Storing that kind of info takes things to a whole new level IMO since it is so sensitive. If I held that type of data I’d do a ton of research/reading on privacy and build in as many protections as possible. I’d also have to make a basic decision on whether Bubble can provide the level of security I need from both a security and a legal perspective (I don’t know the answer to this question in your case).
In addition to the “basics” of privacy rules and workflow conditions there’s other aspects I’ve seen discussed like encryption, 2FA, password policy, and then the non-technical stuff like who has access to the data and do I have controls around ensuring they aren’t doing anything improper with it. And then I’d run the whole setup past Bubble support as well as a hired pro.
A couple of posts that I recall as touching on sensitive data questions include:
PS: and I am guessing there are regulations in different countries governing how sensitive info needs to be held, which may be why Bubble has this disclaimer in their privacy policy, so there could be a legal/compliance aspect to this as well:
13. SENSITIVE PERSONAL DATA
Subject to the following paragraph, we ask that you not send us, and you not disclose, any sensitive personal data (e.g., social security numbers, information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background or trade union membership) (“Sensitive Personal Data”) on or through the Bubble Service or otherwise to us.
If you send or disclose any Sensitive Personal Data to us when you submit user-generated content to the Bubble Service, you consent to our processing and use of such Sensitive Personal Data in accordance with this policy. If you do not consent to our processing and use of such Sensitive Personal Data, you must not submit such user generated content to our Services.