Automation Compliance

Privacy Policy for Zapier

Zapier connects hundreds of apps and transfers personal data between them automatically. Your privacy policy must disclose every data flow your Zaps create.

For Zapier users, automation builders, and developers.

Written by Anupam Kumar
Last updated: April 2026
Reviewed for compliance

1. Why Zapier Users Need a Privacy Policy

Zapier is an automation platform that connects over 6,000 apps. Every Zap you build creates a data pipeline -- personal information flows from a trigger app through Zapier to one or more action apps. Under GDPR and CCPA, you must disclose these automated data transfers to your users.

Key point: A single Zap can send a customer email from your form tool to Google Sheets, Mailchimp, and Slack simultaneously. Each destination is a separate data sharing disclosure you must include in your privacy policy.

Beyond Zaps, Zapier now offers Tables (a database product) and Interfaces (form and page builders) that collect data directly from visitors. If you use these features, you are collecting personal data through Zapier itself, not just routing it.


2. Data Flowing Through Zaps

Every Zap creates a data flow that your privacy policy must account for.

Trigger Data (Incoming)

  • Form submissions with names, emails, and custom fields
  • New customer records from CRMs or ecommerce platforms
  • Payment events with transaction and billing data
  • Email and calendar events containing participant details

Action Data (Outgoing)

  • Data written to spreadsheets, databases, or Airtable
  • Subscriber data sent to email marketing platforms
  • Customer details posted to Slack or team messaging tools
  • Records created in project management tools like Trello

Zapier Tables and Interfaces

  • Zapier Tables store structured data that persists between Zap runs
  • Interfaces collect form submissions and display data to visitors
  • Chatbots built with Interfaces may collect conversation data

Tables and Interfaces turn Zapier from a pass-through automation tool into a data storage platform.

What Zapier Retains

  • Task history logs that include input and output data (retained based on plan)
  • Free plans retain task history for 7 days, paid plans up to 1 year
  • Authentication tokens and API keys for connected accounts

3. Zapier as Data Processor

Under GDPR, Zapier acts as a data processor that handles personal data on your behalf. You remain the data controller and are responsible for ensuring compliance across your entire automation chain.

| Aspect | You (Controller) | Zapier (Processor) |
|---|---|---|
| Building Zaps | You decide what data flows where | Executes your instructions |
| Consent collection | You obtain consent before data enters Zaps | No direct role |
| Multi-app disclosure | You list every connected app | Provides sub-processor list |
| Data deletion | You handle deletion requests across all apps | Deletes task history on request |
| DPA | Must sign Zapier DPA | Provides DPA for all plans |

Important: Each app connected through Zapier is a separate sub-processor. A Zap with 5 action steps means personal data is shared with 5 different third-party services, and each must be disclosed.

4. GDPR Transfer Implications

Zapier is a US-based company, and data processed through Zaps passes through US servers. For EU personal data, you must address international transfer mechanisms.

Data location: Zapier processes data on US-based infrastructure (AWS). EU data transfers rely on Standard Contractual Clauses (SCCs) in Zapier's DPA.

Chain of transfers: Data may flow from an EU user to your trigger app, to Zapier in the US, then to each action app (potentially in different countries). Each hop is a transfer.

Lawful basis: Consent or legitimate interests for automation processing. Contractual necessity if automations are part of service delivery.

Data minimization: Only map the fields you actually need in each Zap step. Avoid passing entire records when you only need an email address.

Task history: Zapier's task history contains full input/output data. Configure your plan's retention settings and note this in your privacy policy.


5. What Your Zapier Privacy Policy Must Include

Your privacy policy should specifically address these Zapier-related areas:

Complete App List Disclosure

List every third-party app connected through your Zaps that receives personal data. Group them by purpose -- email marketing, CRM, analytics, project management.

Automated Processing Description

Explain that data is transferred automatically between services without manual review, and describe the purpose of each automation.

Zapier Data Retention

Disclose that Zapier retains task history (including personal data) for up to 1 year depending on plan, and that Tables data persists until it is deleted.

International Transfer Disclosure

State that Zapier processes data in the US and explain the safeguards in place (SCCs, DPA) for international data transfers.

Data Subject Rights Across Apps

Explain how users can exercise deletion, access, and correction rights when their data exists across multiple connected apps.


Generate Your Zapier Privacy Policy

Create a customized privacy policy that covers your Zapier automations, connected apps, and data transfer disclosures.

Free preview, one-time payment, automation-specific disclosures.

Structured around widely accepted GDPR and CCPA requirements. Not legal advice.

