List what data you collect (email, phone, cookies) and why — processing without purpose is unlawful. Publish a plain-language privacy policy.
For EU residents you need a legal basis: consent, contract, or legitimate interest. Signup forms require an active checkbox, not a pre-ticked one.
Set up deletion and export on data-subject request. Maintain a processing record — even small teams reduce audit risk this way.