According to gdpr.eu (GDPR compliance checklist - GDPR.eu) there is nothing in this checklist that directly makes Bubble not GDPR compliant.
Could you provide some resources that clearly state Bubble is not compliant? Thanks
Hi @hoke,
This blog post written by @allenyang on the Bubble Team might be useful:
Pretty sure it’s to do with the fact that data is stored in the US by default, and since the US-EU Privacy Shield was revoked in July 2020 there isn’t an easily compliant way of transferring personal data from the US to the EU. It’s a pretty complicated topic that I’m also trying to wrap my head around, and there’s a lot of grey area at the moment while the two blocs try to create a new alternative to Privacy Shield. From what I understand, if you host the data in the EU/UK it should be compliant, but I’m not a lawyer, and that will involve using a third-party database or a Bubble dedicated plan.
I believe it would be helpful if Bubble held some sort of seminar about this topic. There are many resources on how to make a traditional website compliant, but with Bubble this is not the case. Whether or not it is possible to be fully compliant using Bubble, I’d be happy with some transparency / guidance on that point.
I don’t really see what we’re restricted to by building with bubble that would keep your webapp non-compliant in the EU.
I agree.
I’m not sure that they will, since they would be hesitant to give concrete legal advice. GDPR is a complex topic, as already mentioned, and starting any tech company, regardless of platform, should involve the proper legal counsel.
I’m fairly certain that Bubble is GDPR compliant though, and not sure where you heard otherwise. That doesn’t automatically make your app compliant though – Bubble in your case will be a sub-processor while your app is the controller. There are a range of different criteria your app must adhere to in order to be compliant.
The EU/US Privacy Shield was indeed deemed an impermissible transfer mechanism in 2020, but that ruling did not rule out other transfer mechanisms. Currently, Standard Contractual Clauses (usually a part of a company’s DPA) are considered valid, and Bubble has adopted that standard as part of their DPA.
In other words, unless I have missed some important news, Bubble can be a compliant sub-processor even without a dedicated EU-based server.
I’m open to revising my view here if I’ve missed something, so you know… this is not legal advice.
I am thinking that you meant a “processor” and not a “sub-processor”, since your Bubble-coded app is a data controller and Bubble is your processor, while any other services that Bubble uses internally are sub-processors in relation to you.
Yes, you are absolutely right – was too quick on the keyboard there, thanks for the correction.