Overview
This page explains how Mobyform approaches GDPR-related responsibilities at a high level. It is intended as a practical public reference for customers that collect personal data from individuals in the European Economic Area or otherwise need GDPR-aware operations.
This page does not constitute legal advice. Customers should assess their own use cases with legal counsel where necessary.
Controller and Processor Roles
In most customer form setups:
- the customer decides what personal data is collected and why
- the customer is therefore usually the controller
- Mobyform operates the hosted service and is usually the processor
If you are a respondent submitting a form created by a Mobyform customer, that customer is generally the primary point of contact for questions about the use of your submission.
GDPR-Relevant Product Support
Mobyform is designed to support GDPR-aware operations in areas such as:
- configurable consent and disclosure patterns in forms
- customer control over form structure, permissions, and retention settings
- exports, deletion tools, rectification support, portability support, and administrative actions tied to respondent data
- DSAR-style request tracking for access, erasure, portability, and rectification requests
- deadline tracking around the standard 30-day response window used in GDPR-oriented request handling
- configurable retention-policy records in file storage, including retention-day settings and optional auto-purge behavior where enabled
- breach-tracking records that capture authority-notification time, subject-notification time, and whether an authority notification occurred within 72 hours
- role-based access, audit-oriented records, and operational controls
- public legal references such as our Privacy Policy, DPA, Subprocessors, and Security pages
What Customers Still Need to Do
Using a form platform does not automatically make an implementation GDPR compliant. Customers remain responsible for decisions such as:
- identifying a lawful basis for processing
- deciding what data is collected and whether it is necessary
- giving respondents clear privacy notices
- managing consent where consent is the legal basis
- handling data subject requests
- setting appropriate retention periods
- reviewing connected integrations and downstream systems
Data Subject Rights
GDPR gives individuals rights that may include access, rectification, deletion, restriction, portability, and objection. Mobyform can support customers with these processes through exports, deletion tools, rectification support, retention controls, and operational tooling, but the customer typically remains responsible for responding to the request and determining whether it applies.
International Transfers
Depending on infrastructure, vendor location, or customer configuration, some processing may involve cross-border data transfers. Where applicable, Mobyform uses appropriate safeguards and contractual mechanisms required by law.
Security and Confidentiality
GDPR readiness also depends on appropriate technical and organizational measures. A summary of our public security posture is available on the Security page.
Contact
If you need privacy documentation for a procurement or compliance review, contact support@mobyform.com.