Hey @Sebastian_S_Engen, welcome to the Streamlit community!
This is one of those hard questions to answer…since you’ve mentioned contacting us already, it’s our belief that we are GDPR compliant. Of course, lawyers get paid to argue everything.
Is there a way for me to use Streamlit, without ever storing my user’s data anywhere online?
Streamlit itself never takes possession of the data. At its lowest level, Streamlit Cloud (currently) runs on a public cloud, so we never take physical possession of that data in the sense that we don’t own that hardware. From a Streamlit open-source library perspective, when you use st.file_uploader, the data is stored in Python via a BytesIO object, which is stored in RAM.
So to the extent that your code doesn’t save the CSV file anywhere, it will only persist in RAM until it’s overwritten by another session or the container is shut down.
We believe that satisfies GDPR, as the (very large, global) cloud service we use should be abiding by GDPR, and we don’t save containers in any manner (i.e., every time you change your code, the container is rebuilt and the repo is pulled from GitHub).
Do the Streamlit GDPR privacy policies cover, themselves, me or my users’ rights?
This is where, unfortunately, you’ll need your own legal representation. I’m not Streamlit’s lawyer, but I can generally say that what we believe as a company (via our legal representatives) doesn’t mean that you couldn’t be liable. It’s just a matter of how your legal jurisdiction decides to interpret the written law and the specific case should it arise.
Best,
Randy