Privacy & GDPR Compliance
FormForge includes built-in tools for GDPR compliance, giving you control over data retention, sensitive field redaction, subject access requests, and the right to erasure. These features help you meet your obligations under the General Data Protection Regulation without building custom solutions.
Data Retention
Data retention lets you automatically delete old submissions after a specified number of days. This is useful for forms that collect time-sensitive data (e.g. event registrations, support requests) where you have no legal basis to store submissions indefinitely.
How it works
- Open a form in the backoffice and navigate to Settings.
- Set the Retention Period to the number of days you want to keep submissions. Leave it empty to keep submissions indefinitely.
- Submissions (and their associated uploaded files) older than the retention period are automatically and permanently deleted.
Examples
| Retention Period | Behavior |
|---|---|
| Not set (default) | Submissions are kept indefinitely |
| 30 days | Submissions older than 30 days are deleted |
| 90 days | Submissions older than 3 months are deleted |
| 365 days | Submissions older than 1 year are deleted |
Deletion is permanent and irreversible. Once a submission is deleted, neither the data nor the uploaded files can be recovered. Make sure to export any data you need before setting a retention period.
Combine data retention with workflow email notifications to ensure you receive submission data by email before the automatic cleanup removes it from the database.
Sensitive Fields
Mark individual form fields as sensitive to restrict who can see their values in the backoffice. Users without the right permission see redacted values instead of the real data.
How it works
- In the form builder, select a field and enable the Sensitive toggle. Use this for fields containing personal data such as phone numbers, addresses, or payment references.
- When a backoffice user views submissions, FormForge checks whether they belong to the “Sensitive data” user group in Umbraco.
- Users without the permission see ****** instead of the actual field value.
- Users with the permission see the real value.
Where redaction applies
- Submission listing in the backoffice
- Submission detail view
- CSV export (the same “Sensitive data” user group is enforced)
Recommended use cases
- Phone numbers
- Postal addresses
- Payment references or transaction IDs
- National identification numbers
- Health or financial information
- Any field where you want to restrict visibility to authorized personnel only
“Sensitive data” is a built-in Umbraco user group. Assign it to a user under Users → select user → Assign access → Groups. FormForge does not introduce its own permission system.
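The redaction rule above, modelled as an added example (not FormForge's own code): one redaction function sits in front of both the listing and the CSV export, so an export cannot bypass the mask. The field names, the sample submissions and the choice to mask unknown fields are assumptions of this sketch.

```python
import csv
import io

SENSITIVE_GROUP = "Sensitive data"  # Umbraco user group named on this page
MASK = "******"                     # redaction marker shown on this page

# Constructed form definition: field alias -> is the Sensitive toggle enabled?
FORM_FIELDS = {"name": False, "phone": True, "message": False}

# Constructed sample submissions.
SUBMISSIONS = [
    {"name": "Ada Example", "phone": "+44 20 7946 0000", "message": "Call me"},
    {"name": "Bo Sample", "phone": "+1 202 555 0100", "message": "Hello"},
]


def redact(submission, user_groups):
    """Return a copy of the submission as this backoffice user may see it."""
    if SENSITIVE_GROUP in user_groups:
        return dict(submission)
    # Fields missing from the definition are masked too (fail closed);
    # that default is an assumption of this sketch.
    return {
        alias: MASK if FORM_FIELDS.get(alias, True) else value
        for alias, value in submission.items()
    }


def list_view(user_groups):
    """Submission listing: every row passes through redact()."""
    return [redact(s, user_groups) for s in SUBMISSIONS]


def export_csv(user_groups):
    """CSV export: uses the same redact() call as the listing."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(FORM_FIELDS))
    writer.writeheader()
    writer.writerows(redact(s, user_groups) for s in SUBMISSIONS)
    return buf.getvalue()
```
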
SAR Search
Subject Access Requests (SARs) are a core GDPR right. When an individual requests access to their personal data, you need to find all form submissions that contain information about them. FormForge provides a dedicated search tool for this.
How it works
- In the backoffice, navigate to the FormForge section and open the GDPR panel.
- Enter a search term (e.g. an email address, name, phone number, or IP address) and run the search.
- FormForge searches all field values across all form submissions using a case-insensitive match.
- Any submission where at least one field value contains the search term is returned, with full submission data and metadata.
Authorization
SAR Search requires the Umbraco “Sensitive data” user group. Users without this permission cannot access the GDPR search functionality.
Search by email address for the most targeted results. You can also search by name, phone number, IP address, or any other identifier that may appear in form field values.
Right to Erasure
The right to erasure (also known as the “right to be forgotten”) allows individuals to request the deletion of their personal data. FormForge lets you find and delete all matching submissions in a single operation.
How it works
- In the GDPR panel, search for the data subject using the same search as SAR Search.
- Review the matching submissions to verify the scope of the request.
- Click Erase to permanently delete all matching submissions, including any associated uploaded files.
- The operation is recorded in the audit trail for your compliance records.
Authorization
Erasure requires the Umbraco “Sensitive data” user group. Users without this permission cannot perform erasure operations.
Erasure is permanent and irreversible. Always review the search results first to confirm which submissions will be deleted. The audit log records that an erasure was performed, but does not retain the deleted data itself.
Recommended Workflow
- Receive an erasure request from a data subject.
- Use SAR Search to identify all matching submissions and verify the scope of the request.
- Export or document the search results if needed for your internal records.
- Perform the erasure to permanently delete all matching data.
- Confirm the deletion count matches the expected number of records.
- Notify the data subject that their data has been erased.
Erasure only deletes FormForge submission data. If you have forwarded submission data to external systems (e.g. via email workflows, Slack notifications, or API integrations), you must separately ensure that data is also deleted from those systems to fully comply with the erasure request.
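The search-then-erase workflow above, as an added example that models the documented matching rule (case-insensitive "contains" over every field value) and is not FormForge's own code. The in-memory store, the sample submissions and the function names are assumptions; it shows why the review step matters, because a short term also matches other people's submissions.

```python
import copy

# Constructed sample submissions across several forms.
_SAMPLE = [
    {"id": 1, "form": "contact",
     "fields": {"email": "ann@example.org", "message": "Hi"}},
    {"id": 2, "form": "event",
     "fields": {"email": "joanne@example.org", "name": "Joanne"}},
    {"id": 3, "form": "support",
     "fields": {"email": "other@example.org",
                "message": "cc ANN@example.org please"}},
    {"id": 4, "form": "contact",
     "fields": {"email": "bob@example.org", "message": "Hello"}},
]


def sample_store():
    """Fresh copy of the constructed data, so erasure can be re-run."""
    return copy.deepcopy(_SAMPLE)


def sar_search(store, term):
    """Submissions where at least one field value contains the term."""
    needle = term.casefold()
    return [
        s for s in store
        if any(needle in str(v).casefold() for v in s["fields"].values())
    ]


def matching_ids(store, term):
    """IDs to review before erasing."""
    return [s["id"] for s in sar_search(store, term)]


def erase(store, term):
    """Delete every match for the term and return the deletion count."""
    doomed = set(matching_ids(store, term))
    store[:] = [s for s in store if s["id"] not in doomed]
    return len(doomed)


if __name__ == "__main__":
    store = sample_store()
    # A short term over-matches: "ann" is also inside "joanne".
    print("ann            ->", matching_ids(store, "ann"))
    # The full address is narrower, but still returns submission 3,
    # which someone else filed and which only mentions the address.
    reviewed = matching_ids(store, "ann@example.org")
    print("ann@example.org ->", reviewed)
    deleted = erase(store, "ann@example.org")
    print("deleted", deleted, "expected", len(reviewed))
```
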