Out of curiosity, I decided to check your website with adblocker turned off. After rejecting (!) GDPR consent, the website decided to send my personal information to the following companies: Google, Facebook, Amazon, Ad Lightning, Setupad, UniConsent, Adagio, ID5, Criteo, Magnite, RTB House, Casale Media, EMX Digital, Adform, Pubmatic, Between Digital, Lijit Networks, AppNexus, 33Across, Adx Premium, Sharethrough, Smart Adserver, OpenX, BRealTime, bumlam.com (couldn't find information about owner of this domain), BidSwitch, Getintent, Yahoo, and more - at some point I gave up trying to figure out who owns given domain names.

The privacy policy which is quite hidden on the website (https://www.photopea.com/privacy.html) says nothing about that. All it says is the following:

> We use third party tracking tools to improve the performance and features of the Service (e.g. Google Analytics). Such tools are created and managed by parties outside our control. As such, we are not responsible for what information is actually captured by such third parties or how such third parties use and protect that information.

This won't fly under GDPR, just saying. Not only you are responsible for third party behavior, but you didn't even mention all tracking scripts that are directly used (I see Facebook Pixel Code right in the source code for photopea.com). You are in Czech Republic, right? I think it is in European Union.