I just noticed I posted my initial response on another account instead of this one. I asked this with Bubble Support and they confirmed that in fact they are not inherently compliant with GDPR as a result of this. I understand it’s a mess for SaaS providers as a result of this, but to state that there isn’t a risk is a bit silly. Ultimately this is going down the road “If everyone is doing it, we can do that”. That advice causes people to collect too much personal data and lead down to the situation we have today.
This mentality of “Oh it’s only a bit of personal data” sets a precedent for companies to start collecting more and then more and more. Then before you know it, Facebook knows what time you got to bed when you don’t even have an account.
It concerns me that in bubbles latest figures, over billions of datapoints of users were created and a lot that could be from EU data subjects on non-dedicated European instances. It’s just a risk I’m not willing to take.