Until they start saving PII that is not necessary for their core business relationship with the user.
If your app is literally about self-quantification and the user pays you to collect that data and keep it private? You might not even need to state it anywhere, although the safe thing is of course to list all the ways you do or do not collect data.
If your app is about self-quantification and you monetize by selling user data or its aggregates... GDPR. If you use a third-party data provider instead of hosting the data yourself: GDPR etc. Because user data might not be important to you, but it is to your users, so you probably shouldn't be allowed to YOLO handling it.
> you probably shouldn't be allowed to YOLO handling it
Exactly. If a company doesn't care enough about its users to even tell them what they are doing with their data (or in some cases even know what they are doing with it) then the user can't expect that company to secure it or to provide a valuable service with it.