But there's literally hundreds of competing form builders on the market, and the options are just super overwhelming. The costs of the high-quality alternatives are exorbitant which doesn't help when you're already struggling to make a profit.

Don't worry: I'm here to guide you through what makes an engaging, high-converting lead gen form that will actually make you money. These tips are all easy to implement and will rapidly improve your engagement rates.

1. Keep it simple​

Take some time to consider where your user is in their journey.

They've just clicked your Instagram ad and its taken them to your form. They're maybe slightly curious about you, but filling in their data takes effort and time.

Remember, average consumer attention is 8 seconds. Think: can you fill your form in 8 seconds?

Although you may be running a B2B strategy, you're still marketing to human beings at the end of the day, so some careful engineering is crucial.

Some questions to ask:

• Do you really need your lead's full home address?
• Do you need their phone number and email? Can you just make do with one?
• Are you presenting all the questions at once? It might feel overwhelming.

The simpler your form, the more likely users are to complete it all the way through. Scrape it down to its bare minimum, collecting only the information you genuinely need, and removing any surplus details.

This example collects all the data you need to do some basic research on the person and company, as well as a way to contact them. In 99% of cases, you really don't need more data than this!

Good example

2. Give repeated reassurance​

Modern-day consumers are increasingly worried about how their data is handled. Every new data point you're collecting will need a sort of "mental" justification for many people, which can be easy to forget when you're solely focussed on collecting as much data as possible.

It's important to be super clear about how you're handling their data and what security practices you'll be using. Not only to make leads feel comfortable, but also to ensure you're following data protection laws such as the GDPR. Here's some simple things you can do:

• At the start of the form, include a link to your Privacy Policy. Not only is this legally required, it makes your business look super professional and convinces your users they're in comfortable hands.
• Use an end-to-end encrypted form builder. The majority of form builders on the market such as Google Forms and Typeform don't fully encrypt response data. Users can feel creeped out by this, and it exposes you to serious data breaches. Try Palform, which offers unlimited responses for free, and security standards that outperform the entire industry.
• Explain briefly why you need their contact details. If you'll be sending them a newsletter, make that clear! Most people will only be interested in talking to you directly, and reassuring them they won't receive any unwanted emails can increase their confidence.

3. Use a lead magnet​

There's nothing more exciting than getting free stuff.

Present an appetising offer from the get-go. This makes it clear your form is worth filling out, and it's possibly the best way to reduce dropoff. Customers will be willing to spend way more time providing their data if they know they're getting something in return.

Some examples include:

• Free trials: make sure these sound exclusive and exciting, for example by giving an offer that isn't normally advertised by your company.
• Lifetime deals: offer a limited-time one-off price that gets users unlimited lifetime access to your normally subscription-based product. This is a much easier sell and often something that's just too good to miss.
• Free consultations: offer a way to speak to a real human being. It's getting rarer to see genuine humans behind ever-growing mysterious SaaS companies, so standing out from the crowd can help you here.

Or try offering a guide/resource that promises to solve common problems experienced by your target audience, like in this example form:

Good example

4. Make sure your design stands out​

The worst mistake you can make is using ugly forms that look unprofessional. Google and Microsoft forms just scream "low effort" and convince your leads you're not taking them seriously.

Not to mention:

• your branding is basically completely non-existent
• it's on a random domain that's impossible to memorise
• a megacorporation known for non-stop data breaches gets front-row access to your data
• and so on...

Use a form builder that gives you powerful customisation options: you want to be able to modify everything, from colours to images, and border rounding to font settings. Palform offers a sophisticated branding scheme editor that consistently applies your organisation's design to all your forms.

Take a look at this heavily-branded example:

Good example

It conveys a sense of luxury and elegance that an unbranded form simply wouldn't. Add a logo and some more custom assets, and it's perfect!

5. Handle the response surge!​

Now that you've made the perfect lead gen form, it's important to be prepared for the surge of response you'll inevitably receive.

But here's where the real obstacle comes in. Nearly all form builders have annoying response limits!

Take Typeform as an example. On the free plan, you're restricted to a mere 10 responses per month. If you want more, you'll have to hand over at least £21 per month. And that still only gets you 100 responses.

The number of posts on X about Typeforms filling up and breaking down is constantly growing and quite sad to look at. There's nothing more unprofessional than your form just ceasing to work in the middle of the night and losing leads to it.

With Palform you get unlimited responses completely free of charge. In fact, all plans include unlimited responses. Your forms will just keep growing with you at no extra cost, so you can actually get some sleep! Feel free to post the submission link anywhere on the internet and stop worrying.

Conclusion​

Hopefully you've gained some good tips on how to level up your forms and optimise them for higher conversions. It's something that often takes hours of experimentation, and you'll probably fail a few times before you land on a winning design. The important thing is to keep iterating and getting feedback!

This article was written by Pal Kerecsenyi, Founder of Palform. Sign up for free now and get unlimited responses with the world's most secure form builder.

Got any questions? Email hey@palform.app and we'll get an actual friendly human to help you.

Typeform is beloved by marketing teams the world over — and with good reason! Since its launch in 2014, it's revolutionised the way people collected data. Rather than just a bland series of boxes and buttons, forms were now brilliantly colourful full-featured experiences that end-users actually enjoyed filling out.

However, Typeform's rapid growth has introduced a range of problems for its users. The extreme pricing makes it an increasingly hard option to justify, and the complex web of new features and models greatly grows the learning curve over time.

Maybe it's time to look for a simpler, friendlier, more secure, and more affordable alternative. Read on to find out why.

1. Unaffordable pricing​

It's no secret that Typeform is the "luxury" option on the market. While not offering substantially more value than competitors, its pricing gives the appearance that it does something no other form builder can do.

