[{"data":1,"prerenderedAt":367},["ShallowReactive",2],{"kc-/knowledge/gdpr-compliant-forms":3,"kc-clusters-/knowledge/gdpr-compliant-forms":142,"kc-related-/knowledge/gdpr-compliant-forms":143},{"id":4,"title":5,"author":6,"body":7,"date":105,"description":106,"draft":107,"extension":108,"faqs":109,"image":119,"isPillar":107,"meta":120,"navigation":121,"path":122,"pillar":123,"pillarName":124,"seo":125,"sources":126,"stem":135,"tags":136,"takeaways":140,"updated":105,"__hash__":141},"knowledge/knowledge/gdpr-compliant-forms.md","How to Build GDPR-Compliant Forms","RoundPushPin Team",{"type":8,"value":9,"toc":97},"minimark",[10,14,20,25,49,53,67,71,77,81],[11,12,13],"p",{},"A GDPR-compliant form collects personal data lawfully, takes only what it needs, tells people what you'll do with it, and lets you honor their rights over that data. The form tool can't make you compliant on its own, but its design and where it stores data make compliance much easier or much harder.",[15,16,17],"blockquote",{},[11,18,19],{},"This is general information about GDPR concepts, not legal advice. Confirm your specific obligations with a qualified professional.",[21,22,24],"h2",{"id":23},"what-does-gdpr-require-of-a-form","What does GDPR require of a form?",[11,26,27,28,32,33,36,37,40,41,44,45,48],{},"At a high level, the GDPR's Article 5 principles mean a compliant form should: have a ",[29,30,31],"strong",{},"lawful basis"," for collecting the data (consent, contract, legitimate interests, etc., per ICO guidance), collect ",[29,34,35],{},"only what's necessary"," (data minimisation), be ",[29,38,39],{},"transparent"," about purpose, keep data only ",[29,42,43],{},"as long as needed"," (storage limitation), and keep it ",[29,46,47],{},"secure",". People also have rights — access, rectification, erasure — that you must be able to act on.",[21,50,52],{"id":51},"how-do-you-design-a-form-for-data-minimisation","How do you design a form for data minimisation?",[11,54,55,56,61,62,66],{},"Ask less. Every field should map to a real, stated purpose; if you can't name why you need it, drop it or defer it. Practically that means cutting optional fields, avoiding \"nice to have\" questions, and using ",[57,58,60],"a",{"href":59},"/knowledge/conditional-logic-in-forms","conditional logic"," so people only answer what applies. Minimisation is both a legal principle and a ",[57,63,65],{"href":64},"/knowledge/form-completion-rate","completion-rate"," win.",[21,68,70],{"id":69},"how-do-consent-and-retention-work-on-a-form","How do consent and retention work on a form?",[11,72,73,76],{},[29,74,75],{},"Consent must be specific, informed, and freely given — a pre-ticked box doesn't count."," In practice, that's a clear, unbundled opt-in next to a plain-language purpose, plus a link to your privacy notice. Retention means deciding up front how long you keep each response and being able to delete it on request — which is far easier when the data sits in a database you can query and delete from directly.",[21,78,80],{"id":79},"how-roundpushpin-helps-with-gdpr-compliant-forms","How RoundPushPin helps with GDPR-compliant forms",[11,82,83,91,92,96],{},[29,84,85,86,90],{},"Because RoundPushPin is ",[57,87,89],{"href":88},"/knowledge/self-hosted-forms","self-hosted"," with responses in your own PostgreSQL database, you control the data path, residency, retention, and deletion directly — no third-party submissions store to reason about."," Combined with data-minimising ",[57,93,95],{"href":94},"/knowledge/conversational-form-design","conversational design",", it gives you the technical foundation to build compliant forms; the policies and lawful basis remain yours to define.",{"title":98,"searchDepth":99,"depth":99,"links":100},"",2,[101,102,103,104],{"id":23,"depth":99,"text":24},{"id":51,"depth":99,"text":52},{"id":69,"depth":99,"text":70},{"id":79,"depth":99,"text":80},"2026-03-04","Building GDPR-compliant forms means collecting only what you need, on a lawful basis, with clear consent and control over retention. This guide covers the principles that apply and how a self-hosted, relational