FormBuilder.Tools

What is Data Retention Control?

Data retention control in form builder tools is the ability to decide how long the data you collect is retained. It might mean setting an automatic deletion schedule, restricting how long files are downloadable, or giving respondents a way to request removal of their own submissions. Depending on the tool, you might have a lot of control over this, a little, or none at all. Most people don't think about this until they have to.

The details that you should be aware of before you commit

  • Most tools retain your data indefinitely by default: Unless you actively configure a retention policy, submissions typically sit on the form builder's servers for as long as your account exists. And in some cases, for a period after your account is closed or you manually delete your data (Some governments require this from form builder tools due to security reasons). So, make sure to clarify this by checking documents or getting in touch.
  • GDPR's storage limitation principle has teeth: Article 5(1)(e) of GDPR requires that personal data be kept "no longer than is necessary" for the purpose it was collected. If you're collecting data from EU residents and storing it indefinitely on a form builder's platform because you never thought about retention, that's a compliance gap. Data retention control is one of the tools that helps close it. But it needs to be configured, not just available.
  • The retention setting and the backup schedule are different things: A tool might delete your submission from the main database after 30 days, but still hold it in backups for longer. If you need hard deletion guarantees, for compliance or legal reasons, check the tool's documentation on backup retention separately. It's usually in their DPA (Data Processing Agreement), not in the feature list.
  • Automatic deletion is irreversible: This sounds obvious, but it's worth stating plainly. If you configure submissions to delete after 60 days and then realise on day 90 that you needed a specific response, it's gone. Some tools offer a soft-delete or trash period before permanent deletion; some don't. Know which you're dealing with before turning it on.
  • You need to disclose your retention policy: Unless your form links to a privacy policy that explains your retention period, respondents have no way of knowing. If your forms collect personal data, a disclosure, even a brief one, is good practice, and in many contexts, required.

Questions to ask before picking a tool with data retention control

  • Does the tool support automated, time-based deletion, or only manual deletion?
  • If automated deletion is available, is it per-form or account-wide?
  • What happens to uploaded file attachments — are they covered by the same retention setting?
  • Is there a grace period or soft-delete before submissions are permanently removed?
  • Where is this documented in the tool's DPA or privacy documentation?
  • Does the tool's own infrastructure retain backups beyond your configured deletion window?

Frequently asked questions

Is data retention control required for GDPR compliance?

Not in the sense that GDPR mandates a specific feature. But GDPR does require that personal data not be kept longer than necessary (Article 5(1)(e)), and it gives individuals the right to request deletion of their data (Article 17). Data retention controls are a practical way to operationalise both. Whether you need them depends on what you're collecting, who from, and how your organisation handles compliance. A privacy or legal professional is better placed to advise on your specific situation than a form builder's marketing page.

What's the difference between deleting a submission and anonymising it?

Deletion removes the record entirely. Anonymisation strips out the identifying information, name, email, IP address, but keeps the response data. Some tools offer anonymisation as an alternative to deletion, which can be useful when you need aggregate response data for analytics but no longer have a legal basis for holding the personal information it was attached to. Both are valid approaches; which is appropriate depends on your purpose for keeping the data.

If I delete submissions from my form builder, are they really gone?

Not necessarily immediately. Most platforms retain backups for disaster recovery purposes, and deleted data can persist in those backups for days or weeks before being purged. If you need hard deletion (for legal, regulatory, or contractual reasons), you'll need to check the platform's Data Processing Agreement (DPA) to understand its backup retention policy. What's described in the feature list and what's in the DPA can be different.