The free plan, neatly hidden at the very bottom of their pricing page, includes only 10 responses per month. Even an extremely simple student research project will easily exceed this number, making it nearly useless for anything other than tiny-scale demos.

From there, pricing just scales into oblivion:

• £21/month for 100 responses
• £41/month for 1,000 responses
• £66/month for 10,000 responses

Even other variables like user count or file upload size get limited between plans. This makes forecasting really difficult and can easily end up costing you heavily. Once you're locked in, switching might be difficult.

In fact, some features are hidden behind a "Contact Sales" enterprise option, rendering some pricing options invisible and unpredictable.

Palform, a leading competitor, offers unlimited responses even on the free plan. You only pay for advanced features like brand customisation or a custom subdomain. A simple flat fee makes it an easier option to buy with confidence and security. All pricing information is fully open, and there's no special features you need to sign a complex contract to access.

2. Privacy issues​

Typeform's main servers are hosted in the US, despite the company itself being based in Barcelona. While from a legal perspective this isn't a direct violation of the GDPR, many European users will be skeptical about their data going through such Barcelona. While from a legal perspective this isn't a direct violation of the GDPR, many European users will be skeptical about their data going through such seemingly unnecessary international transfers.

Internet users want privacy more than ever, and your company can gain increased engagement simply by choosing high-quality service providers that show a clear commitment to treating end-user data with respect and compliance.

Furthermore, while they wouldn't necessarily use it regularly, Typeform has access to all your response data. If they wanted to (or e.g. if they were required to by a court order), they could see any potentially confidential data submitted by your customers. While they employ at-rest and in-cloud encryption, this doesn't completely prevent certain members of their own staff (or a hacker posing as such) from accessing your data.

To be clear, this is the standard model used by the majority of cloud-based services. Despite this, the number of data breaches keeps growing year-on-year. A lot of these breaches could be prevented by employing more secure full end-to-end encryption.

With new players in the field such as Palform, Jotform (under certain settings), and BlockSurvey this means the data is fully encrypted between the end-user's browser and yours. Absolutely nobody, not even the form service themselves can see the responses.

3. Over-complicated new features​

Typeform is under constant development, and a host of new features have been added since 2014. These have increased flexibility, but arguably have also made the platform much more complex and hard to navigate, especially for new users.

New additions such as personalised video content, CRM data enrichment, and AI analysis may seem helpful. But do you really need them? They're likely to creep out your users, while also distracting Typeform from really perfecting their platform's core. Sometimes, less is more.

4. Closed-source code​

We get it, this is a technical one. But it really makes a big impact!

Typeform, like almost all competing form builders, is closed-source. You can't see the code behind the platform that handles all your trusted customer data and sensitive information. While this may seem trivial at first, consider the implications: you have zero insight into how that data gets handled. Maybe it gets sent to a wide range of third-party services you had no idea about. Or maybe there are serious security vulnerabilities. You simply can't tell.

Of course, open source code isn't inherently secure, despite popular belief. However, sharing the code implies that the company is so confident in its security that it'll allow anyone to inspect it. In fact, it'll even accept improvements and bug fixes from anyone who wants to contribute.

There's a whole host of other benefits to open source codebases, and it's absolutely something you should be considering when looking for a form builder. You can read more about Palform's motivation for releasing its source code.

Is it worth my time?​

Switching away from Typeform isn't as hard as it seems. Most form builders offer a consistent and predictable set of features, and usually a consistent UI to go along with it. Setting up your branding and adding all your questions never takes more than a few minutes, and you could get great benefits by making a simple switch, including:

• Massively reducing your bills
• Improving security and customer trust
• Experiencing a simpler, less disorientating set of features

If you need more inspiration for which platform to choose, read our article comparing 7 of the best.

Thanks for reading! This article was written by Pal Kerecsenyi, founder of Palform. If you have any questions, please contact hey@palform.app.

It's an ambitious project, and I'm well aware that transparency is critical. I've implemented a range of security practices to ensure Palform can deliver on these claims. However, there's also a range of compromises I've had to make to ensure a good balance between usability and security.

This post aims to lay out clearly what Palform protects you against and how, and also what it doesn't protect you against.

Security practices​

End-to-end encrypted responses​

Palform end-to-end encrypts all responses to forms, meaning no intermediaries (Palform, our server providers, infrastructure operators, etc.) are able to see them. This is always on (unlike e.g. Jotform where it's an opt-in feature) and cannot be turned off. This helps reassure users that when they see a Palform, it will be encrypted.

Correctly implemented encryption is one of the most powerful methods of safeguarding data. It's something no major form builders provide by default.

Palform uses OpenPGP through the Sequoia PGP library (in Rust). Compared to other implementations, this is written in a memory-safe language (automatically eliminating whole categories of vulnerabilities) while still being maintained very actively.

Open source code base​

The entirety of Palform is open source, including the complete backend/frontend, the landing page, and even this blog post. I develop it fully in public, with no "hidden" code.

I know, it's not guaranteed secure just because it's open source.

However, it's a step in the right direction. As I mentioned in a previous post, the client-side part of Palform performs a lot of encryption work in opaque binary WASM files (primarily for performance reasons). Having to murkily reverse engineer these would massively hinder users' confidence in the cryptography being applied correctly.

Having a public changelog also increases accountability and transparency into everything we do.

I'm also working on a self-hosted version, which I'll be posting updates on soon!