form helps you meet them.",false,"md",[110,113,116],{"q":111,"a":112},"How do I make a form GDPR-compliant?","Collect data on a lawful basis, take only what you need, be transparent about purpose, keep it only as long as necessary, secure it, and be able to honor access and deletion rights. The tool helps, but the policies are yours. This is general information, not legal advice.",{"q":114,"a":115},"Do I need consent for a form?","Only if consent is your lawful basis — there are others, such as contract or legitimate interests. When you do rely on consent it must be specific, informed, and freely given, with no pre-ticked boxes. Confirm your basis with a professional.",{"q":117,"a":118},"How does self-hosting help with GDPR?","Self-hosting puts the data path, residency, retention, and deletion under your control, with no third-party submissions store to account for. It's a strong technical foundation, though compliance still depends on your policies.","/images/knowledge/gdpr-compliant-forms.png",{},true,"/knowledge/gdpr-compliant-forms","form-data-ownership","Privacy & data ownership",{"title":5,"description":106},[127,131],{"title":128,"url":129,"publisher":130},"Regulation (EU) 2016/679 (GDPR) — Article 5, principles relating to processing","https://eur-lex.europa.eu/eli/reg/2016/679/oj","EUR-Lex, European Union",{"title":132,"url":133,"publisher":134},"Lawful basis for processing","https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/","Information Commissioner's Office (ICO)","knowledge/gdpr-compliant-forms",[137,138,139],"gdpr","privacy","compliance",[],"DGrXe9Lk9CMOY7LwUCgCMT0x5pAMGjiqSDCTl-qWFUQ",[],[144,239],{"id":145,"title":146,"author":6,"body":147,"date":211,"description":212,"draft":107,"extension":108,"faqs":213,"image":223,"isPillar":107,"meta":224,"navigation":121,"path":88,"pillar":123,"pillarName":124,"seo":225,"sources":226,"stem":233,"tags":234,"takeaways":237,"updated":211,"__hash__":238},"knowledge/knowledge/self-hosted-forms.md","Self-Hosted Forms: Own Your Form Data",{"type":8,"value":148,"toc":205},[149,152,156,162,166,177,181,187,191],[11,150,151],{},"A self-hosted form runs on infrastructure you control, with responses stored in your own database rather than a vendor's cloud. It is the most direct form of data ownership: no third party sits between you and your respondents' answers.",[21,153,155],{"id":154},"what-does-self-hosted-actually-mean","What does \"self-hosted\" actually mean?",[11,157,158,161],{},[29,159,160],{},"It means you run the form application and its database on servers you choose — your own cloud account, a private server, or on-prem — instead of submitting data to a SaaS vendor's platform."," The form still works the same for respondents; the difference is custody. With a hosted tool the vendor holds the data and you access it through their product; self-hosted, you hold it.",[21,163,165],{"id":164},"why-does-self-hosting-matter-for-privacy","Why does self-hosting matter for privacy?",[11,167,168,171,172,176],{},[29,169,170],{},"Because it removes a party from the data path and puts residency in your hands."," Where data is stored and transferred is a real concern under regimes like the GDPR, whose Chapter V governs transfers of personal data across borders. When you self-host, you decide which region and provider hold the data, rather than inheriting a vendor's choices — which simplifies ",[57,173,175],{"href":174},"/knowledge/form-data-ownership","data ownership and privacy"," generally.",[21,178,180],{"id":179},"what-are-the-trade-offs","What are the trade-offs?",[11,182,183,186],{},[29,184,185],{},"Self-hosting trades convenience for control."," You run the infrastructure — updates, backups, uptime — which a fully-managed SaaS handles for you. The upside is ownership: direct database access, your own residency and retention rules, and no vendor lock-in. Good tooling narrows the gap; a one-command Docker setup and a typed schema (via tools like Drizzle) make running your own stack far less work than it used to be.",[21,188,190],{"id":189},"how-roundpushpin-does-self-hosting","How