Wow, thank you very much for this detailed response, this is really helpful. I'll try to answer some of the questions you raised and will update the documentation as well:

Admin interface
It's available for all packages. Looking at the pricing page now I feel like a fool :)

Kickstarter
Got it, I'll try to rephrase the copy to better relay that.

Token expiry
Yes, this is not documented at all. The token is generated when you sign up and is valid until revoked / regenerated from the admin (by you).

Customer and data protection laws
The service stores passwords hashed (bcrypt); emails, forms and documents are not encrypted or anonymized at this point. The service is GDPR compliant in the sense that you can delete your data fully. I need to look into the CCPA.

User deletion request
The service is more like a database in this sense: the other entities are not linked to a user but to an account. The developer has to orchestrate the deletion of files which belong to a user.

Securing passwords
The passwords are stored as hashes, hashed by bcrypt, so I can't see the passwords. I see your concerns and they are valid, I need to look into other options.

Missing error responses
This can be documented more for sure.

Summary
I understand where you are coming from. I should make it more clear that if someone self-hosts:
- they can have an encrypted database so they are compliant with GDPR, CCPA
- they can store files/images locally
- they have the admin interface to manage all entities