GDPR: We are risking huge fines

Dear Adalo Staff,

Please understand this as a friendly help from someone with a long experience with data privacy and privacy laws.

Currently, Adalo is not compliant with EU-GDPR and UK-GDPR, which exposes most of your customers AND ALSO YOU to a fine of up to 10 MILLION EUROS or up to 2% of global turnover, whichever is higher. Reference: Art. 83(4) GDPR.

The GDPR is nothing new, as was stated last year on the forum.

a) This also impacts all developers whose apps are free
b) This impacts all app owners, regardless of whether they are based in the US, the EU, or any other place in the world, as long as there is (or can be) personally identifiable information (PII) of an EU user stored in their database
c) This also makes you, Adalo, subject to these fines, because you have EU customers too

Privacy law compliance is not something you or we should mess with. It is also something that should have been sorted out before the company started offering its service. Yesterday, new UI options were released for the list components, so we get the feeling that the non-compliance is not properly acknowledged and prioritized.

I have seen many data controllers consequently sue their data processors for non-compliance with privacy laws after they themselves have been sued by the authorities or their users.

The following must be implemented before any of us can legally collect data from users:

  1. Legal data transfer method between EU+UK, and US (consider standard contractual clauses, or SCC)
  2. Update the Privacy Policy with everything that GDPR requires (mostly a description of your data processing, but also an explanation of GDPR rights, who your DPO or EU/UK Representative is, etc.)
  3. Data Processing Agreement (DPA) between the data controller (your customers) and data processor (Adalo)

Workarounds are not an option.

Server placement is not a good option, in the long term:
Please note that simply putting the servers in the EU or UK will NOT do the job. It would even complicate the situation. Essentially, every app with a signup option can be accessed by anyone in the world. As more privacy laws are implemented (in Brazil, California, …), the technical complexity will grow. App users are not supposed to choose the server location. And even if your customer is on a server in the EU, this will make them non-compliant with UK laws. Long story short: it takes less effort to sort out the data transfer and the other GDPR requirements. It is not as big a deal as it sounds :slight_smile:

AirTable doesn’t make it compliant:
The “Users” collection is at Adalo and cannot be outsourced to AirTable or anywhere else.

T&C does not make it compliant either.

Don’t misunderstand me, please. We love Adalo and want to make it better. But before it gets better, let’s make it compliant together. Lawyers charge 700 EUR / hour, so please consider this a present :slight_smile:

It feels wrong to ask for this as a feature on ideas.adalo.com, as this is not a feature but a must.


This has been worked on for the last 2 quarters and the announcement about our GDPR compliance documents will be sent out by email this week or next week at the latest.


Hi Colin, that is fantastic news! I haven’t seen anything regarding this subject for months; on the forum this topic was getting closed regularly, and even on ideas.adalo.com this requirement got just a few upvotes. Hence my extensive post. In my experience, many online platforms ignore this until it is very late. I was wrong and am happy that Adalo is an exception. Thank you for that. You can delete this post completely if needed.

That’s awesome! I was already worrying about it, since I want to put out my app soon and was looking into it a bit.

That’s the best news! I cannot believe it may actually happen :laughing: Looking forward to it! :wave:
