On 2018-03-07 16:34, Sönke Ludwig wrote:

Not sure about what actually applies, since this is non-commercial, but
I've switched to HTTPS-only now to get a feeling for the performance and
stability/connectivity implications.

Storing the login-related data should hopefully still be allowed without
explicit consent of the user, even if the commercial rules apply, since
they are required for the basic operation of the site. We may still
require a proper privacy statement, though...

  • You should only request data from the user that is actually required
    for the functionality
  • You need to provide a way for the user to remove all data stored
    related to the user

And a whole bunch of other things I can't remember right now.

/Jacob Carlborg