Third-party providers​

There's certain elements of Palform that I can't reinvent from scratch. Right now, it uses third-party services for these components:

• Email notifications (Mailgun)
  • Your name and email address are passed to Mailgun, as well as the names of your forms when there's a response.
  • We never pass encrypted or plaintext response data to Mailgun
• Captcha (Cloudflare Turnstile)
  • This is more private and less annoying than e.g. Google reCAPTCHA.
  • It's only loaded on pages where it's needed. By default it's not loaded on form fill pages, unless the form captcha feature is enabled.
• Analytics (Plausible Analytics)
  • This is only loaded on the landing page and blog/docs pages. It does not collect any personally identifiable information.
• Payments (Stripe)
• Server and database hosting (Scaleway)

Other than this, everything is built into the codebase. Reducing dependence on third-parties helps the open source nature of Palform and will make it easier to set up self-hosting.

No plaintext response data is ever passed to any third-parties.

We don't track any of your personal info for advertising purposes, and we don't operate any ads on our websites.

Data location​

All data is stored and hosted in the EU on Scaleway's servers, and so is subject to the strict privacy regulations of the GDPR.

Palform is a company is based in the UK, and is subject to the Data Protection Act, which is currently very similar to the GDPR.

Our servers and databases only ever store encrypted response data. Plaintext responses never leave browsers.

Data minimisation​

As required by law, we only collect the bare minimum data we need to operate. We don't collect any additional data on your form responses either (e.g. IP addresses or other analytics). All we can tell is how many responses your forms had, and when they happened.

Backups​

Our database is automatically backed up every day, allowing us to quickly recover from corruption and data loss events. This helps us avoid losing your encrypted response data.

Authentication & authorisation​

You can use either email/password or OpenID Connect (on higher plans) to sign into Palform. We store passwords hashed with the industry-recommended Argon2 algorithms, and never in plaintext.

We support two-factor authentication with TOTP, and as a Yubikey user myself, I plan on adding security key support soon.

Authorisation is managed in a tiered system of organisations and teams. By default, new users in your org are added to your "default" team, with read-only permissions. You can customise this and set read, write, or admin permissions. Certain assets, like images and branding configurations, also belong to a team, and can be applied to all forms within that team.

This system means larger organisations also feel comfortable within Palform. They can even set up rules to automatically assign users into teams with givern permissions based on a response from their OIDC server.

Audit logs​

Larger organisations using Palform can make use of audit logs to track events that occur in their organisation. This is not intrusive of employee's actions, as it doesn't track reads, only writes.

Any significant events, such as configuration changes or form response deletions, are clearly shown in the logs with associated metadata.

Other helpful features​

I've tried to add features that help users improve their security practices and GDPR compliance:

• Auto-delete form responses within a certain number of days to comply with data retention limits
• Force include a Privacy Policy link in all forms in a team
• You own your data: responses can be exported in multiple formats whenever you want

Limitations​

Nothing is perfect, and it's very important to understand what Palform can't proctect you against.

Here are some known limitations:

• Supply chain attacks: while we follow modern standards to prevent them (e.g. transparent CI builds, pushing containers straight to Scaleway, etc), they're a category of attacks that are essentially impossible to completely eliminate.

  • For example, if someone compromised Palform's servers, they could send false public keys for an organisation, or serve up fake JavaScript on the frontend that steals encryption keys. This is the case for many end-to-end encrypted applications.

• Backend validation: our backend is unable to validate your form responses, because it can't see them. You have to trust our client-side validation, which can technically be overcome. Therefore, it's important to not rely 100% on Palform's validation rules.

• Metadata: by the nature of OpenPGP, the key IDs of users are included in the encrypted responses. This might make it possible to tell which organisation/team/user a response can be read by. Also, the time of submission and the access token used are stored unencrypted.

• Non-response data: questions, form details, administrative users, etc. all have their details stored unencrypted in our database.

• You still have to comply with GDPR and any other privacy regulations. We don't magically do that for you, but we try to publish tools that help.

Reporting issues​

We're currently too small to operate a paid bug bounty program. However, we would still really appreciate responsible disclosures of any potential security issues you find in our systems, no matter how big or small.

These can be related either to our production websites (*.palform.app) or our code repository (https://github.com/palform/palform).

If you would like to report a problem, please email our secure email address.

Questions and concerns​

If you have any questions about our security practices, please contact us and we'll be happy to help!

Thanks for reading! New here? Try out Palform online with unlimited responses free of charge.

If you're a business based anywhere in the world and you're processing the personal data of citizens of the UK, EU, or EEA, you're required to comply with the famous GDPR.

Example: Random Co. is a company based in California. They have a website with Google Analytics, meaning they're collecting personal information about users automatically. The website handles the personal information of EU users. Therefore, Random Co. must comply with the GDPR.

This goes for Google Forms, too. If you have any EU/EEA/UK citizens filling in your form, you must comply.

So how do you do it?

Requirements for compliance​

I won't detail how to comply with the GDPR. That's a whole profession.

Two important requirements are:

• Transparency. You need to provide a Privacy Policy or similar document, that details exactly how you process personal information, safeguards for protection, and the rights your users have.

• Data location. Transferring the data of EU/UK citizens outside of the EU/UK (e.g. into US data centers) can involve additional complexity. For example, transferring data to US companies is usually done by participating in the Data Privacy Framework, which comes with several requirements. It's often easier to just keep data in the EU, unless you're a large corporation with specific requirements.

Can I fulfill these requirements with Google Forms?​

Yes! It is possible to use Google Forms in compliance with the GDPR, but there are additional steps you need to take.

Transparency​

Google Forms, by default, does not provide a way to display your organisation's Privacy Policy in forms you create. It's up to you to ensure every single form created by anyone has a dedicated field linking to your data handling practices.

Google was fined €50m in 2019 for failing to provide the GDPR-mandated information, although in relation to Google Ads, not Forms. My point is, there are actual fines for failing to provide the correct information.

