Bubble API - data routing for GDPR

When connecting with third party API end points does bubble api connector act as an intermediary - i.e. does the data from a browser session traverse a backend Bubble API service or does it connect directly with the third party api?

The reason why I am asking is because of GDPR related issues - I am considering building out the database separately in AWS and then connecting to it via api and only making use of bubble for the front end. Is this a good/bad idea?