in transit (TLS) and at rest (AES-256). Access controls, audit logs, and regular security assessments protect your data.

Accountability

Complete audit trails show who accessed what data and when. Export logs for compliance documentation.

Data Processing Agreement

We offer a Data Processing Agreement (DPA) that meets GDPR requirements. The DPA covers our obligations as a processor, including security measures, sub-processor management, and breach notification procedures.

Pro and Enterprise customers can request a signed DPA by contacting privacy@favform.com.

Data Location

By default, data is stored in the EU (Frankfurt). Enterprise customers can choose their preferred data region to meet data residency requirements.

Sub-processors

We use a limited number of sub-processors to provide our service. A current list is available upon request. We notify customers before adding new sub-processors.

Your Responsibilities

While FavForm provides the tools, you remain responsible for:

  • Determining your lawful basis for processing
  • Providing appropriate privacy notices to your users
  • Responding to data subject requests
  • Configuring appropriate retention periods
  • Ensuring your forms collect only necessary data

Questions about GDPR compliance?

Contact us