Why Airtable Bases Need a Privacy Policy
Airtable is not just a spreadsheet -- it is a full database platform that collects, stores, and processes personal data. If you use Airtable form views to collect submissions from visitors, share bases with external collaborators, or connect Airtable to other services via the API, you are processing personal data and need a privacy policy that discloses this processing under GDPR and CCPA.
Airtable Data Flows
Airtable bases collect and process data from multiple sources throughout your workflow.
Form View Submissions
- Names, email addresses, and phone numbers from form fields
- File attachments (photos, documents, resumes)
- Free-text responses that may contain personal details
- Submission timestamps and metadata
Workspace Collaborator Data
- Collaborator email addresses and display names
- Activity logs (who edited what and when)
- Permission levels and access history
- Comment threads and mentions
API and Integration Data
- Data imported from external services (CRMs, form tools, payment platforms)
- Data exported via API to third-party tools
- Webhook payloads containing personal information
- Automation triggers sending data to Slack, email, or Zapier
Attachment Storage
- Files uploaded to attachment fields are stored on Airtable servers (AWS S3)
- Attachment URLs are temporarily accessible without authentication
- Images, PDFs, and documents may contain personal data or metadata
Airtable attachment URLs expire after a few hours but can be regenerated by anyone with base access.
Airtable as Data Processor
Under GDPR, you are the data controller and Airtable acts as your data processor. This distinction matters because you are responsible for obtaining consent and disclosing how data is used, while Airtable processes it on your instructions.
| Responsibility | You (Controller) | Airtable (Processor) |
|---|---|---|
| Obtaining consent | Yes -- you must collect and record consent | No |
| Deciding what data to collect | Yes -- you design the base fields | No |
| Storing data securely | Shared -- configure permissions | Yes -- infrastructure security |
| Responding to data requests | Yes -- you handle subject access requests | Assists on request |
| Data Processing Agreement | Must sign Airtable DPA | Provides DPA |
GDPR Compliance for Airtable Users
Airtable stores data on US-based servers (AWS). If you collect data from EU residents, you must address international data transfers in your privacy policy.
Data location: Airtable stores all data in the United States. EU data is transferred under Standard Contractual Clauses (SCCs) included in Airtable's DPA.
Lawful basis: Consent (form submissions), legitimate interests (collaborator management), or contractual necessity, depending on context.
Data retention: Data remains in Airtable until you delete it. Deleted records may persist in backups for up to 30 days. Snapshots retain data per your plan limits.
Subject access requests: You must be able to export, correct, or delete individual records when users exercise their GDPR rights.
Automations: Airtable automations that send data to third parties (email, Slack, webhooks) create additional data flows you must disclose.
What Your Airtable Privacy Policy Must Include
Your privacy policy should cover each of these areas specifically:
Form Data Collection Disclosure
Explain what data your Airtable forms collect, why you collect it, and how long you keep it. Link to the form from your privacy policy.
Third-Party Data Sharing
List all services that receive data from your Airtable base -- Zapier, Make, email providers, Slack, or any tools connected via API or automations.
Airtable as Sub-Processor
Disclose that Airtable (a US company) stores and processes data on your behalf. Reference their privacy policy and DPA where applicable.
Collaborator and Shared View Access
Describe who has access to the data -- workspace collaborators, shared view recipients, and anyone with shared links to views or interfaces.
Data Security Measures
Outline how you protect data within Airtable -- permission levels, field-level restrictions, and interface-only access for limited collaborators.