MyAccountYo | 1 year ago
* It's complicated, so it takes a while and you need lawyers and such to make it right.
* Rules for training are probably hugely vague and undefined, because you could ingest personal data and it cannot be deleted.
* AFAIK it needs to be hosted in Europe (not directly GDPR related, but America has laws that allow them to spy on all traffic in the US, so this is somewhat the counter to that).
In the end from my experience just working at a company that needs to be compliant this usually means:
* All the services need to be hosted in the EU, including 3rd parties we send any data to.
* There needs to be a way (email is enough) to delete user data (including from 3rd parties, which need an endpoint so you can trigger it from your side).
* You need to inform the user about the data usage and allow them to opt out of the "usage" of this data for non-essential things (i.e., marketing emails). This does not mean you cannot save this data if you also use it for other things, but you cannot use it for the non-essential case.
* You could be in trouble if you save data "just because" and do not use it for anything essential, or if it is not transparent to the user.
Not a lawyer. Just the things I notice in my day to day. In the end companies need data protection professionals to navigate these things, which is probably another thing a startup does not worry about early on.