Jotform and Data Protection – What Belongs in the Privacy Policy

Compact guide to Jotform: processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

If a website operator uses Jotform, it typically processes the visitor's IP address, browser and device information, cookies as well as the answers entered into the form for the purpose of providing the embedded form, on the basis of a third-party content consent or a legitimate interest (Art. 6(1)(a) or (f) GDPR). This page explains which data Jotform processes according to publicly available provider information and what website operators need to include in their privacy policy.

A. Purpose and Function of Jotform

Jotform is an online form builder offered by Jotform Inc. (USA) for creating forms, surveys, registrations, applications and payment forms. The provider hosts the forms on its own servers and offers a wide range of templates and workflow integrations.

For website operators, the most relevant feature is the integration of the form into their own website. Jotform offers several embed options: a JavaScript embed (loads the form dynamically into an auto-resizing iFrame), a classic iFrame embed, a lightbox/modal popup variant, a feedback tab (floating button that opens a modal), popup links and source-code embeds. In addition, there is a WordPress plugin and unofficial React/Angular packages.

Furthermore, Jotform allows a purely linked, standalone URL of a form (form.jotform.com/...); this is not an embed in the strict sense but a redirection. This page focuses on the practically more common embed in the operator's own website.

B. Mandatory Disclosures in the Privacy Policy when Using Jotform

In addition to general information about the controller, the rights of data subjects and the supervisory authority, the GDPR requires the following specific disclosures regarding the use of tools in a privacy policy:

  • the purposes of the processing (Art. 13(1)(c) GDPR),
  • the legal bases of the processing (Art. 13(1)(c) GDPR),
  • where processing is based on a balancing of interests, additionally the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
  • the recipients or categories of recipients (Art. 13(1)(e) GDPR),
  • whether the data is transferred to an unsafe third country outside the EU/EEA and on what basis (Art. 13(1)(f) GDPR),
  • the storage period or the criteria used to determine it (Art. 13(2)(a) GDPR),
  • and – if data is not collected directly from the data subject – additionally the categories of personal data processed (Art. 14(1)(d) GDPR).

The following sections classify these mandatory disclosures for the use of Jotform.

In practice, it has become common to add a separate text template for each individual tool – including Jotform – to the privacy policy. This approach is, in our view, not mandatory and regularly leads to long, repetitive and hard-to-maintain privacy policies. This contradicts the transparency requirement of Art. 12(1) GDPR, which calls for a "concise, transparent, intelligible and easily accessible form". A more appropriate approach is a topic-oriented structure: processing operations are described across topic blocks (server operation, third-party content, newsletter, tracking, sales …); the specifically used providers such as Jotform are then listed in an annex of recipients.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Jotform

According to publicly available provider information, the contractual partner for German website operators is:

Group structure: According to publicly available information, Jotform operates further group companies in the United Kingdom (Jotform Ltd, London), Australia (Jotform Pty Ltd) and Canada (Jotform Canada Inc.); a dedicated EU company as a contractual partner is not visible in the verified sources. The contractual partner for German website operators is therefore regularly the US-based Jotform Inc.

DPF status: Jotform Inc. is listed in the DPF database under Participant ID 6788. The current certification status for the EU-U.S. Data Privacy Framework, the UK Extension and the Swiss-U.S. DPF is to be verified by the website operator at https://www.dataprivacyframework.gov/s/participant-search, as public sources on the status were not unambiguous.

D. Data Processing with Jotform – Step by Step

Collection – When a website with an embedded Jotform form is loaded, the visitor's browser fetches content from the Jotform domain (form.jotform.com, cdn.jotfor.ms). In this process, connection data is transferred to the Jotform servers (IP address, user agent, referrer); cookies are set. As soon as the visitor fills out the form, the entered answers are collected. With active reCAPTCHA, additional data is transferred to Google.
Storage – Response data is stored on the provider's or its sub-processors' servers. The standard hosting region is the USA. Via the account setting "GDPR Datacenter", the website operator can activate EU hosting in Frankfurt (Google Cloud); according to provider information, an hourly backup replica is held on AWS.
Use – Jotform makes the form function available, generates analyses and statistics for the website operator and forwards responses to configured integrations (CRM, email, cloud storage etc.).
Disclosure – Sub-processors (in particular AWS and Google Cloud for hosting) receive data. The provider publishes the current sub-processor list at https://www.jotform.com/subprocessors/. With standard hosting, third-country transfers to the USA take place.
Deletion – Website operators can delete responses individually or in bulk in the Jotform account; in addition, IP collection can be deactivated per form. Deletion and retention periods can be controlled via account settings; after contract end, the standard deletion periods regulated in the DPA apply.

E. Data Collected by Jotform

When a Jotform form is embedded, the provider, according to publicly available information, processes in particular the following data categories: technical connection data (IP address, user agent, timestamp, referrer), browser and device information, performance data of the embed component as well as all content the visitor enters in the form – depending on configuration, this includes name, email address, phone number, free text, selections or uploaded files. With active reCAPTCHA, additional data is processed by Google.

According to provider information, the IP address is by default attached to the submission, but can be deactivated per form.

This data can be classified into the following standardised data categories:

  • Web server log data: in particular IP address, date, time, URL of the requested content (embed endpoint), referrer URL of the embedding page, status code, transferred data volume.
  • Device data: device type, operating system, screen size and resolution.
  • Browser information: browser name and version.
  • Coarse location data: location at city/municipality level derived from the IP address.
  • User content: all content entered into the form by the visitor – answers, selections, uploaded files.
  • Click paths and interaction data: clicks within multi-page forms, input behaviour.
  • Conversion events: the submission of a form as a success event defined for the website operator.
  • Technical telemetry data: performance and error data of the embed component.

F. Purposes of Use for the Website Operator When Using Jotform

The website operator regularly uses Jotform to provide online forms, e.g. for lead capture, applications, orders, payment forms, bookings or feedback forms. In addition, the data collected is used to evaluate the answers, process the requests and, where applicable, optimise the form itself.

These purposes can be classified into the following standardised categories of purposes of use:

  • Function provision: delivery and operability of the embedded Jotform form (display, input validation, submission logic), error detection and prevention.
  • Contract performance: use of the form data for contract initiation or execution, where the form aims at concluding a contract (e.g. order, booking, payment).
  • Security and abuse prevention: spam and bot protection, in particular when reCAPTCHA, hCaptcha or JotCAPTCHA are activated.
  • Communication: use of the contact details entered in the form to respond to the user's request or for further correspondence.
  • General product improvement: evaluation of aggregated answer and abandonment data to optimise forms and processes.

G. Legal Bases for the Use of Jotform

Jotform falls into the tool category of third-party content (an embedded form from an external provider). Since the embed inevitably transfers connection data to Jotform servers when the page is loaded and sets cookies, the tool is also relevant under data protection law in the sense of Sec. 25(1) TDDDG.

The following legal bases come into consideration for the use of Jotform:

  • Consent (Art. 6(1)(a) GDPR in conjunction with Sec. 25(1) TDDDG) as a third-party content consent: Since the embed transfers connection data to a US provider when the page is loaded and cookies are set, obtaining consent via a consent banner is regularly the more legally robust option. Where tracking/marketing integrations are activated, consent is practically mandatory.
  • Contract performance (Art. 6(1)(b) GDPR): where the form serves the conclusion or initiation of a specific contract between the website operator and the user (e.g. order form, application, booking).
  • Legitimate interests (Art. 6(1)(f) GDPR): with the specific interests pursued being function provision, efficiency, security and abuse prevention. This basis comes into consideration for purely functional embeds; since a third-country transfer to the USA takes place unless the EU region is activated, a case-by-case balancing is appropriate.

The applicable legal basis depends on the specific use case and configuration and is to be assessed by the website operator on a case-by-case basis.

H. Special Features and Notes Regarding Jotform

  • DPA: Jotform provides a pre-signed data processing agreement with EU and UK Standard Contractual Clauses at https://www.jotform.com/dpa/ or as PDF at https://www.jotform.com/gdpr-compliance/dpa/gdpr_dpa_en.pdf. Concluding it is regularly mandatory when using the tool to process personal data.
  • Third-country transfer: With the standard configuration, a transfer to the USA takes place. Jotform Inc. is listed in the DPF database as Participant 6788; the current status should be verified at https://www.dataprivacyframework.gov/s/participant-search, as public sources on the status were not unambiguous. In addition, Jotform states that it bases transfers on Standard Contractual Clauses.
  • EU hosting (GDPR Datacenter): Jotform offers an optional EU data residency in Frankfurt (Google Cloud). Activation is done in the account under "Settings → Data → GDPR Datacenter" and is a central risk-mitigating measure for German website operators. According to provider information, backups are still held on AWS.
  • Sub-processors: AWS and Google Cloud are confirmed as hosting sub-processors. The current sub-processor list is available at https://www.jotform.com/subprocessors/.
  • Encryption: Optionally, "Encrypted Forms 2.0" (RSA-2048 field encryption, form-specific) and a HIPAA-compliant mode (Gold/Enterprise) are available; relevant in particular for sensitive data.
  • Cookie behaviour: Jotform maintains a central cookie overview at https://www.jotform.com/cookie-policy/ as well as a specific list for embedded forms at https://www.jotform.com/cookie-list/forms/. The cookies actually set in the embed depend on the form type and activated functions and should be reviewed by the website operator in the specific use case.
  • Settings for the website operator: activate GDPR mode, activate EU datacenter, deactivate IP collection per form, choose CAPTCHA variant (reCAPTCHA, hCaptcha, JotCAPTCHA), activate field encryption.
  • Settings for the website visitor: The embed can be denied via the consent banner of the embedding website; in addition, browser cookie settings are available.
  • Joint Controller Agreement: According to publicly available sources, a joint controller agreement under Art. 26 GDPR is not provided. Jotform positions itself as a processor.

This presentation is based on provider information and publicly researchable sources. The specific role, legal basis, storage location, DPA status and in particular the DPF certification status are to be verified by the website operator on a case-by-case basis using the most current provider documentation.
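As an added example (not Jotform's own embed snippet), the following script creates the Jotform iframe only after the visitor has consented to third-party content, as the consent route above describes, and removes it again when consent is withdrawn, so that no connection data, referrer or cookie request reaches form.jotform.com beforehand; the form ID, the container element and the consent manager's "consentchange" event are assumptions.

```javascript
// Added example, not Jotform's own embed code: the Jotform iframe is created only
// after consent to third-party content, so no request (IP address, user agent,
// referrer, cookies) reaches form.jotform.com before that; withdrawal removes it.
const JOTFORM_ORIGIN = "https://form.jotform.com"; // form host named on this page
const FORM_ID = "0000000000000000000"; // constructed placeholder, not a real form ID

// Pure decision: iframe attributes for the given consent state, or null if the
// embed must not be loaded. Kept free of DOM access so it can be unit-tested.
function embedAttributes(formId, consent) {
  if (!consent || consent.thirdPartyContent !== true) return null;
  // Jotform form IDs are assumed to be numeric; rejecting anything else also
  // prevents a malformed ID from altering the URL path.
  if (!/^[0-9]+$/.test(formId)) throw new Error("invalid Jotform form ID");
  return {
    src: `${JOTFORM_ORIGIN}/${formId}`,
    // Send only the embedding page's origin as referrer, not its full URL.
    referrerpolicy: "strict-origin-when-cross-origin",
    title: "Contact form (Jotform)",
  };
}

// Create or remove the iframe inside `container` according to `consent`.
// Returns true if the form is (now) embedded, false if it is (now) absent.
function applyConsent(container, consent, formId = FORM_ID) {
  const attrs = embedAttributes(formId, consent);
  const existing = container.querySelector("iframe[data-jotform]");
  if (attrs === null) {
    if (existing) existing.remove(); // consent withdrawn: stop further requests
    container.textContent = "The form is displayed after consent to third-party content.";
    return false;
  }
  if (existing) return true; // already embedded, nothing to reload
  container.textContent = "";
  const frame = document.createElement("iframe");
  for (const [name, value] of Object.entries(attrs)) frame.setAttribute(name, value);
  frame.setAttribute("data-jotform", "");
  container.appendChild(frame);
  return true;
}

// Browser wiring. Assumes a hypothetical consent manager dispatching "consentchange"
// events with detail { thirdPartyContent: boolean } and a <div id="jotform-embed">.
if (typeof document !== "undefined") {
  const container = document.getElementById("jotform-embed");
  if (container) {
    document.addEventListener("consentchange", (event) =>
      applyConsent(container, event.detail));
  }
}
```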

J. Conclusion on Jotform and Notes for the Privacy Policy

Jotform is a widely used third-party tool for online forms that is integrated into other websites via JavaScript or iFrame embed. When the page is loaded, connection data is inevitably transferred to Jotform servers for technical reasons; without an activated EU datacenter, hosting takes place in the USA. Website operators must therefore determine a legal basis, conclude a DPA, address the third-country transfer (or activate the EU datacenter) and present the processing transparently in the privacy policy.

From the perspective of the privacy policy, it makes little sense to include a separate text template for Jotform. Such tool-specific text blocks make privacy policies long, confusing, hard to maintain and contradict the transparency requirement of Art. 12(1) GDPR, which requires information in a concise, transparent, intelligible and easily accessible form.

The more appropriate approach is a structured, topic-oriented one that explains tools across topic blocks (server operation, third-party content, newsletter, tracking, sales …) and refers to individual providers such as Jotform in the annex of recipients. This is the methodology of the matterius generator.

This article serves general information purposes regarding Jotform and does not replace legal advice in individual cases. As of: 6 May 2026.

K. Curator of this Page

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com