Dear Adalo Staff,
Please understand this as a friendly help from someone with a long experience with data privacy and privacy laws.
Currently, Adalo is not compliant with EU-GDPR and UK-GDPR, which exposes most of your customers AND ALSO YOU to a fine of up to 10 MILLION EUROS or up to 2% of global turnover, whichever is higher. Reference: Art. 83(4) GDPR.
The GDPR is nothing new, as was stated last year on the forum.
a) This also impacts all developers whose apps are free
b) This impacts all app owners, regardless of whether they are based in the US or EU, or any other place in the world as long as there is (or can be) personally identifiable information (PII) of an EU user stored in their database
c) This also makes you, Adalo, subject to these fines because you have EU customers too
Privacy law compliance is not something you or we should mess with. It is also something that should have been sorted out before the company started offering its service. Yesterday new UI options were released for the list components, so we get the feeling that the non-compliance is not properly acknowledged and prioritized.
I have seen many data controllers consequently sue their data processors for non-compliance with privacy laws after they themselves were sued by the authorities or their users.
The following must be implemented before any of us can legally collect data from the users:
- Legal data transfer method between EU+UK, and US (consider standard contractual clauses, or SCC)
- Data Processing Agreement (DPA) between the data controller (your customers) and data processor (Adalo)
Workarounds are not an option.
Server placement is not a good option in the long term:
Please note that simply putting the servers in the EU or UK will NOT do the job. It would even complicate the situation. Essentially, every app with a signup option can be accessed by anyone in the world. As more privacy laws are implemented (in Brazil, California, …), the technical complexity will grow. App users are not supposed to choose the server location. And even if your customer is on a server in the EU, this will make them non-compliant with UK laws. Long story short: it takes less effort to sort out the data transfer and the other GDPR requirements. It is not as big a deal as it sounds.
AirTable doesn’t make it compliant:
The “Users” collection is at Adalo and cannot be outsourced to AirTable or anywhere else.
T&Cs do not make it compliant either.
Don’t misunderstand me, please. We love Adalo and want to make it better. But before it is better, let’s make it compliant together. Lawyers charge 700 EUR / hour; please consider this a present.
It feels wrong to ask for this as a feature on ideas.adalo.com, as this is not a feature but rather a must.