If you’re collecting names, emails and phone numbers through a form, you’re processing personal data, which means GDPR (and equivalent privacy laws in the UK, EU, US states, Canada and elsewhere) applies. This article covers the practical basics: what you need to do, what we handle for you, and what counts as a sensible level of care.
This isn’t legal advice. For that, talk to a solicitor or privacy professional. But for most small service businesses, the rules are a lot simpler than they sound.
What counts as personal data
Anything that can identify a real person, directly or indirectly. In a typical quote form, that’s:
- Name, email, phone number, obviously personal
- Address or postcode, personal, especially in combination with a name
- Photos uploaded by the customer, usually personal
- Free-text fields where customers share project details, often personal (they might mention themselves, family members, business details)
What’s not usually personal data: the form answers themselves when isolated from the contact details (e.g. “3 bedrooms, deep clean, £180”). But once attached to a name, the whole record becomes personal data.
What you need to do as the form owner
Three basics that cover most situations for a small service business:
1. A privacy notice the customer can find
You need a privacy notice somewhere the customer can read it before submitting the form. Doesn’t need to be a 5,000-word legal document. A clear one-pager covering:
- What data you collect (“name, email, phone, project details”)
- Why you collect it (“to provide a quote and respond to your enquiry”)
- Who you share it with (“our quote-form provider Quotify; we don’t sell or share with anyone else”)
- How long you keep it (“12 months after the enquiry, unless we have an ongoing relationship”)
- The customer’s rights (“you can ask us to delete your data at any time — email us at…”)
Most small businesses don’t need a separate privacy policy per form. A single privacy page on your website, linked from the form, is fine.
2. A lawful basis to process the data
For quote forms, this is almost always “legitimate interest” (you’re providing a service the customer specifically asked for) or “performance of a contract” (they asked you to quote). You don’t typically need a separate opt-in checkbox just to send the quote they requested.
You do need an opt-in if you’re going to add them to a marketing list, send them unrelated promotional emails, or share their data with third parties beyond fulfilling the quote.
3. A way for customers to ask about or delete their data
If a customer asks “what data do you have about me?” or “please delete my data”, you need to respond, usually within 30 days. Most of the time this never happens, but it has to be possible. A simple email address ([email protected]) is sufficient.
What Quotify handles
The infrastructure pieces (secure storage, encryption in transit, access controls, backups) are handled at the platform level. As the form owner, you don’t need to set up servers, configure encryption, or worry about where the bytes live day-to-day.
What you do control:
- Who at your business can see the submissions
- How long you retain leads in your CRM after exporting them
- Whether you use the data for anything beyond responding to the quote
We don’t sell or share form submission data with anyone, and we don’t use submissions to train models or anything similar.
Cookies and tracking
A Quotify form doesn’t drop marketing or advertising cookies on your visitor’s browser. The form does use a small amount of essential storage (e.g. to remember progress in a multi-step form), but that’s classified as strictly necessary under GDPR and doesn’t require explicit consent.
If you’ve added Google Analytics, Meta Pixel, or other tracking to the page the form sits on, that’s a separate consideration. Those will need a cookie banner, but that’s about your site, not the form.
A practical “good enough” privacy setup
For a small service business with no specific privacy expertise on the team:
- Add a one-page privacy notice to your website (most website builders have a generator; tweak the output)
- Link it from the form (a small “Privacy policy” link below the submit button is standard)
- Add a line to your form’s confirmation message: “You can ask us to delete your data at any time, just reply to this email.”
- Set a calendar reminder to delete old leads from your CRM annually (12-24 months is a common retention window)
- Don’t add customers to marketing lists without an explicit tick-box opt-in
That’s the 95% solution. For specific compliance questions (medical, financial, children’s data, etc.), consult a professional.
Things to avoid
- Adding submitted email addresses to a newsletter without asking. Legal grey area at best; bad-faith at worst.
- Forwarding lead data to third parties (other businesses, partners) without telling the customer. Even for legitimate referrals, name it in your privacy notice.
- Asking for personal data you don’t need. “Date of birth” on a kitchen quote form is a privacy red flag and rightly so.
- Storing form submissions indefinitely. Set a retention policy and stick to it. The longer you keep data, the bigger the impact if anything ever goes wrong.
Related reading
- Email notifications for new quotes, where the customer’s contact data flows after submission
- Pre-launch checklist for your quote form, including privacy-link checks before you go live