On 2018-03-07 16:34, Sönke Ludwig wrote:
Not sure about what actually applies, since this is non-commercial, but
I've switched to HTTPS-only now to get a feeling for the performance and
Storing the login-related data should hopefully still be allowed without
explicit consent of the user, even if the commercial rules apply, since
they are required for the basic operation of the site. We may still
require a proper privacy statement, though...
You should only request data from the user that is actually required
for the functionality.
You need to provide a way for the user to remove all data stored
related to the user.
And a whole bunch of other things I can't remember right now.