[3np]

> Very true, it is not a good reason, we do this for now due to the security, users calendar, notes, and partner related information is truly personal, so for now it's much more secure.

...No?

"Much more secure" would be not saving anything on the server that doesn't need to go there in the first place (move things and logic to the client from the server - what value does the user get from uploading everything?)

Or if this is for syncing/backup purposes, at least encrypting data on the client before with a key only available to the client before uploading the encrypted data to the server (this sounds overkill and unnecessary for the goals of this app).

User data is a (in places legal) liability for you. Handling it properly will cost you time and money. Without extracting additional value ("selling") it, it is not in your interest to centralize it.

Simple rule of thumb: If you don't strictly require it to provide service to the user, don't strictly require it from the user. For optional functionality (email reminders, server-side push) requiring server-side to collect additional information, that information and functionality should also be opt-in. This is the gist of GDPR. As you note, many companies either (obliviously or not) flaunt it or employ dark patterns or legal chicanery to maliciously comply (courts are still out on the latter in many cases).