Hi @phm,
The good news about this is that GDPR is 75% common sense, and the answers to these questions are therefore pretty straightforward!
Looks like [youtube etc] are de-facto [loaded] in all apps?
Including YouTube/Maps/etc by default is indeed a bug, that’s already fixed in the current version of the hosted service and will be fixed in the next release of the App Server (which is overdue, but coming!). Anvil doesn’t load, eg, the YouTube API unless you’re using the YouTube component.
From Anvil, there are anvil-test-cookie and ring-session (a session cookie for a not logged-in visitor?).
These are essential cookies that contain (and track) no personally identifiable information (PII). The same goes for the session record in the backend – session cookies are necessary to (eg) match up successive anvil.server.call()s with each other.
how to prevent having user emails to reach App logs and sessions for not logged-in visitors
User email addresses are not recorded in App Logs unless you print() them into the logs. And if a user doesn’t log in, we (or the App Server) have no idea what their email is, so it can’t possibly reach the session or the logs!
Final question about telemetry. Is there any user and/or usage data coming from Anvil runtime server to Anvil?
Nope!
Same question with uplinks connecting to Anvil hosted apps.
Yes, if you connect to an app on our hosted service, that connection will appear in your Anvil app’s logs!
As well as the App Logs you see, we also keep some internal diagnostic logs to keep the platform going – depending on what we’re debugging at the time, these may contain some incidental data about what your app is doing (and therefore possibly what your users are doing with it), but we’re not data-mining it; that data is only used for keeping the service running. Our privacy policy goes into this all in more detail.