Privacy policy clauses for JotForm
JotForm is an online form builder that allows websites to create and deploy customizable forms for collecting user data. When visitors submit forms on your site, JotForm processes and stores their responses and collects their IP addresses.
Free scan · No signup · Results in 60 seconds
What data JotForm collects
Your privacy policy must disclose each of the following data types when you use JotForm.
When does JotForm trigger privacy obligations?
Installation Trigger
The moment you embed JotForm on your website or app, you begin collecting form responses and capturing visitor IP addresses through JotForm Inc's servers in the United States. This dual data flow—responses plus IP logs—creates immediate compliance obligations.
GDPR Applicability
If your site serves EU residents, GDPR applies regardless of your location. JotForm's collection of IP addresses constitutes personal data processing (GDPR Article 4(1)). You become the controller; JotForm Inc is your processor. You must execute a Data Processing Agreement (GDPR Article 28(3)) before data flows to JotForm—not after launch.
CCPA/CPRA Applicability
If you operate a for-profit business collecting California residents' data, CCPA Section 1798.100 requires disclosure of what you collect. JotForm's IP capture means you're collecting IP address plus form content; this must be itemized in your privacy policy before collection occurs.
First Concrete Step
Before embedding JotForm, confirm JotForm's DPA is signed and covers your jurisdiction's laws. Then update your privacy policy to disclose: (1) form responses are collected; (2) IP addresses are logged; (3) data flows to JotForm Inc in the US; (4) retention period. Obtain explicit consent (opt-in, not opt-out) if you process special categories (health, children's data).
