Web application with signing in by firebase

bambz

Hi, I've created an app where users sign in by firebase (the only channel is google). After signing in, I persist in firestore the uuid of the google user and the user's nickname, which he creates after first entry to the app.

Should I have a terms and conditions, privacy policy and rodo? What if I don't prepare it? Could somebody delete the app? What are the consequences?
 
TL;DR:

Should I have a terms and conditions: Yes,

privacy policy: Yes,

Rodo? is just how OAuth works, if you didn't get this right you messed up (just googled rodo is this GDPR? if so that depends)

What if I don't prepare it? legality issues... maybe

Could somebody delete the app? maybe

What are the consequences? small to a huge mess up.

Overview:

You created an app and are using firebase authentication. You mentioned that google is the only authentication method you utilised.

This means that the user signs in with their google account and gives you permission to read x amount of their data. After signing in from google the user is redirected to your app if you have configured it all correctly.

This sounds fine, a user can revoke their permission to your app through their google settings. No biggie, your app no longer can sign them in unless they give you permission that you requested.

Your privacy policy should cover what you do with such a user's data, maybe keep for x amount of months / years depending on where your user lives or if you want to conform to GDPR (depending on the country of your user some laws are tighter than others).

Redo, in this case is to get the user back in the system? well they need to give you access to their google account then google should do the rest for you so if you got it all setup,

  1. a user signs in with google if they are not signed in
  2. gives permission to their account data with x scopes
  3. gets redirected to your app's redirect url
  4. user uses the app for a bit then revokes access (from their google settings or anywhere they can access their google apps),
  5. user gets logged off (google will notify you the next time you try to verify your user / refresh token)
  6. on the next login the user goes back to step 1

What if I don't prepare it?

No idea, I ain't a lawyer, but I would have basic privacy settings in place, especially if it is a commercial app; get yourself a copy and paste that covers your a$$.

Can someone delete the app?

Issue 1: Yes, someone can revoke the access your app has to their data; as mentioned earlier, it just means they can no longer log in and would need to give back access.

Issue 2: Just in case, please don't store any connection strings that have access to all your data / functionality to nuke your data in the front end, i.e. in js. If you do, please have scoped access, i.e. limit said access. Anything that can be compromised or is hard to trust with users, put it in a server; it is easier to trust your own systems than a stranger.

If you are dealing with issue 1 then no problem!

If you somehow left a connection string in your front end that exposes your data and run into issue 2.

Long live the queen. You got pawned.

Hope that helps 😀
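
A build-time check for Issue 2 in the reply above, as an added example that is not part of the original thread: it scans front-end JavaScript for connection strings with embedded credentials and for service-account key material. The rule set, `scanBundle`, `redact` and every sample value are constructed for illustration.

```javascript
// Added example (not from the thread): scan front-end JavaScript for credentials
// that must stay on a server. All sample values below are constructed.
const RULES = [
  // URI with inline user:password, e.g. a database connection string
  { id: 'connection-string', re: /\b[a-z][a-z0-9+.-]*:\/\/[^\s:@\/'"]+:[^\s@\/'"]+@[^\s'"]+/gi },
  // PEM private key, as found in a service-account JSON file
  { id: 'private-key', re: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/g },
  // Marker field of a service-account credential file
  { id: 'service-account', re: /["']?type["']?\s*:\s*["']service_account["']/g },
];

// Keep scheme and host, hide the credentials, so the report itself is safe to log.
function redact(match) {
  return match.replace(/:\/\/[^@]+@/, '://<redacted>@').slice(0, 60);
}

// Returns one finding per rule match, with a 1-based line number.
function scanBundle(source) {
  const found = [];
  source.split('\n').forEach((line, i) => {
    for (const { id, re } of RULES) {
      for (const m of line.matchAll(re)) {
        found.push({ rule: id, line: i + 1, evidence: redact(m[0]) });
      }
    }
  });
  return found;
}

// Constructed bundle: the Firebase web config is meant to ship to the browser and
// is not flagged; the admin connection string and the key material are.
const SAMPLE_BUNDLE = [
  'const firebaseConfig = { apiKey: "AIzaSyEXAMPLE-constructed", projectId: "demo-app" };',
  'const db = connect("mongodb://admin:S3cretPass@db.example.invalid:27017/prod");',
  'const sa = { "type": "service_account", "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIE..." };',
  'fetch("https://api.example.invalid/nicknames");',
].join('\n');

const findings = scanBundle(SAMPLE_BUNDLE);
for (const f of findings) console.log(`${f.rule} line ${f.line}: ${f.evidence}`);
// In CI, fail the build when anything is found:
// process.exitCode = findings.length ? 1 : 0;
```

A clean scan only shows that nothing matched these three patterns; access to the data still has to be scoped on the server side.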
 
@Daemon

I am from Poland. Should I prepare terms&conditions, privacy policy, and GDPR in Polish, English, or both? I'd like to publish our app on producthunt and indiehackers.

And what if we don't have an LTD?
 
You will need them even without an LLC; you need to be clear about how you process data / privacy. Terms and conditions protect you regardless of having a fully set up company, since they will limit fallout from users, essentially legally limited liability, i.e. Facebook does not take responsibility for hate speech.

English or Polish depends on your users.

LLC is the next step to protect yourself further.

Of course I ain't a lawyer, so please protect yourself from legal fallout; speak to a lawyer in your country if you need clarification.
 