Data location​

You can configure the location of your data only if you're subscribed to Google Workspace Business Standard or higher. Here's how to do it.

If you're not using Google Forms within a Workspace account (i.e. just through a personal Google account), setting the location is not possible.

If your location is not set, your data is likely to be stored in the US. You don't really get much control.

Legally, this is not usually a problem, as Google is certified under the Data Privacy Framework, and so is a valid company to use as a data processor. However, many EU users might have concerns about transferring their data outside the EU, which could decrease their trust in your forms.

Other problems​

Sharing your forms with collaborators can introduce complexity. It's easy to get a setting wrong and accidentally allow collaborators to re-share the form with more people, revealing the responses to people outside your organisation you shouldn't be able to see it.

You'll also need to ensure you're complying in terms of the data you're collecting. As with any data collection tool, you need to avoid collecting excessive data, and make special provisions for sensitive categories of personal information, such as medical records (including seemingly simple questions like "Do you have any dietary requirements?"). Of course, this goes for all form builders.

Finally, there's the question of user trust. Google has previously misled users about their practices (this was not in relation to Forms, though). The majority of consumers worldwide are "somewhat or very concerned" about their privacy, and Google is arguably one of the reasons why.

Making compliance a little easier​

Here at Palform, we've built a privacy-focussed alternative to Google Forms. It aims to make GDPR compliance easier and increase customer trust. It's just as easy to use and it's completely free, too.

Here's how it helps:

• You can create organisation-wide privacy policies that automatically appear on all forms. This avoids costly mistakes and standardises the way you distribute information.

• All data is stored exclusively in the EU in secure databases. Plus, your responses are end-to-end encrypted, massively reducing the possibility and impact of data breaches, and helping you sleep better.

• You can view and manage your form sharing centrally, and responses cannot be shared outside of your organisation by default. Plus, each viewer has their own key, so you get guaranteed knowledge of who can access each individual response.

Of course, it's still important to comply with the GDPR in terms of the data you're collecting and the information you're providing. Palform is not a magic solution to all your problems, but it's here to help.

There's also other nifty features, like the customisable design tools and built-in analytical reports. All-in-all, it has all the benefits of Google Forms (and more), but without many of the drawbacks.

Give it a try and see what you think!

Paying the data protection fee is important because it funds the ICO’s work providing advice and guidance about how to comply with the law – such as their online guidance, their telephone helpline, and their digital toolkits.

Fines for an overdue payment can range between £400 and £4,000, so paying the fee on time is really important!

Use our form below to figure out whether you need to pay a fee, and if so, then how much. You can also open the form in a new tab.

Database IDs are one of those things you really don't want to think about. It feels like they should just "work". Why are there different types of IDs?? Why can't I just use an auto-incrementing number? The real world is just so annoying.

In this article, I'll explain why UUIDs look like the cool solution to all our problems (but actually aren't), and demonstrate a simple but powerful system I used at Palform to vastly improve the database experience.

The problems with UUIDs​

Nowadays, UUIDs are often the go-to for the majority of developers. Essentially all major databases, ORMs, clients, and SDKs have built-in or high-quality 3rd-party support for them.

Yes they're slightly more difficult to generate, but you don't have to write code for that anymore!

With 128 bits of data, it's practically impossible to ever get a collision so you're safe from that too.

Around the internet, there are several blog posts advocating for their use over sequential IDs. And it's true: it's probably nearly always the better choice between the two. It hides the number of records you have and prevents automated enumeration, while not impacting performance too much in smaller databases.

But with Palform, my aim was to handle hundreds of thousands of form responses smoothly and lag-free. "Good enough" won't do, so we need a better solution.

Enter TSIDs​

Already gaining traction between developers, TSIDs strike a balance between incremental IDs and UUIDs. They're more space-efficient than the latter, while having the same time-sortable property of the former (although it's not fully guaranteed).

I won't write about the details of how they work here, as other posts have already done a much better job than I could.

They can be a bit of a pain with distributed systems as they require a node ID, which is not always easy to obtain in a definitely unique way. However, Palform is not really a distributed system.

Support is also much weaker than UUIDs, but that's also fine: luckily, Rust has an excellent crate for it which is really all I needed.

UUIDs are serialised in a highly standardised way. They're so widespread that most developers can glance at the random-looking data and immediately tell it's a UUID. Just look at it:

de6fc6ac-2c80-48ce-9b48-f9793a0b8c71

Mmmm beautiful.

TSIDs are 64 bit integers. They're usually serialised into a 13 character base-32 URL-safe string. That's much shorter and arguably more readable than a UUID:

0GYDWW6VM4C0E

Even nicer.

So I made the decision: Palform would use TSIDs. But how to implement them?

SeaORM support​

Palform uses the excellent SeaORM to manage database records on the backend. It has support for Postgres' built-in uuid type, but understandably no support for the relatively new TSID.

SeaORM requires declaring Rust entities (basically a struct) for each of your tables. This then makes it easy to write very Rust-idiomatic and satisfying database queries. Here's what an entity looks like when using UUIDs:

#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq, Serialize, Deserialize)]
#[sea_orm(table_name = "auth_token")]
pub struct Model {
    pub hash: String,
    pub created_at: DateTime,
    pub expires_at: DateTime,
    #[sea_orm(primary_key, auto_increment = false)]
    pub id: Uuid,
    pub user_id: Uuid,
}

This uses the very popular uuid crate, and SeaORM takes care of converting to/from the PostgreSQL type.

