[zdimension]

As I understand it, the moment you're processing someone's personally identifiable information, you're in the red zone, GDPR-wise. The users consented to publish their info on BlueSky, but not on OP's website.

I get the idea behind the GDPR and it's nice to protect consumers but I'm scared for hobby projects like this.

[jchw]

I think GDPR itself is a bit unclear here. Google Search still operates in Europe as far as I know even though it scrapes and indexes people's websites without explicit consent, and I suspect GDPR doesn't intend to make it illegal to do this. Could be wrong...

IANAL but at least in the U.S. I'm pretty sure publicly-available data is generally excluded from whatever protections do exist on PII. I'm not sure what, if anything, has been said about this in the EU.