GDPR

The General Data Protection Regulation

Last updated 1 year ago

Legal disclaimer: This article series is meant only to be educational content to help give you a start on these regulatory compliance matters and is strictly not intended to be legal advice. The information presented may not be applicable to your specific situation and may not reflect the most recent developments in this area.

Always consult a qualified legal professional for advice regarding specific regulatory compliance obligations relevant to your circumstances. Details about your specific idea, app or context could make a difference in how you approach these obligations.

Moreover, this article is meant to be an introductory-level guide and will not cover all the fine details of these topics.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a data protection and privacy regulation established and enforced by the European Union (EU). In force since May 2018, the GDPR prescribes how individuals' personal data may be collected and used, including the options websites must offer users regarding their personal data. The United Kingdom kept the regulation in its domestic law (the "UK GDPR") after it left the EU.

GDPR represents a major milestone in tech regulation history, as it applies not only to organizations based in the EU but also to organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. Given that many Bubble apps cater to a global audience, your app may be subject to these regulations even if your company and/or server are situated outside the EU.

GDPR applies to any organization, not only tech companies, that processes personal data outside of purely personal or household activities. Among other things, it requires you to give notice of how personal data is collected, used and shared, to establish a legal basis for each processing activity, and to honour individuals' rights to access, port and delete their personal data.

If you're interested in learning more about Bubble and GDPR, we recommend checking out our dedicated blog post, "Bubble GDPR intro guide", which delves deeper into various aspects of the GDPR. At the bottom of this page is a GDPR terminology table.

Is Bubble GDPR compliant?

Bubble takes the protection of personal data seriously. We have implemented measures designed to meet the requirements of the GDPR (and other applicable data privacy laws).

However, this does not mean that an app built on Bubble is automatically compliant. In GDPR terminology, you are most likely the Data Controller for the personal data in your app, Bubble is a Data Processor acting on your behalf, and the providers Bubble relies on are Sub-processors to you.

What this means is that the tools you use (including your Data Processors and Sub-processors) must comply with the GDPR (which is a big step toward your own compliance), but you still have to set up each individual app and its documentation in the right way in order for it to be compliant with the GDPR.

You can take advantage of Bubble’s capabilities to help meet your GDPR obligations.

Do I have to have a server in the EU to be compliant?

No, you do not necessarily have to use an EU-based server to host personal data in order to be GDPR compliant. However, the GDPR restricts transferring personal data to, and accessing it from, countries outside the European Union. If your app processes the personal data of people in the EU and stores it on a non-EU server, you must make sure that the transfer relies on a valid transfer mechanism, such as the Standard Contractual Clauses described below.

Standard contractual clauses

Under the GDPR, transferring personal data from the EU to countries that the EU has not recognised as providing an adequate level of data protection is restricted. To address this, the European Commission has adopted Standard Contractual Clauses (SCCs), pre-approved sets of contractual provisions designed to ensure that personal data transferred outside of the EU remains protected to the standard the GDPR requires.

After the Court of Justice of the European Union (CJEU, often referred to as the ECJ) ruled in July 2020, in the Schrems II judgment, that the EU-US Privacy Shield was not a permissible transfer mechanism, Bubble incorporated the Standard Contractual Clauses into its Data Processing Agreements (DPAs).

When using SCCs, you agree to follow specific rules and principles regarding the processing and protection of personal data. This helps ensure that the personal data of people in the EU is treated with the same level of care and protection as it would be within the EU. Since Schrems II, parties relying on SCCs are also expected to assess whether the laws of the destination country undermine the clauses in practice (a transfer impact assessment) and to put supplementary safeguards in place where they do.

As a Bubble developer, incorporating SCCs into your data processing agreements with your customers and service providers can be an essential step in becoming GDPR compliant. By doing so, you provide assurances that the personal data of your EU users is being handled securely and responsibly in compliance with the GDPR, regardless of where your server is located.

Bubble acts as a data processor for your company once you deploy your app and end users sign up for accounts on it. Bubble may be one of several processors you use; an analytics platform such as Google Analytics or a payment gateway such as Stripe are other examples. Even where Bubble and the other processors you work with have taken steps to adhere to the GDPR (for instance, Bubble has entered into Data Processing Agreements (DPAs) with its own processors, which act as your sub-processors), you remain responsible for ensuring that your Bubble app is GDPR-compliant.

