JotForm

JotForm

JotForm is an online form builder used to create contact forms, surveys, order forms, and registration pages. Scripts embed form iframes or inline form widgets on host websites. Submission data is stored in JotForm's platform and can trigger email notifications and third-party integrations.

Back to Vendor Library

Overview

JotForm is a web-based form builder with over 20 million users worldwide, used to create contact forms, surveys, order forms, registration pages, and payment collection forms. It embeds forms on host websites as iframes or inline widgets, with all submission data stored and managed within JotForm's platform.

What This Script Does

JotForm's client-side presence consists of an embed snippet (a short JavaScript block or iframe tag) that loads the full form UI from JotForm's servers.

Script Files and CDN Domains

  • form.jotform.com — Primary form rendering domain serving the form HTML, JavaScript, and CSS
  • cdn.jotfor.ms — CDN domain (note alternate spelling) delivering form assets including images, JavaScript libraries, and widget files
  • submit.jotform.com — Endpoint receiving form submission POST requests
  • The embed snippet itself is typically a few lines of JavaScript or a direct <iframe> pointing to a unique form URL

Cookies Set

  • JFBLT_* — Form session token cookies set on the jotform.com domain within the iframe context. Short-lived (session-scoped), used to prevent duplicate submissions and maintain form state between multi-step form pages.
  • _ga, _gid — Google Analytics cookies may be set within JotForm's iframe if JotForm has its own GA configuration. Persists 2 years / 24 hours respectively.
  • No persistent first-party tracking cookies are set on the host website's domain.

Data Collected Per Submission

  • All user-entered form field values (name, email, phone, address, custom fields)
  • File uploads (stored in JotForm's cloud storage)
  • IP address and user-agent (captured server-side at submission)
  • Submission timestamp and form session metadata

Integrations and Data Forwarding JotForm supports 100+ native integrations. On submission, data can be automatically forwarded to HubSpot, Salesforce, Mailchimp, Google Sheets, Slack, Zapier, and payment processors (Stripe, PayPal, Square). Each integration represents an additional downstream data processor.

Multi-Step and Conditional Logic Multi-page forms maintain state via the form session token across page navigations within the iframe. Conditional logic (showing/hiding fields) executes entirely client-side within the JotForm iframe.

Consent & Compliance

Consent category: Functional

  • GDPR: JotForm acts as a data processor under GDPR. A Data Processing Agreement (DPA) is required — JotForm provides a standard DPA. Form submissions containing personal data require a lawful basis (typically contract performance or legitimate interest for contact forms, explicit consent for lead generation). The form itself does not require a consent banner, but the data collected through it must be disclosed in the site's privacy policy.
  • ePrivacy: Cookies set within the JotForm iframe are scoped to jotform.com, not the host site domain. Under strict ePrivacy interpretation, third-party iframe cookies require consent. Functional session cookies for multi-step form state may qualify for exemption if strictly necessary for the form to operate.
  • CCPA/CPRA: Form submissions are provided directly by the user and do not constitute a sale of personal information. However, data forwarded to third-party integrations (HubSpot, Salesforce, etc.) must be disclosed.
  • EU-US Data Privacy Framework: JotForm is a US company. Data transfers rely on SCCs; verify current DPF participation status.

Should You Block This Without Consent?

No. JotForm serves a functional purpose initiated directly by the user. Contact forms, support request forms, and registration forms are user-initiated interactions that do not require prior consent to load. The cookies set are for form session management, not cross-site tracking. Ensure JotForm is listed as a data processor in your privacy policy and that a DPA is in place.

Visit website

Consent Categories

Functional

Also Known As

JotFormJotForm embedonline form builderJotForm iframeform data collectionJotForm GDPR

Industries

Computers Electronics and TechnologyProgramming and Developer Software

Tracked Domains (3)

jotform.comFunctional
cdn.jotfor.msFunctional
form.jotform.comFunctional

Frequently Asked Questions

Do I need consent to use JotForm?

No. JotForm serves a functional purpose — visitors deliberately submit forms to contact businesses, register for events, or complete orders. Core form functionality does not require tracking cookies. Session cookies within the JotForm iframe manage multi-step form state and are strictly necessary for the form to operate.

What cookies does JotForm set?

JotForm sets JFBLT_* session token cookies on jotform.com within the iframe to prevent duplicate submissions and maintain multi-step form state. No persistent first-party tracking cookies are set on the host site's domain. Google Analytics cookies (_ga, _gid) may appear inside the iframe if JotForm has its own GA configuration.

How does ConsentStack detect JotForm?

ConsentStack classifies JotForm as functional and does not block it. It is detected via form.jotform.com and cdn.jotfor.ms iframe and script loads. Because form embeds are user-initiated and set no host-domain tracking cookies, ConsentStack allows JotForm unconditionally and recommends listing it as a data processor in the site's privacy policy.

Related Vendors

Google Maps
Google Maps
Google Maps is the dominant web mapping service used for embedded maps and location features on websites. Scripts load interactive map tiles, geocoding, and Places API functionality through the Maps JavaScript API. May set cookies to remember map preferences and manage API quota.
Google Search
Google Search
Google Search appears on websites through the Programmable Search Engine, enabling custom site-specific search functionality. Scripts load the search widget from Google's servers to render search bars and display results within the host website. Sends search queries to Google's index and may set cookies for search personalization and query history.
Google
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Microsoft Teams
Microsoft Teams
Microsoft Teams is a workplace communication and collaboration platform that can be embedded on websites for chat, meetings, and document sharing. Embedded widgets load from Microsoft's servers to enable real-time messaging, video calls, and file collaboration. Sets authentication and session cookies to verify participant identity and maintain connection state.
Apple Maps JS
Apple Maps JS
Apple Maps JS is Apple's JavaScript mapping framework for embedding interactive maps on websites. Scripts load map tiles, location pins, and routing data from Apple's MapKit servers to render navigable maps within web pages. Requires a MapKit JS token for authentication but does not set tracking cookies or collect behavioral analytics data.
Apple Business Chat
Apple Business Chat
Apple Business Chat enables direct customer messaging between websites and Apple's Messages app. Scripts load chat buttons and conversation interfaces that connect visitors to business support agents through iMessage. Sets minimal session cookies to maintain conversation context but does not track browsing behavior or collect analytics data.

Manage consent for JotForm

ConsentStack automatically detects and manages JotForm trackers so your site stays compliant with global privacy regulations.

Get started free