Lawful Basis for Data Processing
Last updated: February 14, 2026
Under the GDPR (Article 6), every processing activity must have a lawful basis. This page documents the lawful basis Rowform relies on for each category of data processing.
1. Account Holders (Form Creators)
These are users who sign up for a Rowform account to create and manage forms.
| Processing Activity | Data Processed | Lawful Basis | GDPR Article |
|---|---|---|---|
| Account registration and authentication | Email, name, OAuth profile | Contract — necessary to provide the service | Art. 6(1)(b) |
| Billing and payment processing | Email, payment details (via DodoPayments) | Contract — necessary to fulfill the subscription agreement | Art. 6(1)(b) |
| Transactional emails (welcome, password reset, invitations) | Email, name | Contract — necessary to operate and secure the account | Art. 6(1)(b) |
| Submission email notifications | Contract — core feature of the service | Art. 6(1)(b) | |
| Product updates and marketing emails | Email, name | Consent — opt-in toggle in Account Settings, revocable at any time | Art. 6(1)(a) |
| Audit logging (logins, exports, deletions, consent changes) | User ID, action, timestamp, IP | Legitimate interest — security monitoring and GDPR accountability | Art. 6(1)(f) |
| Cookie and analytics tracking | Browser metadata, cookies | Consent — managed via CookieYes consent banner | Art. 6(1)(a) |
2. Form Respondents (End Users)
These are individuals who fill out forms created by Rowform account holders. In this context, the account holder is the Controller and Rowform is the Processor.
| Processing Activity | Data Processed | Lawful Basis | GDPR Article |
|---|---|---|---|
| Collecting form responses | Answers, email (if requested by form creator) | Determined by the Controller — the form creator is responsible for establishing their own lawful basis (typically consent or legitimate interest) | Art. 6(1)(a) or (f) |
| Storing and displaying responses to the form creator | Response data, timestamps | Contract — necessary to provide the service to the Controller | Art. 6(1)(b) |
| Partial response storage (abandoned sessions) | Partial answers, session metadata | Legitimate interest — allows respondents to resume incomplete forms | Art. 6(1)(f) |
| Anonymizing respondent emails after 365 days | Email addresses | Legal obligation — GDPR data minimization principle | Art. 6(1)(c) |
3. Team Members and Collaborators
These are users invited to a workspace by an account holder.
| Processing Activity | Data Processed | Lawful Basis | GDPR Article |
|---|---|---|---|
| Workspace invitation emails | Email, inviter name | Legitimate interest — facilitating team collaboration as requested by the account holder | Art. 6(1)(f) |
| Workspace access and role management | Email, user ID, role | Contract — necessary to provide multi-user access to the service | Art. 6(1)(b) |
4. Data Retention Justification
| Data Type | Retention | Justification |
|---|---|---|
| Partial responses | 30 days | Legitimate interest — allows session resumption; deleted after reasonable window |
| Respondent emails | 365 days then anonymized | Data minimization (Art. 5(1)(e)) — analytics preserved, PII removed |
| Webhook delivery logs | 90 days | Legitimate interest — debugging and operational monitoring |
| Audit logs | 2 years | Legitimate interest — security review and regulatory compliance |
| Account data | Until account deletion | Contract — retained while service is active |
5. Consent Management
Where consent is the lawful basis, Rowform ensures:
- Freely given — Consent is not a precondition for using the service (except where necessary, e.g., cookies for site functionality).
- Specific — Each consent is for a defined purpose (marketing emails, cookie tracking).
- Informed — Users are told what they are consenting to at the point of collection.
- Revocable — Consent can be withdrawn at any time via Account Settings (marketing) or the CookieYes banner (cookies), with the same ease as it was given.
- Recorded — All consent events are timestamped and stored in user metadata (
consent_given_at,marketing_consent_at).
6. Legitimate Interest Assessments
Where legitimate interest is relied upon, Rowform has considered:
Audit Logging
- Purpose: Detect unauthorized access, support GDPR accountability, and assist in breach investigations.
- Necessity: Cannot be achieved without logging user actions with identifiers.
- Balancing: Minimal data collected (user ID, action type, timestamp). Logs are automatically deleted after 2 years. Data Subjects can request access to their audit logs via data export.
Partial Response Storage
- Purpose: Allow respondents to resume incomplete forms without losing progress.
- Necessity: Requires temporary storage of partial answers linked to a session.
- Balancing: Data is automatically deleted after 30 days. No marketing or profiling use. Benefits the Data Subject directly.
Workspace Invitations
- Purpose: Enable account holders to invite team members to collaborate.
- Necessity: Requires sending an email to the invitee with workspace details.
- Balancing: Single transactional email. No further processing unless the invitee accepts and creates an account.
7. Contact
For questions about our lawful basis for processing or to exercise your data protection rights:
- Email: privacy@rowform.io
- Website: rowform.io
Last updated on