Core Forms integrates with the WordPress privacy system to support GDPR compliance. This includes data export and data erasure for privacy requests.
Data Export
When a site administrator processes a privacy data export request (via Tools > Export Personal Data), Core Forms exports all submission data associated with the requested email address.
The export searches the JSON data column in the submissions table for the email address. Matching submissions are included in the exported ZIP file with these details:
- All submitted field values
- Submission date
- IP address (anonymized)
- User agent
- Referrer URL
- Form name
The exporter is registered under the name “Core Forms” in the WordPress privacy export tool.
Data Erasure
When a site administrator processes a privacy data erasure request (via Tools > Erase Personal Data), Core Forms deletes all submissions associated with the requested email address.
The eraser searches the same JSON data column for the email address and permanently removes matching submissions from the database.
How It Works
The GDPR integration is handled by the Admin\GDPR class, which:
- Registers a data exporter via wp_register_personal_data_exporter.
- Registers a data eraser via wp_register_personal_data_eraser.
Both the exporter and the eraser search for the email address within the JSON-encoded submission data. This means they match any field containing the email address, not just fields named “email”.
IP Address Handling
IP addresses are collected and stored for security purposes (spam detection, abuse prevention). In the data export, IP addresses may be anonymized.
If you want to disable IP address collection entirely, you can filter the submission data before it is saved:
add_action( 'cf_process_form', function( $form, $submission ) {
    // Blank the IP address so it is not stored with the submission.
    $submission->ip_address = '';
}, 10, 2 );
Consent Considerations
Core Forms itself does not include a consent checkbox. If your jurisdiction requires explicit consent before collecting data, add a required checkbox to your form:
<p>
    <label>
        <input type="checkbox" name="consent" value="yes" required />
        I agree to the <a href="/privacy-policy/">Privacy Policy</a>
    </label>
</p>
Then add consent to the form’s required fields to enforce it.
Email Logs
Email logs contain recipient addresses, subject lines, and message content. These are not currently included in privacy export/erasure requests. If you need to clean up email logs for GDPR compliance, use the cf_delete_old_email_logs() function or manually query the wp_cf_email_logs table.
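Because email logs fall outside the built-in export and erasure handling, one way to cover them is a custom eraser registered through the WordPress wp_privacy_personal_data_erasers filter. This is an added example, not Core Forms code; the function name my_cf_erase_email_logs and the id and recipient column names are assumptions, so check the wp_cf_email_logs schema first.

```php
<?php
// Added example, not part of Core Forms.
// Assumptions: the email log table has `id` and `recipient` columns, and
// `recipient` holds a single bare address. Adjust to your actual schema.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['cf-email-logs'] = array(
        'eraser_friendly_name' => 'Core Forms email logs (custom)',
        'callback'             => 'my_cf_erase_email_logs', // hypothetical name
    );
    return $erasers;
} );

function my_cf_erase_email_logs( $email_address, $page = 1 ) {
    global $wpdb;

    $table = $wpdb->prefix . 'cf_email_logs';
    $batch = 100; // rows per pass; WordPress calls again until 'done' is true

    // Exact match on the recipient; prepare() escapes the requested address.
    $ids = $wpdb->get_col(
        $wpdb->prepare(
            "SELECT id FROM {$table} WHERE recipient = %s LIMIT %d",
            $email_address,
            $batch
        )
    );

    $removed = 0;
    foreach ( $ids as $id ) {
        // delete() returns the number of rows removed, or false on error.
        $removed += (int) $wpdb->delete( $table, array( 'id' => (int) $id ), array( '%d' ) );
    }
    $failed = count( $ids ) - $removed;

    return array(
        'items_removed'  => $removed > 0,
        'items_retained' => $failed > 0,
        'messages'       => $failed > 0
            ? array( "{$failed} email log rows could not be deleted." )
            : array(),
        // Rows are deleted as we go, so a short batch means none remain.
        // Stop on failure too, so a stuck row cannot loop the request forever.
        'done'           => $failed > 0 || count( $ids ) < $batch,
    );
}
```

The eraser then runs alongside the “Core Forms” eraser whenever a request is processed under Tools > Erase Personal Data.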
Data Retention
Core Forms does not automatically delete old submissions. Data is retained indefinitely unless manually deleted by an administrator or removed via a privacy erasure request. If you need automatic data retention limits, implement a scheduled cleanup:
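// Schedule a daily cleanup event if one is not already queued.
add_action( 'init', function() {
    if ( ! wp_next_scheduled( 'cf_cleanup_old_submissions' ) ) {
        wp_schedule_event( time(), 'daily', 'cf_cleanup_old_submissions' );
    }
} );

// Delete submissions older than 365 days each time the event fires.
add_action( 'cf_cleanup_old_submissions', function() {
    global $wpdb;
    $table = $wpdb->prefix . 'cf_submissions';
    // No user input reaches this query; the table name comes from $wpdb->prefix.
    $wpdb->query(
        "DELETE FROM {$table} WHERE submitted_at < DATE_SUB(NOW(), INTERVAL 365 DAY)"
    );
} );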