Comment by freediver
7 months ago
You are correct, and my confidence at the time came from the fact that we are not in the business of selling user data, do not collect it or ever need it, so GDPR was not affecting us (in my mind).
I had no business discussing sophisticated policy matters on a public Discord, and yet I did it in good faith, open to learning something new, like it happened many times on our Discord. People do this all the time. The difference is when a CEO of a company does it, it has extra weight, and this is why CEOs usually do not discuss these things with users. Lesson learned.
GDPR is not just for businesses that "sell data". Like the above said, you would need a GDPR expert consultant to go through your whole process. It will also correlate to your country's law, not something "you can do what you think is true".
You can check Mullvad's privacy policy to see how they are handling GDPR. It's not written in "corporate words" and is very clear to me. For example, they don't even need an email address to sign up, but once payment comes to the table, GDPR comes - depending on which method of payment, regardless of how you insist on "no data collect": https://mullvad.net/en/help/no-logging-data-policy
The correct thing to do is to make that process transparent with your legal/GDPR person.