Privacy

30856 readers

409 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

Chat rooms

[Matrix/Element]Dead
Discord

much thanks to @gary_host_laptop for the logo design :)

founded 4 years ago

MODERATORS

[email protected]

Gumb is not GDPR compliant - Meeting Manager for Communities (postit.quantentoast.de)

submitted 1 year ago by [email protected] to c/[email protected]

0 comments fedilink hide all child comments

GDPR Compliance Check

For those who haven't heard of it before, Gumb is

A platform for managing meetings, gatherings, and events for communities of any size. - gump.app/en

I have investigated this app because it is used by a club where I am occasionally active.

Landing Page / Homepage

Fonts: The landing page is using google fonts, so those fonts are loaded (8 requests) from fonts.gstatic.com when opening the website. The first issue here is that google fonts are not listed in the privacy policy at all. Second, by a German court ruling google fonts are not compliant with the GDPR:

The use of external font services cannot be based on Art. 6 § 1 p.1 f GDPR, as the use of the fonts is also possible without having to establish a connection from visitors to external servers. - LG München Az. 3 O 17493/20

Images: Furthermore the website is loading images from firebasestorage.googleapis.com (105 requests). Following the argumentation of the previously mentioned court ruling, using firebase for images could also be considered non-compliant because images could easily be served without having to establish a connection from visitors to external servers.

Youtube Embed: The website includes a youtube iframe (13 requests to www.youtube.com) with an introduction video. While youtube themself offer an iframe option called "Enable privacy-enhanced mode", the Gumb homepage embeds the »normal« iframe that places tracking cookies which again violates the GDPR. The iframe furthermore sends

6 requests to play.google.com/log,
4 requests to https://googleads.g.doubleclick.net
1 request to https://static.doubleclick.net
4 request to https://jnn-pa.googleapis.com

Tracking: The website uses, as stated in their privacy policy, Google Analytics (GA) which results in a request to https://region1.analytics.google.com/g/collect... and https://www.googletagmanager.com. However, writing "we use GA" in the privacy policy is not sufficient. GA requires consent from the website visitor.

There are a few more unnecessary requests, but I think the point is clear.

All of that is happening without any consent from the visitor!

Mobile App

Gumb offers mobile Apps for Android and iOS, of which I only checked the Android version. While I can't say for sure that the app violates the GDPR because it immediately asks for credentials, the Exodus Privacy Report (of the latest version 1.0.84) still looks rather bad:

Amazon Analytics
Amazon Mobile Analytics
Google Analytics
Google CrashLytics
Google Firebase Analytics
Google Tag Manager

Web App

Next to mobile apps, Gumb offers a web app too. Well, what can I say - there are requests to

https://fonts.googleapis.com
https://www.googletagmanager.com
https://region1.analytics.google.com/g/collect...
https://www.google.de/ads/...
https://stats.g.doubleclick.net/g/collect...
https://ipgeolocation.io/

even without being logged in or any given consent.

Conclusion

For a tool from Switzerland with paid subscription plans and the purpose of managing events/meetings etc. it uses a lot of google (tracking) services... Very sad to see as the app looks otherwise really modern and useful. Do today's developers know that applications like Gumb can be implemented without selling their users' soul to google?

no comments (yet)

sorted by: hot top controversial new old

there doesn't seem to be anything here