Bubble has implemented the SCCs in its DPAs with its customers and with its processors (your sub-processors). In addition, starting in July 2023, the new EU-US Data Privacy Framework and Swiss-US Data Privacy Framework, the third iteration of the joint EU-US and Swiss-US programs (after Safe Harbor and Privacy Shield) enabling personal data transfers from the EU and Switzerland to the US, became operational. As a participant in the prior EU-US and Swiss-US Privacy Shield Frameworks, Bubble is "grandfathered" into the new EU-US and Swiss-US Data Privacy Frameworks and will apply the updated Data Privacy Framework Principles, but we will continue to use the SCCs in our DPAs as extra protection.

A frequent inquiry we receive at Bubble is along the lines of: "If you only implemented X, wouldn't that make you GDPR-compliant?" An example of this is users asking whether having an EU data center by itself would guarantee GDPR compliance for Bubble and Bubble apps.

Based on our understanding, the answer is no – merely storing data in an EU data center doesn’t meet all the necessary requirements for GDPR compliance. Similarly, subscribing to Bubble’s Enterprise plan and requesting your own EU-based dedicated Bubble servers is not enough to achieve full compliance with GDPR.

What must I do for my app to be compliant?

While the following list provides a suggested starting point for planning your app’s compliance, it shouldn’t be regarded as all-inclusive or specific to your app.

Ultimately, ensuring your app’s compliance is your responsibility as the developer, and you should seek the guidance of qualified legal counsel and other professionals to assist you in this process.

  1. Understand the GDPR’s scope: Determine if the GDPR applies to your app. If your app collects, stores, or processes personal data from EU residents, even if your company is located outside the EU, you must comply with the GDPR.

  2. Establish a legal basis for processing data: Ensure that your app has a legal basis for processing personal data, such as user consent, contract necessity, or a legitimate interest.

  3. Provide notice and obtain consent: Create a clear and transparent privacy notice, explaining what personal data your app collects, how it’s used, and with whom it’s shared. Where necessary, obtain explicit, affirmative consent from users before collecting their data. Ensure that users can easily withdraw their consent at any time.

  4. Implement privacy by design: Incorporate privacy considerations into your app’s design from the outset. Use privacy rules to restrict who can read and search each data type, and limit data collection to only what’s necessary for the purpose you have stated.

  5. Respect user rights: Ensure that your app allows users to exercise their rights under the GDPR, including the rights to access, rectify, erase, restrict the processing of, and port their personal data.

  6. Set up data breach notifications: Develop a process for detecting personal data breaches and reporting them to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as the GDPR requires. Where a breach is likely to result in a high risk to the affected individuals, you must inform them as well.

  7. Manage third-party relationships: If your app uses plugins or third-party services (such as APIs or external databases) that process personal data, make sure they are GDPR compliant and enter into appropriate DPAs with them.

  8. Set up privacy rules: Configure privacy rules in Bubble to restrict access to personal data (especially “sensitive” personal data) so that users can see only the data they need and are authorized to see. Privacy rules are enforced on the server; hiding an element or adding a condition on the page only changes what is displayed, not what data is sent to the browser, so on its own it does not protect the data.

  9. Publish a privacy policy: Draft and publish a comprehensive privacy policy that explains your app's data processing practices, user rights, and contact information for privacy-related inquiries.

GDPR terminology

Consent: Unambiguous and affirmative user agreement to the collection and processing of their personal data for specific purposes within your app.

Data breach: A security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data collected by your app.

Data controller: The entity (or entities) that determines the purposes and means of processing personal data. App developers are likely data controllers.

Data Processing Agreement (DPA): A contract between a data controller and a data processor outlining each party's responsibilities and obligations for processing personal data and for GDPR compliance in your app.

Data processor: An entity that processes personal data on your behalf, such as a third-party service you use in your app for analytics, payments or email. Bubble is likely a data processor to you for your app.

Data Protection Officer (DPO): A designated person responsible for overseeing GDPR compliance for your app. Appointing one is mandatory for certain organizations and processing activities.

Data subject rights: Rights granted to users by the GDPR, such as accessing, rectifying or erasing the personal data your app has collected and processed about them.

Legal basis: The legal reason for processing personal data in your app, such as user consent, contractual necessity or a legitimate interest.

Personal data: Any information relating to an identified or identifiable individual that is collected through your app.

Privacy by design: Integrating data protection and data minimization measures into the development and operation of your app from the very beginning.

Processing: Any operation or set of operations performed on personal data, such as collection, recording, use, storage, adaptation or alteration, retrieval, disclosure, dissemination, combination, erasure or destruction.

Restricted data transfer: A transfer of personal data collected by your app from the EU to a country outside the EU, which is only permitted when certain protections (such as SCCs or an adequacy decision) are in place.

Sub-processor: A further data processor engaged by one of your processors to handle personal data on its behalf. Bubble's own processors are sub-processors to you.
