Hello,
So I couldn’t find any other discussions specifically about this but might have missed something…
So I just knocked together a simple Anvil app - it’s just a simple search form against an open API.
And as I was adding Google Analytics to it, I realised ah - now I have to think about GDPR.
Which then made me think about the other aspects of Anvil apps, and whether there’s anything that comes out of the box with Anvil which we should really be displaying privacy notices about?
So my first question is: "If I deploy a simple Anvil app with basic open functionality (as with https://search-tools.opennhs.io) am I GDPR compliant from the offset or am I already breaching by not having a cookies policy and option for people to opt out?
And secondly, if in fact I should be doing something for GDPR - how about Anvil includes something that boostraps it for me so I can just build an app and have it automatically compliant by meeting the basics? 
There have been a few questions on GDPR here, but I don’t think any have been answered in any detail.
My concern is that if I build a database using Data Tables and someone exercises their right to be forgotten, are their details removed from all backups as is a requirement of GDPR?
Also, I believe that as Anvil is storing the data, there should be an agreement between Anvil and us stating their compliance.
I think this whole area needs some clarification.
Hi Matt (and David!)
The policy you’re looking for is at https://anvil.works/privacy, which we’ve tried to keep as clear and comprehensible as we can. It tells you what we do with your data (as an application developer), and your app users’ data. If we have to change it, you’ll get notified (as described on that page).
To answer your particular question, we do not store [non-session] cookies on your app visitors’ computers unless you use anvil.server.set_cookie() (or by enabling the “Remember Me” checkbox in the Users service - both of which count as explicit instructions from the Data Controller [you] to the Data Processor [us]).
Of course, if you want to store personal information about your users, or track them, you’re going to need to have a lawful basis for doing that, just like any other data controller.
Hope that helps clear things up
1 Like
Thanks @meredydd yes that’s helpful and I hadn’t noticed it.
Looks like I probably just need to knock up my own privacy policy taking bits from yours and adding some app specific stuff