Does GDPR apply to me?
GDPR (and the near-identical UK GDPR) applies if you are established in the EU or UK, or if you offer
goods or services to people there or monitor their behaviour, regardless of where you're based. Being
reachable from Europe isn't the test on its own; accepting EU customers, pricing in euros, or running
analytics on EU visitors is. There's no "I'm too small" exemption. The good news: for a typical indie
product, compliance is a short, manageable list.
The core principles
GDPR is built on a few ideas:
- Lawful basis — you need a valid reason for each kind of processing, usually consent, a contract (delivering the service the user signed up for), or legitimate interest; consent must be freely given, specific, and as easy to withdraw as to give
- Data minimization — only collect what you actually need, and keep it only as long as you need it
- Transparency — tell people what you do with their data, in plain language
- User rights — let people access, correct, delete, and export their data, and object to processing you justify by legitimate interest
- Security — protect the data you hold with measures appropriate to the risk (TLS, hashed passwords, access control, backups), and be ready to report a breach to your supervisory authority within 72 hours of becoming aware of it
Your practical checklist
- Publish a privacy policy that accurately describes what you collect, why, and for how long
- Get opt-in consent for non-essential cookies with a cookie banner (analytics, ads); the consent requirement comes from the ePrivacy rules (PECR in the UK), but the standard for what counts as valid consent is GDPR's
- Offer a way to delete an account and the data attached to it, including what your sub-processors hold on your behalf
- List your sub-processors — the third-party services that touch user data — and sign each one's data processing agreement
- Use a lawful basis for marketing emails (usually explicit opt-in; a pre-ticked box doesn't count)
- Have a contact method for privacy requests, and answer them within one month
- Don't transfer data outside the EU or UK without a safeguard: an adequacy decision for the destination, or Standard Contractual Clauses in the provider's agreement
Cookie banners
You only need a consent banner for non-essential cookies. Strictly necessary cookies (like a login
session or a CSRF token) don't require consent, but analytics and advertising cookies do. Consent
means a real opt-in: no pre-ticked boxes, no "by continuing you agree", and the analytics or ad
script must not run until the user has actually accepted. The banner must let users reject as easily
as accept, with a reject button at the same level as the accept button rather than hidden behind a
settings link. Treat a missing or stale consent record as a refusal, and ask again if the categories
or vendors you use change.
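The gating logic behind such a banner, as an added example that is not code from PolicyGen or from the original page: consent is deny by default, strictly necessary cookies always pass, a malformed, outdated, or expired record counts as a refusal, and third-party scripts run only through the gate. The cookie name, the category names, the policy version, and the 180-day validity period are assumptions for illustration; the DOM and the banner UI are left out so the logic runs as-is in Node.

```javascript
// Added example, not code from the PolicyGen page: a deny-by-default consent
// gate for non-essential cookies. The cookie name, category names, policy
// version and 180-day validity period are assumptions for illustration.

const CONSENT_COOKIE = "cookie_consent";     // assumed cookie name
const POLICY_VERSION = 2;                    // bump when categories or vendors change
const NON_ESSENTIAL = ["analytics", "ads"];  // categories that require opt-in
const MAX_AGE_DAYS = 180;                    // assumed re-consent period

// Strictly necessary cookies never need consent; everything else needs an
// explicit true from a record that matches the current policy version.
// A missing, unknown, or outdated record is treated as a refusal.
function isAllowed(category, consent) {
  if (category === "necessary") return true;
  if (!NON_ESSENTIAL.includes(category)) return false;   // unknown category: refuse
  if (!consent || consent.version !== POLICY_VERSION) return false;
  return consent.choices[category] === true;
}

// Build the record for "Accept all", "Reject all" or "Save choices". Reject is
// the same one-click path as accept: the caller passes {} or all-false choices.
function buildConsent(choices, now = Date.now()) {
  const normalized = {};
  for (const c of NON_ESSENTIAL) normalized[c] = choices[c] === true;
  return { version: POLICY_VERSION, choices: normalized, timestamp: now };
}

// The stored cookie is client-controlled input; parse it defensively and
// return null for anything that is not a well-formed record.
function parseConsent(raw) {
  if (typeof raw !== "string") return null;
  let obj;
  try { obj = JSON.parse(raw); } catch (e) { return null; }
  if (!obj || typeof obj !== "object") return null;
  if (!Number.isInteger(obj.version) || !Number.isFinite(obj.timestamp)) return null;
  if (!obj.choices || typeof obj.choices !== "object") return null;
  return obj;
}

// Records older than the validity period are refused even if the version matches.
function isExpired(consent, now = Date.now()) {
  return now - consent.timestamp > MAX_AGE_DAYS * 24 * 60 * 60 * 1000;
}

// Value for document.cookie: bounded lifetime, SameSite=Lax, Secure (HTTPS assumed).
function serializeConsent(consent) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${MAX_AGE_DAYS * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Run each third-party loader only when its category is allowed. Returns the
// categories that actually loaded, so the caller can verify that nothing
// fired without consent.
function applyConsent(rawCookie, loaders, now = Date.now()) {
  const consent = parseConsent(rawCookie);
  const effective = consent && !isExpired(consent, now) ? consent : null;
  const loaded = [];
  for (const [category, load] of Object.entries(loaders)) {
    if (isAllowed(category, effective)) {
      load();
      loaded.push(category);
    }
  }
  return loaded;
}

// Usage with constructed input: a visitor who accepted analytics but not ads.
const accepted = buildConsent({ analytics: true });
const cookie = serializeConsent(accepted);
const rawValue = decodeURIComponent(cookie.split(";")[0].slice(CONSENT_COOKIE.length + 1));
console.log(applyConsent(rawValue, {
  analytics: () => console.log("loading analytics script"),
  ads: () => console.log("loading ad script"),
}));
```

Two design points matter more than the banner's looks: the analytics and ad loaders are only ever called from inside the gate, so a page that forgets the banner loads nothing rather than everything; and bumping the version constant invalidates every stored consent, which is what should happen when you add a vendor, since the user never agreed to that one.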
Common indie mistakes
- Copying a privacy policy from another site that doesn't match your actual data practices
- Loading Google Analytics (or any analytics script) before the user has consented, or without disclosing it in the privacy policy
- Forgetting that a mailing list needs explicit opt-in
- Having no way for users to delete their data
The bottom line
For most indie developers, GDPR comes down to: be honest about what you collect, give users
control, and write it down in a privacy policy. PolicyGen handles the "write it down" part with
the correct GDPR clauses based on your answers.