Creating a new record is very easy:

let new_token = admin_user::ActiveModel {
    id: Set(Uuid::new_v4()),
    user_id: Set(user_id),
    // ...
    ..Default::default()
};

new_user.insert(conn).await?;

Now how to do this with TSIDs? The tsid create contains a create_tsid function, which returns a TSID struct. We can turn that into a u64, too:

{
    id: Set(create_tsid().number()),
    // ...
}

We also need a way to convert back from u64 to the TSID struct. It's all a bit awkward, and the typing is weird: what's a u64? It could be any number, how do we guarantee it's a TSID?

Building my own adapter​

It felt like an upward battle at this point, and I kept thinking how much easier it would be to just settle with the beautifully supported UUIDs. But this was getting interesting now, and so I decided to spend nearly an entire week designing a custom adapter. I had a plan.

I wanted my IDs to be type-safe. That is, each table in my database should somehow have its own type of ID, and Rust should complain violently if, for example, I try to use a User ID in a place where a Question ID is needed.

First, I'd need a struct that I can base everything off. This would still involve the tsid crate, just with a lot of wrapping code. Here's how I started:

#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub struct PalformDatabaseID {
    pub(crate) id: tsid::TSID,
}

Next came the typing. Stripe, famous for its much-loved developer API, does something similar by prefixing IDs with a short code that identifies the resource. For example, customer IDs are prefixed with cus_. Not only does it avoid confusion in code, it's also super readable, as you can tell what an ID is referring to without any additional information.

Inspired by this very satisfying system, I wanted to create something similar.

I created a trait:

pub trait PalformIDResource: Eq + PartialEq + Clone + Copy + Hash + Send {
    fn prefix() -> Option<String>;
}

The prefix is an Option to support certain edge cases where I need to be able to refer to any type of ID in a single field (e.g. audit logs). Where the prefix is unknown, I use None.

Next, I simply created a type implementing this trait for each of my tables:

#[derive(Eq, PartialEq, Clone, Copy, Debug, Hash)]
pub struct IDOrganisation;
impl PalformIDResource for IDOrganisation {
    fn prefix() -> Option<String> {
        Some("org".to_owned())
    }
}

With some macros added in for better readability, you can see all the resource declarations on GitHub (give me a star while you're there ❤️).

Then, I modified the PalformDatabaseID struct to include the prefix.

#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub struct PalformDatabaseID<Resource: PalformIDResource> {
    pub(crate) id: TSID,
    resource: PhantomData<Resource>,
}

Then came the laborious part: adding all the integrations needed for this to work with Serde, SeaORM, Rocket, the OpenAPI generator, etc. You can see everything on GitHub.

Rewriting the entities​

Now, I could modify the SeaORM entities to use my shiny adapter.

pub struct Model {
    #[sea_orm(primary_key, auto_increment = false)]
    pub id: PalformDatabaseID<IDAuthToken>,
}

A PalformDatabaseID<IDAuthToken> is completely distinct from a PalformDatabaseID<IDOrganisation>, for example. Rust will fully block the compilation if it's somehow mismatched, which is exactly what I wanted.

Generating them is super easy:

let new_form = form::ActiveModel {
    id: Set(PalformDatabaseID::<IDForm>::random()),
    // ...
}

In the database, it's still just stored as a type-independent u64. But whenever it's handed to the application, it has to choose a typed prefix, which is also conveyed in the serialised form (e.g. org_0GYDWW6VM4C0E). When being deserialised, the prefix is checked to ensure it matches the requested type; if it's wrong (or there is no prefix), a scary error is returned.

This actually helped catch some errors! In several places, I was using the UUID of the wrong resource without noticing; everything was just Uuid before, and I had to rely on variable names to keep track of what was what.

For future development, it will also inevitably reduce bugs and small but high-consequence typos. It will likely even improve the security posture of Palform, which is absolutely essential with such a security-focussed application. Developers are only humans and even the most careful ones will make mistakes; this change, however, will stop the mistakes with big scary red error messages before they can cause any damage.

It's also simply more Rust-like, which I'm sure will make the Rust people very happy.

Sharing the code​

Palform is open source in its entirety, currently under the AGPL license. The ID management is under the packages/tsid directory, but I might release it as a more liberally licensed separate module in the near future, so that everyone building web apps in Rust can benefit from these performance, security, and stability improvements.

In the meantime, if you're ever in need of a form builder that actually cares about encryption, privacy, scalability, and other ethical principles, give Palform a try (it's free with unlimited responses).

Thanks for reading! This article was written by Pal Kerecsenyi, the founder of Palform. Last updated 04/09/2024.

If you have any questions or found a mistake, please email me at pal@palform.app.

We'll keep it nice and brief: having researched dozens of competing services in this very crowded market, I've selected the best options. Most other comparison sites agree on most of these services.

Palform​

A strong new player in the field, Palform places a special focus on privacy and security. It uses sophisticated end-to-end encryption technology, while also having the full range of features and simplicity you'd expect of any other form builder. It's also fully open source!

However, due to it's young status and thorough encryption, the range of 3rd-party integrations is limited, with email/webhook being the only currently available options.

More features are being developed constantly.

Best for​

• Showing your customers they can trust you.
  • The higher security guarantees let form-fillers know their data is safe, and places your reputation ahead of your competitors'
• Handling any kind of sensitive data
• Users experienced with Google or Microsoft Forms, and wanting an easy-to-use solution with no coding
• Generating beautiful actionable reports without any stats knowledge
• Cases where open-source software is a must
• Saving money

Pricing​

• Unlimited responses included in the free plan
• Higher plans up to ~$80/m have more features, e.g. for corporate compliance
• Discounted pricing offered for students and non-profits

Typeform​

A long-running and controversial option, Typeform popularised the "one question at a time" way of doing forms. It features easy-to-build aesthetic designs and slick animations, as well as powerful data analyses.

