GDPR

Formspring is GDPR-compliant. We process personal data on your behalf as a processor; you remain the controller for the data your forms collect.

DPA

We have a Data Processing Agreement (DPA) ready to sign. It covers:

• Categories of data processed (form payloads, file uploads, technical metadata)
• Sub-processors (see sub-processors)
• Standard Contractual Clauses (SCCs) for any data leaving the EEA
• Breach notification obligations (we notify you within 72 hours of becoming aware)
• Audit rights and termination terms

To get a copy:

• Pro and Team customers — download the pre-signed DPA at Settings → Compliance. Counter-sign at your end and you're done.
• Scale customers — we can negotiate redlines on the DPA as part of your master agreement.

The pre-signed DPA is the same document for everyone, so you don't need to wait for a custom version unless you're on Scale.

Lawful basis

You — as the controller — pick the lawful basis for processing the personal data your forms collect (Art. 6 GDPR). The most common bases for form data are:

• Consent — for marketing-style forms ("subscribe to our newsletter")
• Contract — when the form is part of fulfilling a service ("contact us about a quote")
• Legitimate interest — for general contact forms

We don't pick the basis for you, and we don't need to: as a processor we just process under your instructions. But if your privacy policy doesn't state a basis, you should fix that before pointing more traffic at the form.

Data subject access requests (DSARs)

When a data subject (someone who submitted a form) asks you for a copy of their data or asks you to delete it, you handle the request directly using the dashboard.

Right of access (Art. 15)

To produce a copy of someone's data:

1. Open the relevant form's Submissions tab.
2. Search by email or other identifying field.
3. Click each matching submission → Export to JSON or Export to PDF.

The export includes the full payload, files (signed URLs valid 24 hours), AI moderation score, category, and timestamps. Hand that to the requester. We don't gatekeep DSARs — they're a controller obligation and the data is yours.

If the requester's data is spread across multiple forms, do this once per form. The REST API also exposes a search endpoint if you want to script it.

Right to rectification (Art. 16)

Open the submission, click Edit payload, fix the data, save. We log the edit (audit trail on Team+ plans) but don't keep the prior value once it's overwritten.

Right to erasure (Art. 17)

Two paths:

• One submission. Open the submission, click Delete. Hard-delete is immediate from the primary database; backups age out within 35 days.
• Bulk delete. Search for matching submissions, select them, Bulk actions → Delete. Up to 500 at a time.

Both paths permanently delete the submission and any attached files from object storage. There's no soft-delete trash for submissions deleted under right-to-erasure — the request is honoured immediately. See data retention for normal retention vs. erasure timelines.

Right to data portability (Art. 20)

Same flow as right of access — JSON export. The format is portable enough to import elsewhere; it's a flat object with stable field keys.

Right to object (Art. 21)

If a data subject objects to processing, the practical move is to delete their submission(s). There's no "objection without erasure" mode — we don't reprocess inbox data unless you trigger it (re-running spam classification, regenerating AI insights), and once it's deleted, it's not in any input set.

Data exports on cancellation

If you cancel your subscription, your data is retained according to your last active plan (see cancellation and data retention). Use the bulk export tools during the retention window to pull everything.

For a full team-wide export covering every form and every submission, the REST endpoint GET /api/v1/team/export streams a single archive. It's gated behind submissions:export and may take several minutes for large teams.

Where data lives

The application database and file storage are EU-hosted by default. Scale customers can request US residency. See regional hosting for the geography.

Notifying us of incidents

If you suspect a breach involving Formspring (e.g. you found unauthorized API token use), email info@pixelandprocess.de. We treat that as priority-one and respond within 4 hours during business hours, 24 hours otherwise.

What's next

• Sub-processors → — every third party we use
• Regional hosting → — EU vs. US residency
• Data retention → — how long we keep things
• Encryption → — what's encrypted and where