GDPR & Data Erasure

GDPR controls in BizForms — lawful basis, data subject rights, erasure requests, and the DPA.

BizForms provides tools to help you meet your GDPR obligations as a data controller collecting responses through your forms.

Legal note: You are the data controller for form responses. BizForms acts as your data processor. GDPR compliance is your responsibility. This page describes the tools available to you.

Your role as data controller

When you use BizForms to collect data from EU/EEA respondents, you must:

  • Have a lawful basis for processing (consent, legitimate interest, contract, etc.)
  • Inform respondents of how their data will be used (privacy notice / fair processing notice)
  • Respond to data subject rights requests within the required timeframes
  • Have a Data Processing Agreement (DPA) in place with BizForms (Business plan)

Use a Consent field to obtain explicit consent from respondents before submission. The field displays a checkbox with linked legal text. Making the field required ensures the form cannot be submitted without consent.

Configure the consent text and link to your privacy policy in the field settings.

Data Erasure (Right to be Forgotten)

When a respondent exercises their right to erasure, you need to delete their data from your systems. In BizForms:

  1. Go to Settings → Erasure
  2. Enter the respondent's email address or response ID
  3. BizForms identifies all matching responses across all forms in your workspace
  4. Review the list and click Erase

The erasure permanently deletes:

  • All field values for the matched responses
  • Uploaded files linked to those responses
  • The response record itself

An erasure event is logged in the Audit Log with a timestamp and the performing user.

Data Processing Agreement (DPA)

A DPA is required under GDPR when engaging a data processor. BizForms' DPA is available on the Business plan.

Go to Settings → Compliance → DPA to:

  • Download the DPA template
  • Record your DPA acceptance date
  • Access the list of sub-processors used by BizForms

Data residency

BizForms currently stores data in the US (Supabase default region). EU data residency is on the roadmap. If EU data residency is a hard requirement, contact us at privacy@bizforms.io to discuss options.

Retention periods

Configure automatic data deletion in Settings → Compliance → Data Retention. Set a workspace-wide retention period (e.g., 2 years) and BizForms will automatically purge responses older than that window.

GDPR checklist

  • Lawful basis identified for each form
  • Privacy notice linked or displayed on form pages
  • Consent field used where consent is the lawful basis
  • DPA in place with BizForms (Business plan)
  • Erasure process documented internally
  • Data retention period configured