However, the animations and layout may be overwhelming and confusing for some users who are not super comfortable with technology.

Best for​

• Forms that are more about the "experience" and where one-at-a-time questions make sense
• Very small expected response counts
• Environments where budget doesn't matter

Pricing​

Notoriously, the pricing is amongst the highest out of all form builders, with the free plan only offering 10 responses/month.

Even the Basic plan, for 21EUR/mo only includes 100 response/month.

Plans go up to 75EUR/mo for 10,000 responses and more advanced features.

Jotform​

A versatile, tried-and-test form builder, Jotform is capable of building forms in loads of different designs and layouts. The application is also very feature-rich, with extras such as PDF forms and built-in templates. E-signatures are also supported, with highly-rated 24/7 customer support.

It even supports encrypted forms, although in a much more lightweight and barebones way than the integrated experience offered by Palform.

Best for​

• Large enterprises needing compliance with strict standards such as HIPAA
• Users who are happy to plan to meet the complex pricing requirements
• Users wanting to save some time with pre-built templates

Pricing​

The free plan includes 100 submissions/month, 10x more than Typeform. However, to continue beyond that, you need to pay at least $34/mo for the next plan.

Many, many different values are limited by the plan specifications, including:

• Form submissions
• Form views
• Users
• Storage space
• Stored submissions at a given time
• Fields per form
• E-signatures

If you need more of just one of these limits, you'll need to upgrade your plan, meaning it can get surprisingly expensive quite quickly.

However, it's definitely much better value-for-money than Typeform.

Youform​

A relatively new product, Youform has the same focus on simplicity as Palform, except targetting the Typeform one-question-at-a-time model.

It has a commendably ethical pricing model that makes planning your costs much simpler.

The design is very clean, and absolutely anyone can use it without experience.

Having tested it for a few days, the interface is genuinely very smooth and user friendly. The user reviews are right to sound so excited! Unlike most form builders though, the admin panel doesn't work on mobile. Checking your responses on the go is quite difficult sadly.

It lacks the ultra-high security and privacy guarantees of Palform.

Best for​

• People looking for a close Typeform alternative for a fraction of the price
• Simple use cases without high security guarantees
  • Data is hosted in the USA, so it might not be suitably GDPR compliant. But that's not legal advice!
• Saving money

Pricing​

Unlimited responses and most features for free, then $29/mo for further features.

Google Forms​

Ahhhh a good old classic. Google Forms continues to be the backbone of low-stakes data collection around the world.

The interface is really simple, and hasn't changed much over the years. As Google does not directly make any income from Google Forms, it's likely the development of new features isn't a huge priority. Customer support is also very limited or in most cases completely impossible.

Of course, as with all Google products, there are serious data protection concerns. Your data might be stored in the US, making it essentially unusable for any commercial data handling in the EU unless you fulfill an extremely complicated and technical legal framework.

Generally, Google Forms don't really look professional anymore. If a business is seriously using them, it just screams "low effort". Fortunately, there's many alternatives that are just as easy to use but produce a far prettier result.

The question types are also somewhat limited, and the boolean branching rules are very primitive.

Okay. Sorry. That's enough roasting Google Forms. I'm sorry if you're a passionate fan. We can continue in peace now.

Best for​

• Very very simple use cases between family and friends, or for small informal events.
• Cases where brand identity doesn't matter at all
• Cases where no personal data is being collected

Pricing​

The consumer version is free! With no meaningful limits beyond the Google Drive file upload limit.

Google Workspace (a paid service) includes a very slightly more advanced version, where you can set data sovereignty constraints so that you can legally handle the personal data of EU citizens.

Fillout​

Another tool similar to Jotform, Fillout creates pretty, mobile-friendly forms of any shape and size. Unlike most competitors, it also supports real-time collaboration, making it particularly suitable for teams working together on authoring forms.

It also comes with advanced tangential features, such as event scheduling and payment, built right in.

Best for​

• Real-time collaboration
• Versatile designs within one app
  • Instead of a Typeform-style app and Google-style app separately, Fillout can do both
• Building more complex automated pipelines involving your forms using integrations

Pricing​

• Generous free plan with most features included, and up to 1000 responses/month
• Plans with increasing response limits and more features
• For $75/month you get unlimited responses

Microsoft Forms​

Another classic, Microsoft's flagship data collection service actually keeps surprising. Unlike Google, new features are constantly added to this, such as the new AI-generated question suggestions.

The design can feel clunky occasionally (that's a personal opinion) and the loading times are often slow (both on the editing and filling side), especially if signing in with a Microsoft account is required.

Despite that, it's fairly easy to make good-looking forms, and it even features decently rich branching rules and question types. Still, lots of obvious genuinely useful types, such as address auto-complete inputs, are missing. But it's great to see that a product that has mostly non-paying users is still developed so actively!

And again, similarly to Google, Microsoft is an enormous ad-tech corporation. They haven't always been reliable with handling personal data, and employers using certain Office 365 plans get wide-ranging worker surveillance powers.

Similarly to Google Forms, the data location is a bit of a pain point which makes targetting EU customers very tricky. Unless you're an EU-based Microsoft 365 customer, your Forms data will be stored in the US (or Australia if you're based there). That might mean any EU user who fills in your form will have their data transferred to the US without their explicit knowledge or consent, which could be a GDPR violation.

Best for​

• Large corporations wanting to keep all their data within Microsoft 365
• Similar simple use cases as Google Forms
• Speedy form writing with AI-generated questions

Pricing​

• Responses always essentially unlimited
  • The limit is defined by the amount of cloud storage space your account has
• Free for personal use
• Available on all paid Microsoft 365 plans, starting at $6/user/month
  • Most other form builders don't use a per-user pricing model; Microsoft does, as it's part of a wider office suite package. It's not currently possible to purchase a Forms subscription separately.

