GDPR and requiring consent banners
The intent of the GDPR is to protect the privacy of EU citizens, and we agree with that (our whole software product is built around accomplishing this goal). We have a lawful basis for the processing we do, and we run privacy risk assessments whenever we need to make a significant change (e.g. when we had to enable basic, heavily redacted IP access logs after we were DDoS attacked). We go into considerable detail on this on our Data journey page, but some key pieces for GDPR are as follows:

- We process personal data (IP address and User-Agent) on your behalf.
- We keep pseudo-anonymized data for around 48 hours. After that, the hash salts (explained here) are removed from our system, and there’s no reasonable way for anybody to brute force them.
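
The salt removal described above, sketched as an added example (not the product's own code). It assumes HMAC-SHA256 as the keyed hash and a daily salt rotation, neither of which this page specifies; the class, its methods and the sample values are hypothetical.

```python
import hashlib
import hmac
import secrets

RETENTION_SECONDS = 48 * 3600  # "around 48 hours", from the page
ROTATION_SECONDS = 24 * 3600   # assumption: a fresh salt every day


class SaltStore:
    """Holds one random salt per rotation period and deletes old ones."""

    def __init__(self):
        self._salts = {}  # period index -> 32 random bytes

    def salt_for(self, now):
        period = int(now // ROTATION_SECONDS)
        return self._salts.setdefault(period, secrets.token_bytes(32))

    def visitor_id(self, ip, user_agent, now):
        """Keyed hash of IP and User-Agent; only this digest is stored."""
        msg = ip.encode() + b"\x00" + user_agent.encode()
        return hmac.new(self.salt_for(now), msg, hashlib.sha256).hexdigest()

    def purge(self, now):
        """Delete salts created more than RETENTION_SECONDS ago."""
        expired = [p for p in self._salts
                   if p * ROTATION_SECONDS + RETENTION_SECONDS <= now]
        for p in expired:
            del self._salts[p]
        return len(expired)

    def can_recompute(self, period):
        """True while the salt needed to re-derive that period's IDs exists."""
        return period in self._salts


if __name__ == "__main__":
    # Constructed sample values (documentation IP range, made-up User-Agent).
    store = SaltStore()
    first = store.visitor_id("203.0.113.7", "ExampleUA/1.0", now=1000)
    store.purge(now=RETENTION_SECONDS)
    later = store.visitor_id("203.0.113.7", "ExampleUA/1.0", now=RETENTION_SECONDS)
    print(first != later, store.can_recompute(0))
```

Once a period's salt is purged, stored digests from that period can no longer be re-derived from a candidate IP and User-Agent, and the same visitor hashes to an unrelated value under the next salt.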