Making Bubble.io GDPR compliant - 3 important factors

We will show you the 3 most important factors to make Bubble.io compliant with the GDPR. Make your website or application privacy compliant.
Published by
Alexander Sprogis
Created on
June 21, 2023

The General Data Protection Regulation, DSGVO for short, does not allow personal data to be stored or processed on US servers. This makes it difficult to use tools from the US, such as Bubble.io. In this article, we will show you how to make Bubble.io compliant with the GDPR.

Note: This article does not constitute legal advice. Our research has been done to the best of our knowledge and belief, but of course cannot guarantee one hundred percent correctness and completeness. Therefore, we do not assume any liability for the content. Please have your own individual case checked by a legal expert.

The three most important factors you need to pay special attention to with regard to the GDPR are databases, authentications and tracking or cookies. Personal data is processed in these 3 places. In the following, we will present you with various alternatives to ensure that either no personal data is stored and processed, or if it is, then only on an EU infrastructure and servers.

Factor 1: Database

The problem from a privacy perspective with Bubble is the custom PostgreSQL database in each project created. This database, like Bubble itself, is hosted on the Amazon Web Services infrastructure. According to various forum posts, it is the aws-us-west-2 region, i.e. in the USA.

Therefore you should use alternative databases

Applications that are operated in a DSGVO-compliant manner must resort to alternatives. The advantage is that integrating an external database into Bubble is relatively easy. Through the free SQL Connector and API Connector plugins provided by Bubble, a variety of backend systems can be connected.

Integration of an own SQL database

SQL databases are based on a relational database model, which is a simple and intuitive way to store data in tables. If you have already used Bubble for several projects, you already know the principle very well.

There are different types of SQL databases, all of which can be operated either in-house or with a cloud service. You should only put your own database server into operation if you can provide the corresponding infrastructure, security and performance. The most popular SQL database systems include MySQL, PostgreSQL and MSSQL (Microsoft SQL).

It's best to use one of the following cloud services here:

The connection to your Bubble app works via the SQL Connector plugin. For this, Bubble needs the connection string to the database, i.e. the address at which your database is accessible. There are different authentication methods, but the most common one is a defined database user. Make sure that your data is transferred encrypted.

You can find out more about connecting SQL databases via the SQL Connector plugin here.

You only understand station? Then check out our free preview of our Bubble Masterclass!

Integration of a Mongo database

Another database system that can be integrated into your Bubble App is MongoDB. This is a document-oriented database system that was created for extremely scalable data volumes. This is already derived from the name: "Mongo" abbreviation from Humongous, in German "gigantic". Data is stored in JSON documents. Javascript Object Notation is a compact data format with easily readable text content, which is used for the exchange between applications. Unlike relational databases such as SQL databases, MongoDB uses a flexible data schema. Fixed data structures, as known from SQL tables, are therefore optional.

The connection to your Bubble App works in this case with the API Connector Plugin. MongoDB provides corresponding API endpoints for your created collections.

You can find providers of MongoDB at the developer directly or at IONOS.

Cloud services as an alternative to database systems

In addition to the various database systems, there are also various cloud services that can serve as a backend for your Bubble application. They can all be connected to your application via the API Connector plugin.

  • SeaTable is the German alternative to Airtable. If you know Airtable, then you will quickly find your way around SeaTable. It is a hybrid of spreadsheets and databases. An intuitive interface lets you quickly create databases and tables to store your data. SeaTable provides a rich API that lets you expose your data to Bubble.
  • Ninox is a great tool to digitize work processes. It is also a visual database that provides tables, views, forms and reports.
  • Xano is a no-code backend platform that uses PostgreSQL.
  • Bubble Dedicated Server is a dedicated bubble server with EU hosting. The infrastructure still belongs to a US company. It is therefore necessary to check whether the applications are then really DSGVO compliant.

Factor 2: Authentication

Authentication ensures that the identity of a user can be proven and verified against a system. This requires the exchange of sensitive data. To ensure that this data is not processed and stored on US servers, the following options are available.

Auth0 (zero)

According to Auth0, data from European customers is processed exclusively on EU servers, primarily in Germany, with Ireland as a failover alternative.
You can link to Auth0 via the Bubble Plugin or the Bubble API Connector.

Users are then directed to an Auth0 login screen for authentication. There, they can register or log in, and an access token then forwards the data to the web app.

Xano

Another possibility for authentication is the integration of an own API endpoint in Xano. For this you need a user table, in which the user data incl. password are stored.

In Bubble, you can include the forms for registration and login for the integration of Xano as usual. When the user clicks on the button, the data is sent to Xano via the API and the tool returns an authentication token. This is then stored as a cookie in the Current User for as long as the session exists.

What else you should know about authentication

  • Other interesting authentication providers are MojoAuth
  • Manual token integrationo article with Auth0

Factor 3: Tracking and cookies

For the DSGVO compliance of the tracking functionality and the cookie banners, there are a few different options that I would like to present to you below:

"Do no set cookies option in Bubble

When a bubble app is launched in the browser, a user session is created. In this user session, a temporary user is created. This user is assigned the status "not logged in".

This temporary user behaves like a registered user, he can change and save attributes.

For example, the query of a user's age can be made before registration. When this user later creates an account, the age is stored in the temporary user. In the bubble workflow, you simply save the value for the "Current user".

Then when it registers, you can pass the value from the temporary user to the created account in the background.

So if the user comes back to your site later and has not deleted any cookies in the meantime, the user will have all the properties as in his last session, in this example the age. Bubble automatically deletes these temporary users after 3 days. When the user comes back to your site, a new temporary user is created.

  • Google Analytics is the tracking tool developed by Google.
  • Cookie consent management platforms such as CookieFirst, Cookiebot and Usercentrics offer a comprehensive platform for the administration and individualization of cookies as well as their statistical analysis.
  • DIY cookie banners can be created with Bubble.io. To do this, you need to create an additional column in your database, where the opt-in setting is stored. With the Bubble Actions "Opt-in / Opt-out to cookies" you can then consider the user's choice.
  • Fathom Analytics is a tool from a Canadian company, where all data from EU customers is processed exclusively on EU servers. Furthermore, no personal data is logged, so you can theoretically omit your cookie banner. Provided you don't use any other tracking services besides Fathom! Fun fact by the way: One of the founders, Paul Jarvis, has written a very good book called "Company of one - why staying small is the next big thing". So if you are self-employed or founder:in of a company and accordingly limited to your own capacities, I can highly recommend the book to you.

Conclusion

With the above mentioned ways, you are on the right track. If data is only stored on EU servers and the cookie banner works correctly, your web application should be GDPR compliant. However, you should always seek advice from a legal expert to be sure.

Outlook

The EU and the USA are currently working on the Trans Atlantic Data Privacy Framework as a new version of the Privacy Shield Agreement. Data transfers to the USA should then be possible with a new set of rules and binding protective measures. However, it will still take a while before this is the case.

Do you want to learn Bubble.io?

Start for free with our Bubble Fundamentals course and learn how to develop your own websites and web applications.

Subscribe to the newsletter now
Here are updates on VisualMakers and No-Code!