Pricing overview​

Response limits are the most common billing model for commercial form builders. In this table, we compare the reviewed form builders and their limit vs price value.

The values in this table are based on annual plans in USD.

So which one should I go with???​

It depends. Sorry. There is no straightforward answer.

We can roughly categorise these 7 tools by use case:

• General purpose: use these for any non-trivial data collection, big or small
  • Palform, Youform, Fillout
  • These all have unlimited plans, making it easy to scale without having to worry about surprise charges
• High security/privacy: use these when you're collecting sensitive data, such as medical or financial information
  • Palform
• Low-stakes informal surveys
  • Microsoft Forms and Google Forms
• Advanced automation
  • Jotform, Fillout
• Beautiful, flashy, animated design
  • Typeform

This is not exhaustive, and a lot of these form builders are versatile enough to be used for different use cases! I hope this guide gave you a decent insight into the world of form builders, and what to look for when choosing one.

My best advice is this: go out and try them! All of these services have free trials: make a MVP form that replicates whatever form you're actually intending to build, and see how easy the process is.

Thanks for reading! If you have any questions about data collection or forms, feel free to send me an email! I'm happy to discuss and advise your problem, even if you're using other form builders.

Email: pal@palform.app

Follow Palform on Linkedin to keep up to date with our helpful articles and resources!

Go check it out on GitHub! And maybe give me a ⭐ if you feel like it

I strongly believe all software with even the slightest security requirement should be open source. Instead of security through obscurity, keeping the code open will help reduce vulnerabilities. The entire community will be easily able to find mistakes and bugs and get them fixed way faster.

When I started working on Palform, it was a fun side project to improve the way I collected data. Mostly just to fix my personal problems with all the other form builders out there. Deep down, I always intended for it to be open source. Especially since the client-side performs a lot of crucial encryption work, it's essential to be able to see exactly what's going on.

I lovingly use many other open source SaaS tools such as the Proton suite, Plausible Analytics, Keycloak, etc. I think the "open source but supported by an official paid SaaS offering" is one of the most sustainable way to do open source projects (besides very large ones such as Linux, which already have a huge amount of volunteers). Otherwise, burnout sets in eventually, because developer time is never truly free. Of course, there are exceptions to this, but in general I feel this is a more stable model, despite the possible conflicts of interest that occasionally arise.

My aim with Palform is to ensure everyone can comfortably trust it with very sensitive categories of personal data, the kind you just wouldn't submit in a regular Google Form. This will hopefully move the project closer to building that trust.

Licensing​

It's always a big question.

For now, I've opted for the GNU AGPL. Perhaps my inner fears of some evil megacorporation taking my code to build a data-stealing version of Palform are what kept me from going for something simpler like the MIT license. Realistically, that's unlikely to happen, but you never know...

In any case, I don't think there should be a situation where a modification to my source code on a cloud-hosted service shouldn't be made public. That would just inherently be dodgy.

Contributions​

...are welcome! Of course, it'll take some time until I can document everything about the codebase to a point where it's easy and accessible to contributors. But if you feel like browsing through some Rust code to fix any bugs, I would love that too!

More often than not, I often found myself in need of a way to collect data from large groups of people related to my work. I needed to create survey-style questionairres, quickly and without too much hassle. Almost every single time, I defaulted to Microsoft or Google forms, like it was muscle memory. These tools were simply good enough.

They were both

• easy
• extremely popular
• always free
• just there, requiring zero added research into other products
• integrated into whatever ecosystem I was using

In this article, I'll explain why these tools were actually quite problematic, and what I created to try and solve these problems.

So what's the problem?​

Both these tools felt like I was missing something. Many of my end-users made frequent complaints about the privacy records of these companies, and said they felt uncomfortable providing their data through them.

The truth is, Google could see all of your form responses if it wanted to. As a policy, they don't. But still, I felt weird trusting the world's largest ad-tech corporation with so much data; it's not exactly rare for mega-companies to violate their own terms.

Then there was the question of sovereignty. Google Forms is hosted in the US, EU, and various other places around the world. In the vast majority of non-enterprise use cases (e.g. if you're not using Google Workspace or your plan isn't good enough), you don't even get a say in where the data is stored. Data transfers between the EU and US (based on the EU adequacy decision) require complying with a complex legal framework. Since you could be transferring EU user data to the US (or maybe not, you just don't know!), you have to comply with this framework if you use Google Forms outside of a Workspace plan that supports limiting your data to a specific region. To me, this was evidently extremely overkill for almost all use-cases.

Of course, there are several excellent European companies providing form builders. But none of them properly address the growing problem of security. In a data breach, it would still be easily possible for hundreds of thousands of sensitive responses to be leaked. It's a growing problem in 2024.

My solution​

I wanted to solve this problem, and create a form builder I actually enjoyed using. One that didn't make me and my end-users stress about a random third-party having access to extremely sensitive personal information.

Naturally, I turned to encryption. What if there was a way to mathematically guarantee the security and privacy of my users?

The design is simple:

• Everyone in your team has a public/private key pair
• When a form is submitted, it's encrypted with the public keys
• Palform stores the encrypted response. I can't see its contents. Nobody can. Not even government authorities.
• Your browser downloads the response, and decrypts it using your private key. You get nice pretty graphs, and full peace of mind!

It's backed by a tried and tested algorithm suite known as OpenPGP. Millions of emails are regularly sent this way, e.g. using Proton Mail. Its security has been backed by decades of research, and remains unbroken by governments (as far as we know).

