🩺 Vitals
- 📦 Version: v3.16.1 (Released 2026-04-09)
- 🚀 Velocity: Active (Last commit 2026-05-01)
- 🌟 Community: 9.9k Stars · 3.1k Forks
- 🐞 Backlog: 202 Open Issues
🏗️ Profile
- Official: typebot.io
- Source: github.com/baptisteArno/typebot.io
- License: Functional Source (FSL-1.1-Apache-2.0)
- Deployment: Docker | SaaS
- Data Model: PostgreSQL
- Jurisdiction: France 🇫🇷 / EU 🇪🇺 (TYPEBOT SAS)
- Compliance (SaaS): ISO 27001 | GDPR Ready
- Compliance (Self-Hosted): Self-Hosted (User Managed)
- Complexity: Medium (3/5) - Docker Compose; S3-compatible storage required for file upload flows
- Maintenance: Medium (3/5) - Next.js full-stack app; active release cadence from a profitable bootstrapped team
- Enterprise Ready: Moderate (3/5) - Full visual builder and unlimited responses in self-hosted; SSO, WhatsApp integration, and custom domains require paid tiers
1. The Executive Summary
What is it? Typebot is a conversational form and chatbot builder developed by TYPEBOT SAS, a bootstrapped company incorporated in France. It replaces static form UX with a step-by-step chat interface — collecting lead qualification data, scheduling, file uploads, and survey responses through a drag-and-drop flow builder. All response data is stored in a PostgreSQL database under the operator's control. The tool is source-available under the Functional Source License (FSL-1.1-Apache-2.0) — not OSI-certified open source — with each release converting to Apache 2.0 two years after publication. SSO, WhatsApp Business API, and custom domain hosting require paid tiers.
The Strategic Verdict:
- 🔴 For Simple Data Collection: Overkill. Standard form requirements are better served by a lighter tool — the conversational interface adds deployment complexity that only pays off when completion rate or lead qualification quality is the primary metric.
- 🟢 For EU-Regulated High-Touch Funnels: Strong Buy. French incorporation, ISO 27001 certification, and EU-based infrastructure eliminate the CLOUD Act exposure that US-domiciled SaaS form tools carry. Unlimited responses and self-hosted data ownership at zero licence cost make it the structurally superior choice for GDPR-sensitive lead generation and customer onboarding flows.
2. The "Hidden" Costs (TCO Analysis)
| Cost Component | Typeform (SaaS) | Typebot (Self-Hosted) |
|---|---|---|
| Response Limits | Strict monthly caps | Unlimited (PostgreSQL storage) |
| Branding Removal | Paid tier required | Paid tier required (Starter) |
| WhatsApp Integration | Expensive add-on | Pro tier (paywalled) |
| Custom Domain | Paid tier required | Pro tier (paywalled) |
| Data Residency | Typeform-managed cloud | 100% owned (self-hosted) |
3. The "Day 2" Reality Check
🚀 Deployment & Operations
- Installation: Docker Compose deployment with PostgreSQL as the primary data store. File upload flows additionally require an S3-compatible storage bucket (AWS S3, MinIO, or equivalent) — this dependency adds infrastructure overhead compared to simpler form tools and should be provisioned before production deployment.
- Builder: The visual flow editor runs entirely in the browser. Flows are composed from typed blocks (text, input, logic, integrations) and can be embedded as a web widget, full-page experience, or deployed directly to WhatsApp Business via the Pro tier integration.
🛡️ Security & Governance (Risk Assessment)
- Jurisdiction & Geopolitics (France 🇫🇷 / EU 🇪🇺): TYPEBOT SAS is incorporated in France — EU jurisdiction with no US parent entity and no CLOUD Act exposure. SaaS infrastructure runs on AWS Paris and London, delivering EU data residency for the cloud offering. French incorporation places Typebot firmly outside US federal subpoena reach for data held in the SaaS environment — a structural advantage over US-domiciled form and chatbot SaaS vendors for European enterprise procurement.
- The Compliance Shift: ISO 27001 is verified for the SaaS offering via the Typebot security page. HIPAA and SOC 2 are not claimed or verified — do not use these as procurement arguments. For self-hosted instances, the full compliance posture transfers to the operator: infrastructure hardening, database encryption at rest, and network access controls are the deploying organisation's responsibility. GDPR data retention for self-hosted deployments is the operator's obligation; Typebot provides retention policy configuration tooling but does not enforce deletion automatically.
- License Risk (FSL-1.1-Apache-2.0 — Source-Available, Not OSI Open Source): The Functional Source License prohibits using Typebot to provide a competing managed conversational form or chatbot service. Internal enterprise use — deploying Typebot for your own lead generation, customer onboarding, or team workflows — is explicitly permitted. Each release converts to Apache 2.0 two years after its release date, providing a clear and contractually defined path to fully permissive status for older versions. For standard enterprise deployment the risk is low; any organisation considering building a product or resale service on Typebot's infrastructure must complete legal review of the FSL competition clause before committing.
4. Market Landscape
🏢 Proprietary Incumbents
- Typeform: The design-first form and survey platform — the primary migration source for Typebot adopters. Response limits, per-seat pricing at scale, and all submission data residing in Typeform's US-managed cloud are the primary drivers for switching to a self-hosted, unlimited-response alternative.
- Intercom: The dominant customer messaging and support automation platform. Substantially higher price point with full chat, inbox, and AI automation bundled. Typebot is the lightweight alternative for organisations that need conversational data collection and basic bot flows without the overhead of a full customer messaging platform.
🤝 Open Source Ecosystem
- Formbricks: Focused on in-product surveys and feedback collection — preferred when the use case is measuring user sentiment at specific product touchpoints rather than building lead qualification or onboarding conversation flows.
- OpnForm: The lightweight choice for standard static form requirements — lower deployment complexity, no S3 dependency, and a simpler operational footprint when conversational UX is not required.