GDPR Compliance

How BttrForm handles data protection -- DPA, data export, deletion requests, and compliance controls.

The General Data Protection Regulation (GDPR) sets the standard for data protection across the European Union, and BttrForm is committed to meeting its requirements fully. Whether you collect data from EU residents through surveys, contact forms, or application forms, this guide explains how BttrForm helps you stay compliant.

Our GDPR Commitments

BttrForm operates as a data processor when handling form responses on your behalf. You, as the form creator, are the data controller who determines what data is collected and how it is used. Our commitments include:

  • Lawful processing -- We only process personal data as instructed by you, the data controller.
  • Data minimization -- We do not collect or retain data beyond what is necessary to provide our service.
  • Transparency -- We clearly document what data we collect, where it is stored, and how it is processed.
  • Security by design -- Encryption, RLS, and access controls are built into our infrastructure from the ground up (see our Data Encryption article for details).

Scope

GDPR applies when you collect personal data from individuals in the European Economic Area (EEA), regardless of where your organization is based. If any of your form respondents could be EU residents, GDPR compliance is relevant to you.

Data Processing Agreement (DPA)

A Data Processing Agreement is a legally binding contract between you (the data controller) and BttrForm (the data processor). GDPR Article 28 requires this agreement to be in place before any personal data is processed.

What Our DPA Covers

  • Subject matter and duration -- Covers all personal data processed through BttrForm for the duration of your subscription.
  • Sub-processors -- Lists all third-party sub-processors that may handle your data.
  • Data breach notification -- We commit to notifying you within 72 hours of discovering a breach.

How to Sign the DPA

  1. Navigate to Settings > Legal > Data Processing Agreement.
  2. Review the DPA document.
  3. Click Sign DPA to execute the agreement electronically.
  4. A signed copy is emailed to your account email and available for download at any time.

DPA Status:     Signed
Signed by:      jane@company.com
Date:           2026-02-01
Version:        2.1
Download:       [PDF] [HTML]

Pro Tip

If your organization requires a custom DPA or has specific contractual requirements, contact our legal team at privacy@bttrlabs.com. Enterprise customers can negotiate custom data processing terms.

Data Subject Rights

GDPR grants individuals (data subjects) specific rights over their personal data. BttrForm provides tools to help you fulfill these rights efficiently.

Right of Access (Article 15)

Data subjects can request a copy of all personal data you hold about them. BttrForm makes this easy:

  1. Go to Responses for the relevant form.
  2. Use the Search function to find responses by email or name.
  3. Click Export to download the matching responses in CSV or JSON format.

# API: Search responses by email
curl "https://api.bttrlabs.com/v1/forms/{form_id}/responses?search=jane@example.com" \
  -H "Authorization: Bearer YOUR_API_KEY"

Right to Data Portability (Article 20)

Data subjects can request their data in a structured, machine-readable format. BttrForm supports export in JSON, CSV, and PDF formats.

Right to Erasure (Article 17)

Also known as the "right to be forgotten," this allows data subjects to request deletion of their personal data.

Deleting Individual Responses

  1. Go to Responses for the relevant form.
  2. Search for the data subject's responses.
  3. Select the responses to delete.
  4. Click Delete and confirm.

Bulk Deletion via API

# Delete all responses matching an email address across all forms
curl -X DELETE "https://api.bttrlabs.com/v1/workspaces/{workspace_id}/responses?email=jane@example.com" \
  -H "Authorization: Bearer YOUR_API_KEY"

Permanent Deletion

When you delete responses to fulfill an erasure request, the data is permanently removed from our active databases within 24 hours and from all backups within 30 days. This action cannot be undone.
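
The search and bulk-delete calls above put the e-mail address straight into the query string, where characters that are legal in an address change meaning: & starts a new parameter, # starts a fragment, and + is commonly decoded as a space, so an erasure request can silently match the wrong responses or none. The following is an added example, not BttrForm's own code; it percent-encodes the address before building either URL, and the function names, DRY_RUN and BTTRFORM_API_KEY are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not BttrForm code. The base URL and the two paths are the
# ones shown on this page; function names, DRY_RUN and BTTRFORM_API_KEY are
# assumptions made for this sketch.
LC_ALL=C
API_BASE="https://api.bttrlabs.com/v1"

# Percent-encode every byte outside the RFC 3986 unreserved set (ASCII input).
urlencode() {
  s=$1 out=
  while [ -n "$s" ]; do
    rest=${s#?}
    c=${s%"$rest"}
    case $c in
      [a-zA-Z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
    s=$rest
  done
  printf '%s' "$out"
}

# $1 = form id, $2 = e-mail: URL for the access/export search.
search_url() {
  printf '%s/forms/%s/responses?search=%s' "$API_BASE" "$1" "$(urlencode "$2")"
}

# $1 = workspace id, $2 = e-mail: URL for the bulk erasure call.
erase_url() {
  printf '%s/workspaces/%s/responses?email=%s' "$API_BASE" "$1" "$(urlencode "$2")"
}

# Erase one data subject. Deletion cannot be undone, so the default is a dry
# run that only prints the request; set DRY_RUN=0 to send it.
erase_subject() {
  url=$(erase_url "$1" "$2")
  if [ "${DRY_RUN:-1}" != 0 ]; then
    printf 'DELETE %s\n' "$url"
    return 0
  fi
  # --fail: non-zero exit on HTTP 4xx/5xx, so a rejected request is not
  # mistaken for a completed erasure.
  curl --fail --silent --show-error -X DELETE "$url" \
    -H "Authorization: Bearer ${BTTRFORM_API_KEY:?set BTTRFORM_API_KEY}"
}
```

Run the search URL first and export the matches, then review the dry-run output of erase_subject before sending the request with DRY_RUN=0.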

Right to Rectification (Article 16)

Data subjects can request corrections to inaccurate data. In BttrForm, you can edit individual response fields directly from the response detail view.

GDPR requires a lawful basis for processing personal data, and consent is one of the most common bases for form data collection. BttrForm provides built-in tools for managing consent.

Add a consent checkbox to any form using the Consent field type. This field:

  • Requires the respondent to actively opt in (no pre-checked boxes)
  • Records the timestamp of consent alongside the response
  • Stores the exact consent text shown to the respondent
  • Cannot be bypassed -- the form cannot be submitted without checking the box

Field Type:    Consent
Label:         "I agree to the processing of my personal data as described in the Privacy Policy"
Required:      Yes
Timestamp:     Recorded automatically

Legitimate Interest

If you process form data under legitimate interest rather than consent, you do not need a consent checkbox. However, you should still include a privacy notice field that links to your privacy policy.

Data Retention Policies

BttrForm gives you control over how long response data is retained.

Automatic Retention Rules

Configure retention rules at the form or workspace level:

  1. Go to Form Settings > Data Retention.
  2. Set the retention period (30 days, 90 days, 1 year, or custom).
  3. Choose the action: Delete or Anonymize after the retention period.

Form:       Customer Feedback Q1
Retention:  90 days
Action:     Anonymize (remove PII, keep aggregate data)
Schedule:   Runs daily at 2 AM UTC

Pro Tip

Set up retention policies when you create the form, not after the fact. This ensures compliance from the first response and avoids accumulating data you are obligated to delete later.

Sub-Processors

BttrForm uses the following sub-processors to deliver our service. This list is maintained and updated as required by our DPA:

Sub-Processor   Purpose                        Location
Supabase        Database and authentication    US / EU
Vercel          Application hosting            Global CDN
AWS             File storage and backups       EU (Frankfurt)
Resend          Transactional email            US
Razorpay        Payment processing             India

EU Data Residency

For Business and Enterprise plans, you can request EU-only data residency, ensuring that all primary data storage and processing occurs within the European Union. Contact support to enable this option.

Your Compliance Checklist

  • Sign the DPA in Settings > Legal
  • Add consent checkboxes to forms collecting personal data
  • Link your privacy policy in form headers or footers
  • Configure data retention policies for each form
  • Establish a process for handling data subject requests
  • Review the sub-processor list and ensure it meets your requirements