RoundPushPin does self-hosting",[11,192,193,201,202,200],{},[29,194,195,196,200],{},"RoundPushPin is self-hosted: a Docker Compose file brings up the app with PostgreSQL in one command, so every response lands in a relational database you own and can ",[57,197,199],{"href":198},"/knowledge/query-form-data-with-sql","query with SQL","."," You get the conversational experience of a hosted tool with the ownership of running your own — the foundation for ",[57,203,204],{"href":122},"GDPR-compliant forms",{"title":98,"searchDepth":99,"depth":99,"links":206},[207,208,209,210],{"id":154,"depth":99,"text":155},{"id":164,"depth":99,"text":165},{"id":179,"depth":99,"text":180},{"id":189,"depth":99,"text":190},"2026-03-06","Self-hosted forms run on your own infrastructure, so responses live in a database you control rather than a vendor's cloud. This guide explains what self-hosting means, the trade-offs, and why it matters for data ownership.",[214,217,220],{"q":215,"a":216},"What does a self-hosted form mean?","It means the form application and its database run on infrastructure you control, so responses are stored in your own database rather than a vendor's cloud. Respondents see the same form; you hold the data.",{"q":218,"a":219},"Are self-hosted forms worth the trade-off?","If data ownership, residency, or privacy matter, usually yes. You take on running the infrastructure, but you gain direct database access, your own retention rules, and no vendor lock-in. Good tooling narrows the operational gap.",{"q":221,"a":222},"How do I self-host RoundPushPin?","RoundPushPin ships with a Docker Compose setup that brings up the app and PostgreSQL in one command, so every response lands in a relational database you own and can query with SQL.","/images/knowledge/self-hosted-forms.png",{},{"title":146,"description":212},[227,229],{"title":228,"url":129,"publisher":130},"Regulation (EU) 2016/679 (GDPR) — Chapter V, transfers of personal data to third countries",{"title":230,"url":231,"publisher":232},"Drizzle ORM — Overview","https://orm.drizzle.team/docs/overview","Drizzle","knowledge/self-hosted-forms",[89,235,236],"data ownership","data residency",[],"RzL7AxN_kbM3NSnZ9kp1aFZ7xi-3lBJgfjrKMeMLoUQ",{"id":240,"title":241,"author":6,"body":242,"date":330,"description":331,"draft":107,"extension":108,"faqs":332,"image":341,"isPillar":107,"meta":342,"navigation":121,"path":343,"pillar":344,"pillarName":345,"seo":346,"sources":347,"stem":358,"tags":359,"takeaways":362,"updated":330,"__hash__":366},"knowledge/knowledge/what-to-ask-on-a-form.md","What to Ask (and Not Ask) on a Form",{"type":8,"value":243,"toc":323},[244,247,251,264,268,274,278,294,298,308,312],[11,245,246],{},"Every field on a form is a trade: more data for you, more effort and more drop-off for the respondent — and, for personal data, more legal exposure. Deciding what to ask, and what to leave off, is one of the highest-leverage choices in form design.",[21,248,250],{"id":249},"how-do-you-decide-which-fields-to-include","How do you decide which fields to include?",[11,252,253,256,257,260,261,200],{},[29,254,255],{},"Work backward from what you'll actually do with each answer."," If a field doesn't route the response, qualify a lead, personalize a follow-up, or satisfy a genuine requirement, it shouldn't be there. This is also the GDPR principle of ",[29,258,259],{},"data minimisation"," — collect only what's necessary for your stated purpose (Article 5). Minimisation is both good law and good ",[57,262,263],{"href":64},"completion rate",[21,265,267],{"id":266},"what-should-you-not-ask-on-a-form","What should you not ask on a form?",[11,269,270,273],{},[29,271,272],{},"Anything you won't use — and sensitive data you don't truly need."," Beyond the obvious \"cut vanity fields\", be careful with sensitive topics. Tourangeau and Yan (2007) found that sensitive questions produce more misreporting and more refusals, so adding them costs you both data quality and completions. If you don't need it, don't ask it.",[21,275,277],{"id":276},"how-do-sensitive-questions-change-your-data","How