Comment by eipi10_hn

GDPR is not just for business that "sells data". Like the above said, you would need a GDPR expert consultant to go through your whole process. It will also correlate to your country's law, not something "you can do what you think it's true".

You can check Mullvad's privacy policy to see how they are handling GDPR. It's not written in "corporate words" and is very clear to me. For example, they don't even need email address to sign up but once payment comes to the table, GDPR comes - depending on which method of payment, regardless of how you insist on "no data collect": https://mullvad.net/en/help/no-logging-data-policy

The correct thing to do is transparenting that process with your legal/GDPR person.