Ask HN: GDPR for solo founder

I don't know either, and this is not legal advice. The regulations[0] are actually pretty clearly written, and not actually that long. Make yourself a good coffee, and read them in a few sittings, thinking about your specific context, and taking notes.

My understanding, based on my reading and your comment, is as follows:

* You are retaining personal information - this requires consent.

* If you do something with the information you have, it requires consent.

* If you don't do anything with the information, and you are not legally obliged to retain it, you should delete it.

* When an individual asks, you must be able to tell them everything you hold on them, and where you got consent.

* When an individual asks you to delete their data, you must be able to do it within a short time-span (unless legally obliged to retain it).

* Consent can be implicit - for example if someone signs up for a service.

* You absolutely need a statement saying what information you hold, and what you do with it.

* If you can't say when, where, and how someone gave consent, you should seek to obtain explicit consent with an "opt-in" email.

Some of the above will probably be wrong, but I don't think anything is very wrong.

[0] https://gdpr-info.eu/

Stop accepting EU currencies and don’t offer any locally translated content. GDPR doesn’t actually apply to all businesses worldwide. It applies to those that are directly targeted to EU residents. Some of the things that can make you subject to the GDPR include having a European domain extension (eg. .de or .co.uk), offering content that is translated to languages commonly spoken only in the EU, and accepting payments or listing prices in EU currencies.

If you are based outside the EU and do none of these things, GDPR generally does not apply to your business.