Why form retention matters
Contact forms collect more personal data than teams realize: email addresses, phone numbers, budgets, medical hints, legal questions, resumes, IP addresses, file uploads, and business context. If nobody decides how long that data lives, it tends to live forever.
Forever is rarely the right answer. It increases privacy risk, makes exports noisy, and turns old submissions into a liability. A retention policy gives your team a default: what to keep, what to delete, and how to answer a deletion request without inventing a process under pressure.
Recommended retention windows
| Submission type | Typical retention | Reason |
|---|---|---|
| General contact | 30-180 days | Enough time to respond, follow up, and export if needed. |
| Sales lead | CRM policy | The CRM becomes the system of record after sync. |
| Support request | Ticket policy | Keep according to support and warranty requirements. |
| Spam | 7-30 days | Short review window for false positives and abuse patterns. |
| File uploads | Shortest practical window | Files often contain sensitive or unnecessary data. |
| Job applications | Legal/recruiting policy | Depends heavily on region and hiring process. |
A simple policy template
Form submission retention policy
Owner: Operations
System of record: splitforms dashboard and connected CRM
General contact submissions:
- Retain for 90 days in the form dashboard.
- Export or sync qualified leads to the CRM.
- Delete dashboard copies after the retention window.
Spam submissions:
- Retain for 14 days for false-positive review.
- Delete automatically after the review window.
File uploads:
- Retain only while the request is active.
- Delete uploads after export, support handoff, or 30 days.
Deletion requests:
- Verify requester identity.
- Delete dashboard record and connected CRM/ticket records where required.
- Confirm completion within 30 days.
Backups:
- Backups expire according to provider backup windows.
- Do not restore deleted submissions except for incident recovery.Export before deleting when the business needs a record
Deleting the dashboard copy does not mean the business has to lose every useful record. Qualified leads can move to a CRM. Support requests can move to a ticket system. Event RSVPs can move to a spreadsheet. The point is to make the destination intentional.
splitforms supports dashboard storage, exports, and integrations so a form can be the intake layer without becoming the permanent archive. See the GDPR page and DPA for more privacy details.
Access control is part of retention
Retention policies fail when too many people can read old data. Limit dashboard access, use separate forms for sensitive workflows, and avoid forwarding raw submissions to shared inboxes if the data is confidential.
- Keep submission access limited to people who need it.
- Use per-form routing instead of one company-wide inbox.
- Do not store sensitive file uploads longer than necessary.
- Review integrations when someone leaves the team.
- Document where exports go after they leave the form backend.
Handling deletion requests
- Confirm the requester controls the email address in the submission.
- Search the dashboard by email and related identifiers.
- Delete or anonymize the submission where required.
- Delete connected records in CRM, sheets, ticketing, and email where required.
- Keep a minimal internal note that the request was completed.
The hardest part is usually not deleting from the form backend. It is finding every integration that received the data afterward.
How this maps to splitforms
splitforms is designed to be the intake layer: receive the submission, filter spam, store the record, notify the owner, and route the data when needed. You can export data, connect downstream workflows, and use form-level settings to keep the operational record clean.
For implementation details, read the security page, privacy policy, and developer docs.
FAQ
How long should contact form submissions be retained?
Most small teams should keep ordinary contact submissions for 30 to 180 days unless there is a sales, legal, support, or compliance reason to keep them longer. Leads synced to a CRM should follow the CRM retention policy.
Do spam submissions need to be retained?
Keep spam briefly for audit and false-positive review, then delete it. A 7 to 30 day spam retention window is usually enough unless you need evidence for abuse handling.
What should a form retention policy include?
Include submission categories, retention windows, deletion rules, export rules, backup behavior, access controls, data-subject request handling, and who owns the policy.
Is this legal advice?
No. This is an operational guide for product and engineering teams. Ask your counsel or privacy advisor before publishing a legal retention policy.