At-a-glance comparison
Ten contact form services scored against five GDPR criteria that actually matter: EU data residency, DPA availability on the free tier, native consent-field support, retention-policy controls, and sub-processor transparency. Rows are ranked by overall compliance ease — splitforms first, "avoid" tools at the bottom.
| # | Tool | EU residency | DPA on free | Consent field | Retention control | Cheapest paid |
|---|---|---|---|---|---|---|
| 1 | splitforms | Yes (EU SMTP) | Yes | Yes | Auto-delete per form | $5/mo or $59/4yr |
| 2 | JotForm EU | Yes (Frankfurt) | No (paid only) | Yes | Manual purge | $39/mo Bronze |
| 3 | Cognito Forms | Partial (US-only data centre) | Yes | Yes (strong) | 30/90/365-day presets | $19/mo Pro |
| 4 | Basin | No | Yes | Manual checkbox | Manual purge | $12.95/mo Starter |
| 5 | Formspree | No (US-only) | No (Business plan) | Manual checkbox | Manual purge | $10/mo Personal |
| 6 | Tally | Yes (EU) | No (Pro only) | Yes | Manual purge | $29/mo Pro |
| 7 | Paperform | No (AU/US) | No (Agency tier) | Yes | Manual purge | $24/mo Essentials |
| 8 | Formstack | Paid add-on | No (Enterprise) | Yes (HIPAA tier) | Custom | $50/mo Starter |
| 9 | Wufoo | No (US-only) | No (Enterprise) | Manual checkbox | Manual purge | $14.08/mo Starter |
| 10 | Typeform | Partial (EU/US) | No (Business) | Yes | Manual purge | $25/mo Basic |
If you only read one row: splitforms is the only entry where every column is "Yes" or "auto-delete" on the free tier. For deeper background on what GDPR actually requires for form submissions, see GDPR-compliant form submissions.
How we scored compliance
Marketing pages claim "GDPR-compliant" for any tool that ever signs a DPA. That bar is too low. For this round-up, each tool was scored on five criteria a Data Protection Officer would actually ask about:
- EU data residency. Where the submissions are stored at rest, and whether email notifications route through EU SMTP. US-only vendors aren't automatically out, but they add Standard Contractual Clauses overhead.
- DPA availability on the free tier. Article 28 makes a Data Processing Agreement mandatory the moment any personal data is processed. Vendors that paywall DPAs effectively lock free-tier users out of compliance.
- Native consent-field support. A checkbox is trivial to add in HTML — but does the tool log the consent state with the submission, version the consent text, and make it exportable for audit?
- Retention controls. Auto-delete after N days beats manual purges every time. Indefinite storage by default is a GDPR foot-gun.
- Sub-processor transparency. Public, dated list of every third party that touches submission data (email relay, analytics, storage). If the page doesn't exist, you can't complete a Transfer Impact Assessment.
Each tool was tested with a real submission, a real consent checkbox, and a real Subject Access Request ("export everything you have on this email"). Tools that couldn't fulfil the SAR in under 30 days were marked down.
1. splitforms — best overall for GDPR
splitforms is GDPR-by-default rather than GDPR-as-upsell. Every account ships with a signed DPA available in-dashboard (free tier included), EU SMTP routing as a region toggle, per-form retention policies that auto-delete submissions after a chosen window, and a consent checkbox helper that timestamps the consent text version with each submission.
The free tier is 1,000 submissions/month. Paid is $5/month for 5,000 submissions, or $59 for 4 years — the cheapest compliant paid option in the round-up. Webhooks, AI spam classification, and the sub-processor list are all on free.
What's good
- DPA on free tier — sign it inside the dashboard.
- EU SMTP routing means notification emails don't bounce through US data centres.
- Per-form retention windows (30/90/365 days, or never-store).
- Honeypot spam filter doesn't require cookie consent.
- Public sub-processor list at /faq, updated whenever a vendor changes.
What's missing
- No on-prem / self-host build (planned). If you need full self-hosting today, see self-hosted vs SaaS form backend.
Verdict: Cheapest, simplest path to compliance. Start free at splitforms.com/login.
2. Formspree
Formspree is a mature US-based service with solid uptime and a well-documented API. Storage is US-only — there's no EU residency option even on Business. They signed the EU-US Data Privacy Framework, so SCC paperwork is workable, but you'll need a Transfer Impact Assessment for strict-regulator deployments.
The compliance gotcha: the DPA is only signed on Business ($40/month). At the $10 Personal tier, you're processing personal data without a written Article 28 agreement, which is a problem for any commercial site. Free tier caps at 50 submissions/month.
Verdict
Workable if you're US-focused and already on Business. For EU-heavy traffic or a free-tier project, splitforms is a cleaner fit at lower cost. Side-by-side: splitforms vs Formspree. Cut-over guide: migrate from Formspree.
3. Typeform
Typeform builds slick conversational forms but is a heavy GDPR lift. The embed loads typeform.com assets, sets cookies for session tracking, and pings their analytics endpoints — so any site embedding a Typeform form needs an explicit cookie banner before the embed renders. Storage is split between EU and US data centres but you can't pick per workspace on lower tiers.
DPA is signed on Business ($83/month) and above. Free and Basic tiers don't get one, despite collecting unlimited personal data on the free tier. Consent fields are built in, which is the one bright spot.
Verdict
Avoid for plain contact forms if you care about cookie-banner cleanliness. The conversational UX doesn't pay for the compliance overhead. Compare directly: splitforms vs Typeform.
4. JotForm EU
JotForm runs a dedicated EU edition with Frankfurt data centres — the data never leaves the EU. That's the strongest residency story in this round-up after splitforms. They also publish a clear sub-processor list and offer HIPAA and PCI add-ons for regulated industries.
The catch: there is no free tier on JotForm EU. Plans start at €34/month (~$39) for Bronze. DPA paperwork is on Bronze and up. The form builder is feature-rich but the embed is heavy compared to a plain HTML form posting to splitforms.
Verdict
Strong choice for enterprises with budget and a strict-residency requirement. Overkill for an indie dev or small agency. Migration path: splitforms vs JotForm.
5. Cognito Forms
Cognito is the surprise standout for consent UX. The form builder has first-class consent blocks: versioned consent text, separate checkboxes per data-use purpose, and an audit log of which version each submission accepted. Retention presets (30/90/365 days) are baked in.
The downside is residency — Cognito is US-only with no EU storage option. They are DPF-certified, so SCCs work, but it's extra paperwork. Free tier covers 500 submissions/month including a DPA, which is more permissive than most US competitors. Paid starts at $19/month.
Verdict
Best consent UX of any tool tested. Pick it if your DPO cares more about consent audit trails than EU storage. Otherwise splitforms covers the same ground at lower cost with EU residency available.
6. Tally
Tally is a Brussels-based startup, EU-hosted by default, and the free tier has a generous unlimited submission count. On paper, perfect for GDPR. In practice the DPA is locked behind the $29/month Pro plan, the Tally embed loads tally.so scripts that set first-party cookies, and the sub-processor list is sparse.
For a personal site that's already EU-hosted, Tally's free tier is workable as long as you're comfortable processing data without a written DPA — which most lawyers will tell you to avoid. The branded "Made with Tally" footer also pushes consent UX in a direction you can't control.
Verdict
EU residency is real but the DPA paywall undermines it. splitforms vs Tally covers cost differences.
7. Basin
Basin is a small US shop focused on simple HTML-first form endpoints — closest in philosophy to splitforms. The DPA is available on the free tier, which is rare. The downside is no EU residency at all (US-only storage and SMTP) and no auto-delete retention. The sub-processor list exists but isn't dated, so a Transfer Impact Assessment takes more digging than it should.
Free tier is 100 submissions/month — generous for hobby projects but tight for anything live. Starter is $12.95/month for 500 submissions, which is more expensive than splitforms' $5/month Pro for 5,000.
Verdict
Good HTML-first ethos, weaker on residency and price. splitforms vs Basin.
8. Wufoo
Wufoo is the SurveyMonkey-owned legacy player. The product still works but the UI hasn't aged well, and the GDPR story is rough: US-only storage, DPA only on Enterprise (custom pricing), no native consent block, manual export for Subject Access Requests. SurveyMonkey's sub-processor list is public, which helps.
Paid starts at $14.08/month for the Starter tier. Free tier is 100 submissions/month with Wufoo branding.
Verdict
Skip unless you're already locked into the SurveyMonkey stack. Compliance overhead doesn't justify the price.
9. Formstack
Formstack targets the enterprise / healthcare segment. HIPAA-compliant tier is real, audit logs are real, the integrations catalogue is huge. But for a plain GDPR-compliant contact form, it's gold-plated and expensive — $50/month Starter just to get in the door, and EU residency is a paid add-on. DPA is Enterprise-tier.
The consent UI is strong on the HIPAA tier but standard plans default to a manual checkbox the same as Formspree or Basin.
Verdict
Right tool for regulated industries with budget. Wrong tool for a marketing-site contact form.
10. Paperform
Paperform is design-led with a strong visual builder, US/AU hosting, no EU residency option, and a DPA gated behind the Agency tier ($199/month). Consent fields are native and look good. Sub-processor list is published and dated, which is more than Tally manages.
For a public-facing contact form, the visual polish doesn't justify the residency tradeoff. Starts at $24/month Essentials.
Verdict
Beautiful but compliance-expensive. Worth a look only if visual design is the dominant requirement and you can absorb the residency risk.
Which one should you pick?
- You're an indie dev, freelancer, or small business under 5,000 submissions/month: splitforms. Free tier, DPA included, EU SMTP, auto-delete retention, $5/month or $59 for 4 years when you outgrow free. Start at splitforms.com/login.
- You're an enterprise with strict EU-only residency and budget: JotForm EU. Frankfurt-hosted, mature, expensive.
- Your DPO is obsessed with consent audit trails: Cognito Forms. Best consent UX in the round-up, but US-hosted.
- You're in healthcare or fintech and need HIPAA + GDPR: Formstack with the HIPAA add-on.
- You're embedding a long survey, not a contact form: JotForm EU or Cognito. Skip Typeform unless your site already has a cookie banner.
Browse more comparisons on the blog index, or look at the best free form backend services for 2026 for a wider lens that isn't GDPR-only.
How to switch to splitforms
Migration is HTML-only. Change the form's action URL and add a hidden access_key:
```html
<form action="https://splitforms.com/api/submit" method="POST">
  <input type="hidden" name="access_key" value="YOUR_ACCESS_KEY" />
  <input type="text" name="name" required />
  <input type="email" name="email" required />
  <textarea name="message" required></textarea>
  <!-- honeypot: hidden from humans, filled in by bots; submissions with a value are dropped -->
  <input type="checkbox" name="botcheck" style="display:none" tabindex="-1" />
  <button type="submit">Send</button>
</form>
```

To collect explicit GDPR consent, add a visible checkbox bound to a field name splitforms will log alongside the submission:
```html
<label>
  <!-- the value is the date of the consent text in force; it is stored with the submission -->
  <input type="checkbox" name="gdpr_consent" value="2026-05-10" required />
  I agree to the <a href="/privacy">privacy policy</a> and consent to my data being stored to respond to this enquiry.
</label>
```

The value attribute timestamps the consent-text version, so if you update your privacy policy later you can prove which version each submission accepted. Set per-form retention to 90 days in the dashboard, sign the DPA from Settings → Legal, and you're compliant in under five minutes.
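As an added illustration (not splitforms' or any other vendor's code), here is the server-side handling behind the criteria scored in this round-up: honeypot rejection, logging which consent-text version the `gdpr_consent` checkbox posted, a retention deadline fixed at write time, and a Subject Access Request export. The field names come from the snippet above; `CONSENT_VERSIONS` and the 90-day window are constructed sample values.

```javascript
// Added illustration, not splitforms' code: what a form backend has to do with
// the fields posted by the snippet above to satisfy the criteria scored here.
// Field names (botcheck, gdpr_consent) are the page's; CONSENT_VERSIONS and the
// 90-day window are constructed sample values.

// Constructed: consent-text versions keyed by the value the checkbox posts.
const CONSENT_VERSIONS = {
  "2025-01-01": "Privacy policy v1 (2025-01-01)",
  "2026-05-10": "Privacy policy v2 (2026-05-10)",
};
const DAY_MS = 24 * 60 * 60 * 1000;

// Validate one POST body and build the record that gets stored.
function processSubmission(fields, { retentionDays = 90, now = new Date() } = {}) {
  // Honeypot: a human never posts the hidden checkbox, so any value means a bot.
  if (fields.botcheck) return { ok: false, reason: "honeypot filled" };
  // Consent must be present and name a known version of the consent text, so the
  // record can later prove which wording the user accepted.
  const version = fields.gdpr_consent;
  if (!version || !(version in CONSENT_VERSIONS)) {
    return { ok: false, reason: "missing or unknown consent version" };
  }
  if (!fields.email || !fields.message) return { ok: false, reason: "required field empty" };
  // Data minimisation: copy only the declared fields, never the whole POST body.
  const record = {
    name: fields.name,
    email: fields.email,
    message: fields.message,
    consent: { version, text: CONSENT_VERSIONS[version], acceptedAt: now.toISOString() },
    // Retention: fix the deletion deadline at write time so the purge job is a plain filter.
    deleteAfter: new Date(now.getTime() + retentionDays * DAY_MS).toISOString(),
  };
  return { ok: true, record };
}

// Scheduled purge: keep only records whose deadline has not passed.
function purgeExpired(records, now = new Date()) {
  return records.filter((r) => new Date(r.deleteAfter) > now);
}

// Subject Access Request: every record held for one address, ready to export as JSON.
function exportForEmail(records, email) {
  const needle = email.trim().toLowerCase();
  return records.filter((r) => r.email.trim().toLowerCase() === needle);
}
```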
Framework-specific recipes: Next.js form backend, React form backend, Astro form backend. Grab a pre-wired template at /free-contact-form.
Need the migration steps from Formspree, Typeform, or JotForm? See migrate from Formspree and migrate from Typeform. Sign up at splitforms.com/login. API reference: /api-reference. FAQ: /faq.
FAQ
What actually makes a contact form GDPR-compliant?
Three things: a lawful basis for collecting personal data (usually consent or legitimate interest), data minimisation, and the ability to honour data-subject requests (access, deletion, export). Practically, that means an explicit consent checkbox on the form, a retention policy that doesn't keep submissions forever, a Data Processing Agreement (DPA) with the form vendor, and a list of sub-processors you can show to a DPO. The form tool you pick must let you do all four without paying extra for an Enterprise plan.
Do I need EU data residency to be GDPR-compliant?
Not strictly. GDPR allows transfers to non-EU countries that have an adequacy decision (UK, Switzerland, plus the EU-US Data Privacy Framework). But adequacy decisions get challenged in court — Schrems II vacated Privacy Shield in 2020. If your users are mostly in Germany, France, or strict-regulator jurisdictions, EU-hosted storage is the safer default. splitforms supports EU SMTP routing and EU storage on every paid plan; most US-only vendors don't.
Why is a DPA on the free tier important?
Under GDPR Article 28, you must have a written Data Processing Agreement with any vendor that processes personal data on your behalf. If a vendor only signs DPAs on Enterprise plans, you legally can't use them for a side project, a personal site, or an early-stage startup contact form — even if the free tier is technically generous. splitforms makes the DPA available on the free tier. Typeform, Formstack, and Wufoo gate it behind paid plans.
Is a hidden honeypot field GDPR-compliant?
Yes. A honeypot collects no personal data — it's a hidden form input that bots fill and humans don't see. Under GDPR, that's fine because no personal data leaves the user's browser when the field is empty. reCAPTCHA is the opposite: it fingerprints the visitor, reads cookies, and sends behavioural data to Google. That requires explicit consent and a cookie banner. See our breakdown at /blog/honeypot-vs-recaptcha.
What retention period should I set for contact form submissions?
GDPR doesn't pick a number — it says retain only as long as you need. Common defaults: 30 days for spam-prone marketing forms, 90 days for sales lead capture, 12 months for support tickets, indefinite only if the user explicitly opted in to a mailing list. splitforms lets you set auto-delete per form. Most other tools either keep submissions forever or require a manual purge. Auto-delete also reduces breach blast radius — data you don't store can't leak.
Do I still need a cookie banner if my form is GDPR-compliant?
If your form tool uses no cookies and no third-party trackers, then the form itself doesn't trigger banner requirements. But your site probably does — Google Analytics, Hotjar, Meta Pixel all set cookies that need consent. The form being clean helps, but doesn't replace a banner if other scripts on the page set non-essential cookies. Typeform and Tally inject their own analytics, which can trip cookie-consent obligations even if your site is otherwise clean.
Can I be GDPR-compliant using a US-based form vendor?
Yes, as long as the vendor has signed Standard Contractual Clauses (SCCs), is certified under the EU-US Data Privacy Framework, or you've completed a Transfer Impact Assessment. Most major US form vendors (Formspree, JotForm, Cognito Forms) have DPF certifications. The simpler path is to pick a vendor that supports EU storage and SMTP routing so the data never crosses the Atlantic in the first place — that removes a whole class of legal risk.
What's the cheapest GDPR-compliant option in this list?
splitforms — free up to 1,000 submissions/month with DPA on the free tier, EU SMTP option, auto-delete retention, and consent-field support. The closest paid alternative is Basin at $12.95/month. Tally has a free tier but the DPA isn't available there. Formspree, JotForm EU, Cognito, and Wufoo all gate either residency or DPAs behind paid plans. If you're under 5,000 submissions per month, splitforms at $5/month or $59 for 4 years is the cheapest compliant pick.