(Link to other Resource: Adalo & GDPR Compliance)
@miro, I’m afraid I can’t fully agree with your statements (you gave good advice at the beginning of this post, but your last statement is dangerous, so I decided to enrich your comment, if you don’t mind…).
If you as a company (or “as an institution that wants to make a profit”) request data from your users, you absolutely must follow the rules of the GDPR, otherwise you will face severe penalties within the EU.
As a provider of your services based in the EU, it is not enough to ask permission from your users, as your contract cannot override basic EU and national consumer protection laws.
Take, for example, the question of what data you process:
If you process/store personal data (or data that can be used to identify a person), then you must use servers in the EU. Here you must also take into account that “personal data” is further divided into simple personal data and highly sensitive data (e.g. health information, religion, sexual orientation, names, date of birth, etc.) that is particularly protected (and I’m not even scratching the surface of the hassle that may occur with copyright infringement for private images etc.).
Adalo is not GDPR compliant (date of the info: 13th of April 2021), because the data is not stored on servers in the EU (Adalo won’t tell us where their database is located, but we have to ensure that the data is explicitly stored in the EU). Any provider that has a company in the EU and processes (sensitive) data of EU citizens must also store the data in the EU.
In addition, the concept of data economy applies. That is, you may only process data that is urgently needed for your business. If a user wants to know how you process his data, you must show him how and where his data is processed in your systems (and those of secondary contractors, e.g. Airtable etc.).
A user may request deletion of his/her data at any time. For newsletters, the double opt-in procedure applies…and so on…
You see, before you naively plunge into the processing of user data from the EU, you should definitely acquire knowledge, hire a specialist or move your company headquarters to a non-EU country.
Keep in mind that you could face very high penalties in the event of a violation!
Long story short: you, as the business and process owner, are fully responsible for the data processing, storage, usage and security; you cannot give this responsibility away. You have to ensure that all secondary contractors you cooperate with stick to the GDPR as long as they store personal or sensitive information.
There are some exceptions. For example, if the app that you built on Adalo is simply used for processing the data, while the storage happens on servers in the EU. You can work with IDs, so that the processed data cannot be used to trace back to a person…