Hi just reopening the topic of GDPR as this thread was closed earlier Security, Encryption, Sustainability & GDPR - #38 by anon78309838 @anon78309838 I think this is an important topic that should remain open as a channel for users to discuss their options.
For clarity there are no ‘workarounds’ available for GDPR, t&c’s won’t provide compliance and mostly compliant is still non-compliance.
My understanding is If you handle any personal data from EU / UK / Switzerland Adalo is not the platform for you… …yet. Happy to be proved wrong! (Very happy)
Don’t get me wrong, Adalo is an amazing platform and I welcome the focus on stability recently announced. Sure I’m impatient for GDPR but that’s probably a reflection of the strengths elsewhere on the platform.
I’m not looking for a launch date, I understand that resources are tight as your business grows. Knowing that it’s on your agenda is enough for now.
P.S. that focus on stability brings with it an opportunity to keep EU data within the EU as you add regional AWS data centres? Another box ticked for GDPR sensitive organisations in the EU.
P.P.S. Would you consider letting EU based nocoders use more of the pro features in the meantime so that we can hit the ground running when GDPR is ready? Just a thought.
I’m inquiring the GDPR issue myself. There are some things that are clearer after my researches, but some are still unsolved.
I only collect the sign-up/log-in info. Is there other data that Adalo collects by default ?
I understand the biggest non-compliance subject is the servers’ location in the US and that this is regarded as offering a non-equivalent protection as EU ones because authorities can access them without safeguards. However, what about a workaround that would consist in connecting Adalo to another API, say Airtable (I did not check if they are compliant) or another one to store the users’ data
If so, would the data still pass through Adalo ?
For reference, I’ve worked on several GDPR projects with banks and insurance companies. There are a few fine print items to be aware of:
GDPR is applicable if you TARGET EU citizens, regardless of your jurisdiction. So if you’re in the EU, it certainly applies. If you’re outside the EU, it could also apply, depending on if your situation.
If you aren’t collecting Personally Identifiable Information (PII), you can get away with a lot, regardless of location. An email and a password are not PII. If you’re collecting names, DOBs, etc, you’ll need to be GDPR compliant.
Your T&Cs need to explicitly state where data is stored and processed. Having users acknowledge this would be the best practice. You also need to state why their data is being stored, how it’s being used, and why. For example “We store data in Amazon Web Services hosted on servers in the United States. This is required for the operations of the application.” and spell out other important points like marketing, do you provide data to 3rd parties, etc.
You’ll need to be compliant with the rights of the individual (‘right to be forgotten’, right of access, right to data portability, right of rectification). This can be achieved through workflows and some manual steps.
Don’t store anything that needs to be encrypted. Right now, Adalo doesn’t have encrypted fields. Do not try and store sensitive information (especially credit card numbers).
Lastly, don’t use cookies. Users can’t opt out of tracking in the app, so I wouldn’t include those. You’ll need to mention Adalo has some basic tracking functionality, but doesn’t gather user specific information.
In short, you can be GDPR compliant, but a lot of that depends on your app and its functionality. There are apps that’re already compliant and there are apps that cannot be compliant.