GDPR Compliance

GDPR is coming to Europe this May, meaning all developers need to ensure their websites/apps are compliant with this new stricter data and privacy regulation:

https://nilehq.com/journal/gdpr-for-dummies/

Can somebody from Corona please let us know: if we create an app in Corona, with no external plugins, is Corona sending or storing any user data on our behalf? 

Thanks

Studycat

I guess Corona needs to be GDPR compliant at some point as well as the ad networks and other plugins that collect data. According to the additional links in the article you provided, that seems to be the case.

I’ll bring it up to our team. I believe our privacy policy and privacy policy for App developers covers what we capture.

https://coronalabs.com/privacy-policy/

Rob

@Rob, I believe the OP was about Corona built apps and what the framework sends over the internet.

I can see the sim has 5 different network connections… what are these exactly?

I can only assume our compiled apps are constantly reporting to you too.

I understand @sgs, there is a link off of that privacy policy page for app developers. Here is that specific link:

Are we compliant with GDPR today? I have no idea. I’ve brought it up with the team who knows more about our analytics model than I do.

Rob

Ah I missed the link!

I notice this bit in the privacy policy page for app developers

Developers: all information (including Personal Information) which is collected through an App as part of the Services is made available to the Developer of that App.

Can we have access to this data then please?  I am sure we would all like that detail.

@sgs, I don’t know if the changes were made recently but that seems like there should be an analytics tool in place like it was introduced before.

WHAT PERSONAL INFORMATION DOES CORONA LABS COLLECT?

We collect the following types of information from you when you use one of our Developer’s Apps: the bundle id or package name of the app, your IP address (including country of origin), device operating system (including version), unique device identifier (“identifierForVendor” for iOS and tvOS or an Android code that uniquely identifies the device) not associated with any other personally identifiable information, and the current time each time you launch an App.

Cookies/SessionIDs – Although the Services do not place cookies on your device when you use an App, each time you launch an App, we assign a unique session ID (a “Session ID”) to that launch of the App which we associate with the other information that we collect during your use of the App during that launch session. We do not associate Session IDs with Personal Information.

So this raises the question of how do we access this valuable data that, supposedly, “is made available to the Developer of that App”?

I’m trying to find out from the team. Patience please.

Also interested in this. It’s hard to find good info on GDPR and what it means for mobile apps using ads SDKs, analytics etc. Seems no one really knows basically… 

@Chribbe, I’m not an expert but for ads and analytics SDKs, developers are probably not considered as the “data collectors” but more of “data viewers”. In the end, ads and analytics companies store all that data and probably, they will be the ones that need to comply with GDPR and not us. On the other hand, if you embed your own analytics system or collect data of any kind, you’ll probably need to offer a new privacy policy that is in line with GDPR.

Well, we can hope… But I’m not sure that will work out. Take a look at Google’s new policy here for example, which I guess applies to Admob ads:

https://www.google.com/about/company/consentstaging.html 

 

For Google products used on any site, app or other property that is under your control, or that of your affiliate or your client, the following duties apply for end users in the European Economic Area.

You must obtain end users’ legally valid consent to:

  • the use of cookies or other local storage where legally required; and
  • the collection, sharing, and use of personal data for personalization of ads or other services

Personally, I am more interested in 

Developers: all information (including Personal Information) which is collected through an App as part of the Services is made available to the Developer of that App.

And yes, AFAIK, we are responsible for the 3rd party platforms we integrate into our apps.  Just ensure your privacy policy is watertight and you specifically write about the plugins you use and what data they gather.  Most are only IP which is fine.  GDPR is more about personally identifiable information - name, age, location, email, etc. 

I note Corona is totally avoiding my request for app stats (something I remember we used to have) and that we should be good devs and “just be patient”.  If I promised something to my players and they didn’t get it I would be lynched in reviews!

From what I’ve read both IP and deviceIds are considered personal data by GDPR? And - even with a “watertight” privacy policy you would still need to collect end users’ consent, and store the date and info to be able to show that you actually have the consent from the end user. But yeah, it seems very unclear at the moment.

Generally a public privacy policy will state (words to this effect) “that by playing our games you agree to…” and then you include all the legal jargon required to indemnify you.

As long as your privacy policy is publicly available on the app stores I believe, legally, you are covered.

If you demand email addresses, etc. then that is a different convo.

But still unanswered are

i) what all those network connections are from corona simulator (and by default our apps too)?  I have profiled running corona apps and can see the same behaviour in compiled apps.

ii) where are the developer analytics you promise? 

@sgs I’m trying to find answers for you.

Rob

From the ad Networks that have GDPR already enabled I have noticed the following: after x amount of impressions (usually one or 2) the next interstitial or banner ad instead of being an ad will be a requesting permission dialog “ad” (for no better way to call it). The few times I have seen it is so awkward that I click no, but I still continue to receive ads (probably cheaper ads).

I was going to ask the question about Appodeal. Would each network have to show some sort of consent capturing dialog box or would you have a way to pass that the consent was acquired for all networks once? Interestingly enough, Appodeal already shows one consent capturing dialog box from Ogury if you enable it (or at least I assume so).

@agramonte, so now we need to ask for permission to show ads or is it just for SDKs’ targeting abilities?

@Chribbe, some publishers will clear that out soon before us but I guess we’ll need to include links to the SDKs’ privacy policies that we use, in the privacy policy link that we upload to the stores. Since it would be hard to always follow those pages if they’ve changed, this should be the logical way to go.

According to Admob, it is expected that the app not only asks for consent but also stores the consent. Admob has plans to help in the future by showing consent free ads but initially expects the publisher to record and store the consent.

You can read more here:

https://searchengineland.com/report-google-asks-publishers-to-manage-user-data-consent-for-ad-targeting-in-eu-gdpr-294917

Here is an example of some consent UI that I have found:

https://www.bing.com/images/search?view=detailV2&ccid=7FbkufOL&id=C8A671BDF90B0AC2B25617FF648A2D15CF94D1BE&thid=OIP.7FbkufOLxAanVT5KaN3W2AHaEK&mediaurl=https%3a%2f%2fpagefair.com%2fwp-content%2fuploads%2f2017%2f08%2fpublisher-request.001-1024x576.png&exph=576&expw=1024&q=gdpr+consent&simid=608019529910324030&selectedIndex=5&ajaxhist=0

I don’t have a choice since I have a bunch of users in Spain. So either I turn off my games in Spain or deal with this before May.

Adrian