the plugins db has this statement
"It uses Firebase to push the updates and stores the data anonymously, so no GDPR concerns there."
This feels like a misleading statement to me.... (IANAL but I suspect that statement hasn't been approved by your legal team) :-)
I think it's probably ok to say:
"we store user submissions/responses in an external system".... "we don't store usernames in the same place" and leave the organisation up to decide if it meets their GDPR requirements.
I also note that your privacy api identifies that "userid" is also passed to the external service - and that most definitely qualifies as identifying user information - so either your privacy api is wrong, or the statement itself is also very wrong.
https://github.com/open-lms-open-source/moodle-mod_livepoll/blob/master/classes/privacy/provider.php#L55
the plugins db has this statement
"It uses Firebase to push the updates and stores the data anonymously, so no GDPR concerns there."
This feels like a misleading statement to me.... (IANAL but I suspect that statement hasn't been approved by your legal team) :-)
I think it's probably ok to say:
"we store user submissions/responses in an external system".... "we don't store usernames in the same place" and leave the organisation up to decide if it meets their GDPR requirements.
I also note that your privacy api identifies that "userid" is also passed to the external service - and that most definitely qualifies as identifying user information - so either your privacy api is wrong, or the statement itself is also very wrong.
https://github.com/open-lms-open-source/moodle-mod_livepoll/blob/master/classes/privacy/provider.php#L55