[jdminhbg]

Until you are big enough to have lawyers look over everything for you, I think the only reasonable course of action is to exclude EU nationals from your service. There are a lot of armchair HN lawyers (including in this thread) who will say "just don't track, it's easy," but what the word "track" means to a normal person and what it means to GDPR enforcement are not the same. As a market, it's not worth the risk until it's worth the legal advice.

[mokash]

> As a market, it's not worth the risk until it's worth the legal advice.

i think that is a calculation only op can make. the european union covers over 400 million people. making some early design decisions in what data you collect, how you store it, for a lot of people is an acceptable cost to open up to such a large quantity of people.

in fact, it think advising a founder that is bootstrapping their business that the only "reasonable" course of action is to exclude large swathes of the developed world is frankly, misguided.

[erik_seaberg]

Design decisions don’t make you compliant, you have to hire experts whose job is to convince regulators you are remaining compliant over time.

[jdminhbg]

> making some early design decisions in what data you collect, how you store it

This is exactly the kind of thing I'm talking about. "How you store it" very well may include "on any cloud server owned by a US company," including AWS, Google, and Azure. That's a pretty big issue for a solo founder with no legal advice beyond GDPR wishcasting on HN.