GDPR Knowledge

Typeform and Data Protection – What Belongs in the Privacy Policy

Compact guide to Typeform: processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

If a website operator uses Typeform, it typically processes the visitor's IP address, browser and device information as well as the answers entered into the form for the purpose of providing the embedded form, on the basis of a third-party content consent or a legitimate interest (Art. 6(1)(a) or (f) GDPR). This page explains which data Typeform processes according to publicly available provider information and what website operators need to include in their privacy policy.

A. Purpose and Function of Typeform

Typeform is a form and survey tool offered by TYPEFORM S.L. (Spain). Website operators use it to create online forms, surveys, quizzes and lead-generation flows that the provider hosts on its own servers.

For website operators, the most relevant feature is the integration of the form into their own website. Typeform offers several embed variants for this: Standard/Inline widget, Full-Page embed, Popup, Slider, Popover and Side-Tab. Technically, the form is loaded into an <iframe> from the *.typeform.com domain; the embed snippet additionally loads the provider's JavaScript, which, unlike the iframe content, runs in the context of the embedding page itself. For integration, Typeform offers a vanilla JavaScript library (@typeform/embed) and a React SDK (@typeform/embed-react).

In addition, Typeform allows a purely linked, standalone URL of a form (form.typeform.com/...); this is not an embed in the strict sense but a redirection. This page focuses on the practically more common embed in the operator's own website.

B. Mandatory Disclosures in the Privacy Policy when Using Typeform

In addition to general information about the controller, the rights of data subjects and the supervisory authority, the GDPR requires the following specific disclosures regarding the use of tools in a privacy policy:

  • the purposes of the processing (Art. 13(1)(c) GDPR),
  • the legal bases of the processing (Art. 13(1)(c) GDPR),
  • where processing is based on a balancing of interests, additionally the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
  • the recipients or categories of recipients (Art. 13(1)(e) GDPR),
  • whether the data is transferred to a third country outside the EU/EEA (in particular one without an adequacy decision) and on what basis (Art. 13(1)(f) GDPR),
  • the storage period or the criteria used to determine it (Art. 13(2)(a) GDPR),
  • and – if data is not collected directly from the data subject – additionally the categories of personal data processed (Art. 14(1)(d) GDPR).

The following sections classify these mandatory disclosures for the use of Typeform.

In practice, it has become common to add a separate text template for each individual tool – including Typeform – to the privacy policy. This approach is, in our view, not mandatory and regularly leads to long, repetitive and hard-to-maintain privacy policies. This contradicts the transparency requirement of Art. 12(1) GDPR, which calls for a "concise, transparent, intelligible and easily accessible form". A more appropriate approach is a topic-oriented structure: processing operations are described across topic blocks (server operation, third-party content, newsletter, tracking, sales …); the specifically used providers such as Typeform are then listed in an annex of recipients.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Typeform

According to publicly available provider information, the contractual partner for German website operators is TYPEFORM S.L. (Spain), the provider named in section A.

The exact current business address should be verified by the website operator in the current data processing agreement or on the provider's website.

Group structure: Typeform operates a US subsidiary (TYPEFORM US LLC, San Francisco, USA), which can play a role in the sub-processor chain. In addition, Typeform uses Amazon Web Services (AWS) as a hosting sub-processor; according to provider information, the standard hosting region is US-East (Virginia, USA). An EU hosting option is, according to provider information, only available in higher tier plans.

D. Data Processing with Typeform – Step by Step

Collection – When a website with an embedded Typeform form is loaded, the visitor's browser fetches content from *.typeform.com. This technically requires the transfer of connection data to Typeform (IP address, user agent, referrer). As soon as the visitor fills out the form, the entered answers are collected.
Storage – Response data is stored on the provider's servers. According to provider information, the standard region is AWS US-East (Virginia, USA). EU hosting is optionally available in higher tier plans.
Use – Typeform makes the form function available, generates analyses and statistics for the website operator and forwards responses to configured integrations (e.g. CRM, newsletter tools).
Disclosure – Sub-processors (in particular AWS for hosting) receive data. The provider publishes the sub-processor list at https://www.typeform.com/help/a/what-other-companies-do-we-share-data-with-360029617191/. Third-country transfers to the USA take place.
Deletion – Website operators can delete responses individually or in bulk in the Typeform account; deletion and retention periods can be controlled via account settings. After contract end, the standard deletion periods of the DPA apply.

E. Data Collected by Typeform

When a Typeform form is embedded, the provider, according to publicly available information, processes in particular the following data categories: technical connection data (IP address, user agent, timestamp, referrer), browser and device information as well as connection metadata. Typeform states that it derives a "Network ID" (hash) from the IP address. In addition, Typeform processes all content the visitor enters in the form – depending on configuration, this includes name, email address, phone number, free-text answers or uploaded files.

If the form creator activates further integrations (e.g. Facebook Pixel, Google Analytics, HubSpot), additional tracking data is processed. Such integrations are optional and can be activated in the Typeform backend.

This data can be classified into the following standardised data categories:

  • Web server log data: in particular IP address, date, time, URL of the requested content (embed endpoint), referrer URL of the embedding page, status code, transferred data volume.
  • Device data: device type, operating system, screen size and resolution.
  • Browser information: browser name and version.
  • Coarse location data: location at city/municipality level derived from the IP address.
  • User content: all content entered into the form by the visitor – answers, selections, uploaded files.
  • Click paths and interaction data: clicks within the form, dwell time per question; insofar as form tracking is active.
  • Conversion events: where marketing integrations (pixel, analytics) are activated, the submission of a form as a conversion.
  • Technical telemetry data: performance and error data of the embed component.

F. Purposes of Use for the Website Operator When Using Typeform

The website operator regularly uses Typeform to provide interactive forms, e.g. for lead capture, applications, surveys, bookings, feedback forms or support requests. In addition, the data collected is used to evaluate the answers, process the requests and, where applicable, optimise the form itself.

These purposes can be classified into the following standardised categories of purposes of use:

  • Function provision: delivery and operability of the embedded form (display, input validation, submission logic), error detection and prevention.
  • Contract performance: use of the form data for contract initiation or execution, where the form aims at concluding a contract (e.g. booking, order, registration).
  • Security and abuse prevention: spam and bot protection, in particular when reCAPTCHA is activated, as well as detection and prevention of other abusive entries.
  • Communication: use of the contact details entered in the form to respond to the user's request or for further correspondence.
  • General product improvement: evaluation of aggregated answer and abandonment data to optimise forms and processes.

If additional tracking or marketing integrations are activated, depending on configuration, user profile creation, general marketing and user-individual marketing also come into consideration as purposes.

G. Tool Category and Legal Bases for the Use of Typeform

Typeform falls into the tool category of third-party content (an embedded form from an external provider), supplemented in certain configurations by a tracking component (when marketing pixels, analytics integrations or similar are activated in the form).

The following legal bases come into consideration for the use of Typeform:

  • Consent (Art. 6(1)(a) GDPR in conjunction with Sec. 25(1) TDDDG) as a third-party content consent: Since the embed inevitably transfers connection data to a US sub-processor when the page is loaded and Typeform may set cookies, obtaining consent through a consent banner is regularly the more legally robust option. Where tracking/marketing integrations are activated, consent is practically mandatory.
  • Contract performance (Art. 6(1)(b) GDPR): where the form serves the conclusion or initiation of a specific contract between the website operator and the user (e.g. order form, application, booking).
  • Legitimate interests (Art. 6(1)(f) GDPR): with the specific interests pursued in function provision, efficiency, security and abuse prevention. This basis comes into consideration for purely functional embeds without tracking components; given the third-country transfer to the USA, a case-by-case balancing is appropriate.

The applicable legal basis depends on the specific use case and configuration of the form and is to be assessed by the website operator on a case-by-case basis.
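The embed described in section A and the consent-gated loading discussed under the legal bases above can be combined in a small piece of client-side code: nothing is requested from *.typeform.com until the visitor has granted third-party content consent, and, where the form creator has activated marketing integrations, additionally marketing consent. The following JavaScript is an added example written for this page; it is neither Typeform's embed library nor code from the original article. The shape of the consent object, the `consentchange` event name, the element id `typeform-container`, the `data-form-id` attribute, the form id value and the `/to/<id>` path under form.typeform.com are assumptions of this example, not statements from the page.

```javascript
// Consent-gated Typeform embed (added example, not Typeform's code).
// Assumptions (hypothetical, not from the page): consent is a plain object
// { thirdPartyContent: boolean, marketing: boolean }; the form is described as
// { id: string, hasMarketingIntegrations: boolean }; public form URLs follow
// the pattern https://form.typeform.com/to/<id>.

const TYPEFORM_ORIGIN = 'https://form.typeform.com';

// Build the iframe src only from a fixed, allow-listed origin and a validated
// form id, so that a mis-set configuration value cannot inject a foreign src.
function buildEmbedUrl(formId) {
  if (typeof formId !== 'string' || !/^[A-Za-z0-9]{1,64}$/.test(formId)) {
    throw new Error('invalid form id');
  }
  return `${TYPEFORM_ORIGIN}/to/${formId}`;
}

// Pure decision function: given the current consent state and the form's
// configuration, decide whether the embed may be loaded at all.
// Returns { action: 'embed' | 'placeholder', src: string | null, reason: string | null }.
function decideEmbed(consent, form) {
  const c = consent || {};
  if (c.thirdPartyContent !== true) {
    // Without third-party content consent no request to *.typeform.com is made:
    // no iframe, no embed script.
    return { action: 'placeholder', src: null, reason: 'no third-party content consent' };
  }
  if (form.hasMarketingIntegrations === true && c.marketing !== true) {
    // The form creator activated marketing/analytics integrations in the
    // Typeform backend; these need marketing consent on top.
    return { action: 'placeholder', src: null, reason: 'marketing integrations active without marketing consent' };
  }
  return { action: 'embed', src: buildEmbedUrl(form.id), reason: null };
}

// DOM glue: render or remove the embed according to the decision. A plain
// iframe is used instead of the embed script, so only the iframe origin is
// contacted and no third-party script runs in the embedding page's context.
function renderTypeform(container, consent, form) {
  const decision = decideEmbed(consent, form);
  // Always tear down first; this also covers withdrawal of consent.
  while (container.firstChild) container.removeChild(container.firstChild);

  if (decision.action === 'placeholder') {
    const note = container.ownerDocument.createElement('p');
    note.textContent = 'This form is provided by Typeform. Accept third-party content to load it.';
    container.appendChild(note);
    return decision;
  }

  const iframe = container.ownerDocument.createElement('iframe');
  iframe.src = decision.src;
  iframe.title = 'Typeform form';
  // Send only the origin of the embedding page as referrer, never the full URL,
  // independent of browser defaults or a page-level referrer policy.
  iframe.referrerPolicy = 'strict-origin';
  iframe.setAttribute('loading', 'lazy');
  container.appendChild(iframe);
  return decision;
}

// Browser wiring; skipped when run outside a browser. The consent manager API
// (window.consentState, 'consentchange' event) is a hypothetical stand-in.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  const container = document.getElementById('typeform-container');
  if (container && container.dataset.formId) {
    const form = {
      id: container.dataset.formId,
      hasMarketingIntegrations: container.dataset.marketing === 'true',
    };
    const state = () => window.consentState || {};
    renderTypeform(container, state(), form);
    window.addEventListener('consentchange', () => renderTypeform(container, state(), form));
  }
}
```

A practical check for this setup is the browser's network panel on a fresh profile: before consent there must be no request to any *.typeform.com host. A Content-Security-Policy with `frame-src https://form.typeform.com` (and no typeform entry in `script-src` while the plain iframe is used) turns that expectation into something the browser enforces rather than something only reviewed by hand.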

H. Special Features and Notes Regarding Typeform

  • DPA: Typeform provides a pre-signed data processing agreement at https://www.typeform.com/dpa. Concluding it is regularly mandatory when using the tool to process personal data.
  • Third-country transfer: According to provider information, a transfer to the USA takes place (standard hosting region AWS US-East, Virginia). Typeform states that it bases these transfers on the EU Standard Contractual Clauses (SCC). A DPF certification of TYPEFORM US LLC is not unambiguously confirmed by publicly available sources; the current status is to be checked by the website operator at https://www.dataprivacyframework.gov/s/participant-search.
  • EU hosting: According to provider information, an optional EU data residency is available only in higher tier plans (Enterprise / Growth Custom); a self-hosted variant does not exist.
  • Sub-processors: AWS is confirmed as a hosting sub-processor. The current sub-processor list is available at https://www.typeform.com/help/a/what-other-companies-do-we-share-data-with-360029617191/.
  • Cookie behaviour: When embedded, third-party cookies from the typeform.com domain are set, according to provider information. A complete public list of all proprietary cookies with names and purposes is not exhaustively documented; in addition, cookies may be created through activated third-party integrations (e.g. _ga, _fbp, _gcl_au).
  • Settings for the website operator: Typeform offers a built-in "Activate cookie consent" function within the form; the integrated reCAPTCHA can be deactivated per form; marketing/analytics integrations are optional and should only be activated where the appropriate consent is in place.
  • Settings for the website visitor: The embed can be denied via the consent banner of the embedding website; in addition, browser cookie settings are available.
  • Joint Controller Agreement: A joint controller agreement under Art. 26 GDPR is not visible in the publicly available sources. The role as processor follows from the standard DPA.

This presentation is based on provider information and publicly researchable sources. The specific role, legal basis, storage location, DPA status and DPF certification are to be verified by the website operator on a case-by-case basis using the most current provider documentation.

I. Frequently Asked Questions on Typeform and Data Protection

J. Conclusion on Typeform and Notes for the Privacy Policy

Typeform is a widely used third-party tool for online forms that is embedded into other websites via embed snippets. When the page is loaded, connection data is technically inevitably transferred to Typeform's servers; the standard hosting region is, according to provider information, the USA. Website operators must therefore determine a legal basis, conclude a DPA, address the third-country transfer and present the processing transparently in the privacy policy.

From the perspective of the privacy policy, it makes little sense to include a separate text template for Typeform. Such tool-specific text blocks make privacy policies long, confusing, hard to maintain and contradict the transparency requirement of Art. 12(1) GDPR, which requires information in a concise, transparent, intelligible and easily accessible form.

The more appropriate approach is a structured, topic-oriented one that explains tools across topic blocks (server operation, third-party content, newsletter, tracking, sales …) and refers to individual providers such as Typeform in the annex of recipients. This is the methodology of the matterius generator.


This article serves general information purposes regarding Typeform and does not replace legal advice in individual cases. As of: 6 May 2026.

K. Curator of this Page

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
