Kodular, Crashlytics and GDPR

Thank you for your reply, MeteorCoder,
In fact, my doubts concern how GDPR applies to Kodular’s use of Crashlytics in the app I/we developed with their system.

Probably my poor English is not very understandable by a native speaker :slight_smile:

1 Like

I’ve read your topic. You were among the few, along with Cian, to raise the GDPR issue in more than one situation.

I think that in this context (I am not referring to Kodular in particular, but to all the alternatives to Appinventor) there is not enough talk about it.

Appinventor creators tend to ignore the GDPR and you can see things at the limit of legal. Just take a look at the apps available to make yourself aware that the GDPR (although I agree that it may represent a problem for small developers) is needed today more than ever. I would just like to understand how to apply it correctly :slight_smile:

1 Like

The most important aspect here is to understand how Kodular have set up their Crashylitics. The key to GDPR is being able to identify the end user. Fabric retains geolocation information for only 10 seconds as an example.

What additionally has Kodular added as part of their core setup?

In short, from my investigation, I do not see how the Crashlytics information contain enough information to identify an individual. I am curious as to what Kodular have setup, overall I am not concerned. I am very careful with what I build, what I ask for, and where I store it.

@hammerhai . You are wrong. Data deletion is not “immediate” . it is “without undue delay”.


Nothing, as confirmed directly by the team (I wrote it somewhere in my message). And I trust Kodular. But trusting Kodular is not enough, I think.

For me the point here is to understand how to make everything, including my the final app, GDPR compliant: if Kodular presents itself as a data controller or data processor and if it is possible to give up the opt-in/opt-out for end users for some reason. And finally, if you really want the cherry on top, if it is appropriate to include as an option the possibility to use Crashlytics :slight_smile:

Can I ask what you mean?

As you clearly say, GDPR affects to Personal Data
However, Crashlytics and Fabric Analytics never request/send/store such kind of data

They just log and report metadata, such us device information, location, events, etc., to their server, and stores them just in an analytical way
What is analytical way? It is anonymous and send in a massive/bulk packages

There is no way to track a single user from Fabric (which is what GDPR was designed for) or to log personal information
In our dashboard, we can only see Android Versions, real time locations (based from IP geolocation) and other useful information for developers only
I attach below some sample screenshots:

As you can clearly see, there is no way to point out a single user, or to better analyze that “bulk data”
Moreover, there’s no way in Fabric’s dashboard to go back in time and check, for example, which were the most active apps for the 4th January 2019

Also, I recommend reading this:
Privacy and Security — Fabric for Android documentation (docs related with GDPR and Fabric)
Privacy and Security — Fabric for Android documentation (Analytics and GDPR)
Privacy and Security — Fabric for Android documentation (Crashlytics and GDPR)
Fabric Blog | Build. Understand. Grow.

Also, if you are worried about Crashlytics, there’s no way to identify any user from there:


Hehe Samsung is first, :blush:

1 Like

There’s no more information, as we don’t need it though
We want to have some kind of analytical data in order to analyze which are the most used Android versions, phone brands, which Kodular Creator versions are running in our apps, etc.
But NEVER personal data, as we don’t need it

There’s actually no way
Fabric was intended for so, a way to get ANONYMOUS analytics for development usages

1 Like

My question is, are you seeing somewhere personalized content inside our platform/apps which may demonstrate the usage of personal data without any prior notification?
As I’ve said, if there’s no need, why would we do it?

We like Fabric as it provides all we need: general anonymous analytics
Also, in the links I’ve attached, you can see which information can Fabric store. And, as I hope you can see, there’s no way to track any kind of sensitive information with their platform

1 Like

The legal expression without undue delay does not mean immediate. Any delay needs to be with reason. i.e, having to go to backups to remove, or assessing if you are required to keep some information for other legal purposes, like taxes etc.


Of course there’s going to be delay, but what I meant is it being done within that same day :sweat_smile: of course, if it’s by request, they won’t be able to do it immediately.

1 Like

Maybe I should have written, “Trusting someone is not enough for the law.” I don’t know if the translation makes sense. It was certainly not an accusation. I’m sorry if it was misinterpreted. anyway
I never thought or written that Kodular could use illegally personal end-user data collected from our applications.

From what you write Fabric does not collect any user data, but the page you linked (and that I had also linked) clearly says that in certain contexts Fabric collects personal data. But if I understand correctly, they are encrypted (and therefore anonymized) both during sending and storage. Is this enough to allow us to avoid an opt-in/opt-out in our applications under the GDPR?

And, Diego: I’m not accusing anyone, I’m just trying to understand.

1 Like

You cannot avoid an opt-in opt-out. The location is captured, and while it is not retained it is still captured and used. Combine that with the device type, and you have an indirect way of identifying an individual, even only for a short period of time.

Thats my interpretation.

1 Like

That is my interpretation too (with some doubts, as always :slight_smile: ), but currently is not possible implement an opt-in/out.

1 Like

That’s not true
How many websites redirect you to your language/country subwebsite without asking?
Lots of webs just forward you to their respective country subpage, and you never get a consent screen to stop your IP geolocation, because it is not stored


But it also says that the unique “personal data” is a single UUID in order to identify and prevent double analytics
That UUID is never visible to anyone, and also it is not any kind of sensitive information, it’s a random string to prevent false analytics


I think Diego is right. Actually, it would seem that new versions of Crashlytics do not send to Fabric personal data that could identify a user, unless the developer using Crashlytics (in this case Kodular) uses custom keys/tags (we know that this is not the case). The change was made to make Fabric GDPR compliant.


From a legal perspective, if you track enough information to indirectly identify a user, it falls under GDPR. That we agree on. Is location and device type enough? I would say it could be argued Yes. My target audience is Lawyers (I am a former lawyer) so I have to be very very careful with how the user interprets.

At the end of the day, we know there is no binary answer. It is not a yes or no. It is about a level of interpretation. For my use and audience, I have to be over the top cautious. For others, they can probably argue a much looser interpretation.

So we are all right :slight_smile:


Yeah, I know
But the data sent is always anonymous, and the strongest sensitive data as said it’s ip geolocation, which isn’t preserved more than 10 seconds
And Fabric is adapted to GDPR, as you can see on their docs, in a way which doesn’t require from user consent as the kind of data used is not “crucial”