Hey @Sebastian_S_Engen, welcome to the Streamlit community!
This is one of those hard questions to answerā¦since youāve mentioned contacting us already, itās our belief that we are GDPR compliant. Of course, lawyers get paid to argue everything
Is there a way for me to use Streamlit, without ever storing my userās data anywhere online?
Streamlit itself never takes possession of the data. In itās lowest level, Streamlit Cloud (currently) runs on a public cloud, so we never take physical possession of that data in the sense that we donāt own that hardware. From a Streamlit open-source library perspective, when you use st.file_uploader
, the data is stored in Python via a BytesIO object, which is stored in RAM.
So to the extent that your code doesnāt save the CSV file anywhere, it will only persist in RAM until itās overwritten by another session or the container is shutdown.
We believe that satisfies GDPR, as the (very large, global) cloud service we use should be abiding by GDPR, and we donāt save containers in any manner (i.e every time you change your code, the container is rebuilt and the repo is pulled from GitHub).
Do the Streamlit GDPR privacy policies cover, themselves, me or my users rights?
This is where, unfortunately, youāll need your own legal representation. Iām not Streamlitās lawyer, but I can generally say that what we believe as a company (via our legal representatives) doesnāt mean that you couldnāt be liable. Itās just a matter of how your legal jurisdiction decides to interpret the written law and the specific case should it arise.
Best,
Randy