GDPR Compliance
Formtorch stores personal data submitted through your forms (names, email addresses, IP addresses, and any other fields your form collects). This guide covers your responsibilities as a data controller and how Formtorch helps you meet GDPR obligations.
Formtorch is the data processor; you are the data controller. You are responsible for your forms’ privacy policy, consent, and responding to data subject requests.
Right to erasure (Article 17)
When a user requests deletion of their data:
- In the dashboard , open the form they submitted
- Search for their submissions by email address or name using the submission search
- Delete each matching submission individually or select and bulk-delete
- Deletion is immediate and permanent — the data cannot be recovered
Formtorch stores no personal data outside of submission records. Deleting the submission removes all associated field data, IP address, user agent, and file attachments.
Data minimization
Only collect the fields your use case requires. If your form asks for a phone number “just in case,” that’s personal data you’re responsible for. Remove fields you don’t need.
Notification recipients and unsubscribe
Notification recipients (form owners who receive submission emails) can unsubscribe via the link in any notification email. If a recipient asks to be removed:
- Go to Form Settings → Notifications
- Find the address and click Remove
This stops future notifications. It does not delete past submissions — those must be deleted separately if requested.
Autoresponder unsubscribe (coming soon)
When autoresponder emails ship, every autoresponder will include a one-click unsubscribe link. Submitters who use it are permanently opted out and will not receive future autoresponder emails.
Data storage
- Submission data: Neon Postgres database (US region)
- File attachments: Follow the same storage region
- No personal data is stored in third-party analytics or ad networks
If you have specific data residency requirements (e.g. EU-only storage), contact support.
Privacy policy
Add a mention of Formtorch to your site’s privacy policy as a third-party data processor. Your policy should describe:
- What data your form collects
- How long you retain it
- That submissions are processed by Formtorch
- How users can request deletion
Consent
If your form collects data from EU residents, you may need an explicit consent checkbox depending on how you use the data. Formtorch does not manage consent — add a consent field to your form if required.
<label>
<input type="checkbox" name="consent" required />
I agree to the <a href="/privacy">privacy policy</a>
</label>Learn more
- Data Retention & Deletion — retention periods by plan, deletion mechanics
- Email Notifications — how to remove notification recipients
- Recipient Verification — per-form verified recipient management