You can read about all this in more detail in our documentation if you care.

I wanted this to be something everyone could use, so I had to avoid requiring users to understand what all these complex algorithms were. You should be able to go from Google Forms to Palform without even really thinking about it. WhatsApp, Signal, Proton, and many other tools had already mastered the art of providing secure encryption despite many of their users not understanding what encryption means.

Palform handles all the encryption in the background. You just have to click a Generate Key button once (when you set up your account), and it's stored nice and safely in your browser. An encrypted backup also gets saved to the server, for which you need to save a key password (similar to the backup key in WhatsApp, for example).

Making it full-featured​

Encryption is cool, but it's not really a selling point unless the form builder itself is just as good as (or preferably better) than competitors. That's why Palform emphasises supporting loads of question types.

Some particularly interesting ones are:

• Address auto-complete
• E-signature (I'm considering working on eIDAS compliance)
• Encrypted file upload
• "Hidden" questions that take a value from a URL parameter

I want the company to have a focus on privacy above all else, so I've included compliance-centric features such as:

• submission auto-delete (after a given number of days)
• OpenID/OAuth so you don't even have to trust me with your credentials
• team/user permission management
• Cloudflare-based privacy-friendly captcha
• and more!

And of course there's dozens of features that make it much more full-featured than Google Forms:

• Very thorough branding customisation for a better white-label experience
• Advanced branching rules between question pages
• More specific customisable validation, depending on the question types
• Markdown-enabled description fields
• Automatic correlation analysis between questions in your responses
• Export responses to multiple formats
• and more coming soon!

It wasn't easy​

End-to-end encryption really upsets a lot of the things in forms that everyone (including myself) takes for granted.

• When handling huge amounts of data, Google Forms can simply generate a pretty overview chart server-side and avoid downloading dozens of megabytes into your browser. Palform cannot, because our server cannot see your data. Instead, we use caching algorithms to progressively stream just the correct minimal responses. We use WASM-based binaries to speed up the process, and depending on your browser, we even support multi-threading. You'll only have to wait a few minutes to decrypt tens of thousands of responses, and from then on it'll load instantly thanks to the cache.
• Some form builders support webhooks, where response data is sent to an endpoint of your choice immediately upon a form submission. Palform sends the encrypted data instead. Because OpenPGP keys are so open, you can easily use a server-side key to decrypt the data.
• Integrations with third-party apps are basically impossible to offer, unless the app supports decrypting data using a PGP key. I'm trying to solve this by including as many commonly-used 3rd-party features in Palform as possible, but this is still a work-in-progress.

How much should it cost?​

Firstly, Palform is not open source at the moment. I understand it's especially important for encryption/security-oriented products to be at least source available, but open sourcing an application hard, and involves a lot of non-trivial decisions. Palform will be open-sourced at some point in the very near future, most likely under AGPL or a similar license. I might introduce a self-hosted version too, but that's too complicated for now.

Obviously, Google Forms is free. So is Microsoft Forms. But they're not truly "free". Their existence is supported by income from vast advertising networks and shady practices. You're indirectly profiting from Google's exploitation by using Forms.

Okay maybe that's me being a little dramatic. You're allowed to use Google Forms if you want, but please make sure you understand the risks, especially if you're storing something sensitive.

Unfortunately, Palform needs to cost money. Hosting infrastructure and spending time working on new features is pricey, and I want it to operate without dodgy VC funding (and definitely without being subsidised by an advertising network).

Some of Palform's competitors have unreasonable, arguably bizarre pricing structures. I'm not the only one who feels that way. There's definitely no way the operating costs are quite that high.

I tried to keep it simple and predictable. So here's how I wanted it to work:

• All plans get unlimited responses.
  • Responses don't really cost much money to process, since your browser does most of the work.
• There's a free (forever) plan, also with unlimited responses, but with a limited number of forms/questions, and fewer features.
• Higher plans include more features and sometimes higher limits (e.g. for users).
• You always pay a single monthly/yearly price. There's no overages or surprises.
• 2 months free when you pay for a year
• Generous discounts for non-profits, students, and educational organisations
  • As a university student, and a former chair of a non-profit organisation, I know how useful these are!
• I'm friendly; if you want custom pricing for whatever reason, give me a shout!

The detailed pricing I ended up adopting is available on Palform's home page.

The future​

Palform's the first (of many) side projects that I ended up loving so much that I'm bootstrapping it into a fully-fledged startup. It's been a lot of work, and I've been coding and perfecting it since March 2024. I'm excited to launch it, and really hope you can see its value!

There's many features planned for the future, and I'm welcoming suggestions. I want to create a form-builder that's browser-first, privacy-first, and as ethically managed as possible. I'm really excited to see many similar tools spring up (e.g. Plausible), and I think it's cool to be a part of a European "privacy revolution".

Palform is developed in the UK and hosted on Scaleway servers located exclusively in the EU. It's fully GDPR-compliant and handles minimal data. There's no spyware on our websites.

No matter the size of your business, encrypting your forms and securing their responses has never been more important than today. Not doing so can alienate your users and trigger concerns about your commitment to their privacy. Potentially, it can even create catastrophic data breaches. The good news: it's really easy!

To conclude, please be careful when choosing a form builder. Shiny flashy features are nice, but consider the potential implications of the information you're collecting being leaked or stolen. Many forms collect extremely sensitive personal information, and this needs to be stored responsibly. Palform makes it easy, and even reduces the amount of time you spend complying with the GDPR.

Try out Palform​

You can try it out for $0/month with unlimited responses, and upgrade to our low-cost plans only as and when you need.

Get started on our home page.

Thanks for reading! If you have any questions or comments, please email me personally at pal@palform.app.