How to conceive customized applications without storing users data ?

by Andrei Sambra


A bit of personal history...

Status quo?


(centralization is bad)

Governments abuse their power leading to mass surveillance

One stop shop for hackers

143 million accounts

87 million accounts

Can't prevent good companies being acquired by "bad" ones, and the other way around

Solution: decentralize





Far from a perfect solution...



(always think about the user experience)

Is technology alone sufficient?




(as of 25 May 2018)

GDPR  "do's"

(TL;DR for developers)

  • Right to be forgotten (delete)
    • also notify 3rd parties of erasure
  • Restrict processing (data not visible to staff, or even publicly)
  • Data portability (art. 20)
    • export human-readable version
    • export machine-readable version
    • APIs (when possible!)
  • All user data must always editable by the user
  • Request user consent for processing their data (opt-in)
  • Data retention (delete data after processing)
  • Encrypt everything (in transit, at rest, backups)
  • Keep a record of all activities where you use personal data
  • Age checks (wishful thinking)

GDPR  "don't's"

(TL;DR for developers)

  • Don't use data for purposes that then ones agreed by the user
  • Don't log personal data (IDs are sufficient)
  • Don't use forms with more fields than necessary
  • Don't rely on 3rd parties being compliant (exercise due diligence)

GDPR is just the begining.


(We need "online" seat belts)

What options do we have today?

Build centralized services


(much more difficult to guarantee GDPR compliance)

Build decentralized services

And the answer that everyone is waiting for...

Let’s use the Blockchain


Use the Web as is, but decouple everything



App (UI)

Why decouple?

We can avoid tech debt by staying up to date with respect to a fast-paced technical evolution

Why decouple?

It allows App developers to focus on what they like the most (building a user experience through UI/UX)


Why decouple?

..while removing a lot of headaches most developers face


  • how to deal with identity management (email) ?
  • how to securely store user data ?
  • how can I ensure my users' privacy ?
  • how can I be GDPR-compliant overall (at least in EU) ?

Our approach at Qwant...

  • client-side, peer-to-peer data management
  • app data is stored encrypted on the user's devices
  • offline-first user experience
  • applications need to be authorized to access storage
  • encrypted data is synced in real time using PFS
  • all code is open sourced (MIT), including the sync service
  • optional backup (coming soon™)


Shifting and balancing responsibility

Image credit -


Decentralized governance

Decentralized technology


Andrei Sambra - @andreisambra

(all uncredited images in this presentation come from Wikimedia)

Made with