do sensitive questions change your data?",[11,279,280,283,284,288,289,293],{},[29,281,282],{},"They lower honesty and raise refusals — so ask them sparingly and carefully."," When a question feels intrusive or socially loaded, people skip it or answer inaccurately (Tourangeau & Yan, 2007). If you genuinely need sensitive information: explain ",[285,286,287],"em",{},"why"," you're asking, keep it optional where you can, and place it late — after the respondent has invested effort and has some reason to trust you (see ",[57,290,292],{"href":291},"/knowledge/building-trust-in-forms","building trust in forms",").",[21,295,297],{"id":296},"should-fields-be-required-or-optional","Should fields be required or optional?",[11,299,300,303,304,307],{},[29,301,302],{},"Require only what you truly need to proceed; defer or drop the rest."," Forcing optional fields to be mandatory inflates abandonment and breeds junk answers from respondents who ",[285,305,306],{},"satisfice"," under pressure (Krosnick, 1991). A short set of genuinely-required fields plus optional or progressively-collected extras beats one long required form.",[21,309,311],{"id":310},"how-roundpushpin-helps-you-ask-the-right-things","How RoundPushPin helps you ask the right things",[11,313,314,317,318,320,321,200],{},[29,315,316],{},"RoundPushPin makes minimal, relevant forms easy — and keeps the data typed and queryable so you only collect what you'll use."," Graph-based ",[57,319,60],{"href":59}," shows sensitive or follow-up questions only when relevant, and because every field maps to a typed column, it's clear exactly what you store — the foundation of ",[57,322,175],{"href":174},{"title":98,"searchDepth":99,"depth":99,"links":324},[325,326,327,328,329],{"id":249,"depth":99,"text":250},{"id":266,"depth":99,"text":267},{"id":276,"depth":99,"text":277},{"id":296,"depth":99,"text":297},{"id":310,"depth":99,"text":311},"2026-03-14","Every field you add costs completion and risk. This research-backed guide explains how to decide what to ask, what to leave off, and how sensitive questions change both your data quality and your legal exposure.",[333,336,338],{"q":334,"a":335},"How do you decide which fields to put on a form?","Start from what you'll actually do with each answer. If a field doesn't route, qualify, personalize, or fulfil a real need, cut it. Every field costs completion, and under GDPR you should collect only what's necessary.",{"q":267,"a":337},"Anything you won't use, and sensitive data you don't truly need — research shows sensitive questions raise misreporting and refusals. If you must ask something sensitive, explain why, make it optional where possible, and ask it late.",{"q":339,"a":340},"Should form fields be required or optional?","Make required only what you genuinely need to proceed; mark the rest optional or defer it. Forcing optional fields to be required inflates abandonment and encourages junk answers.","/images/knowledge/what-to-ask-on-a-form.png",{},"/knowledge/what-to-ask-on-a-form","conversational-form-design","Conversational form design",{"title":241,"description":331},[348,352,356],{"title":349,"url":350,"publisher":351},"Tourangeau, R. & Yan, T. (2007) — Sensitive questions in surveys","https://doi.org/10.1037/0033-2909.133.5.859","Psychological Bulletin",{"title":353,"url":354,"publisher":355},"Krosnick, J. A. (1991) — Response strategies for coping with the cognitive demands of attitude measures in surveys","https://doi.org/10.1002/acp.2350050305","Applied Cognitive Psychology",{"title":357,"url":129,"publisher":130},"Regulation (EU) 2016/679 (GDPR) — Article 5, data minimisation","knowledge/what-to-ask-on-a-form",[360,259,138,361],"question design","research",[363,364,365],"Decide fields by what you'll act on — every field costs completion, and GDPR says collect only what's necessary.","Sensitive questions increase misreporting and refusals (Tourangeau & Yan, 2007); ask them only if needed, and late.","Keep required fields minimal; defer or drop the rest rather than forcing them.","bxIdGpoSliDGGguGfP_6vI3hYQzp3v9UMUBAZvuyqU4",1780692425661]