What Is GDPR and Does It Apply to My App?

GDPR is the UK and EU data protection law that governs how businesses collect, store, and use personal data. If you run any kind of app, website, or digital product, there's a good chance it applies to you.

Here's what you actually need to know.

What is GDPR?

GDPR stands for General Data Protection Regulation. It came into force in the EU in 2018 and was adopted into UK law (as UK GDPR) after Brexit. The two versions are nearly identical.

It gives individuals rights over their personal data and places obligations on the businesses that collect it.

Does it apply to my app?

GDPR applies if:

  • You collect, store, or process personal data from people in the UK or EU
  • And you're established in the UK or EU — or you offer goods/services to UK/EU residents, or you monitor their behaviour

Personal data means any information that can identify a living person: names, email addresses, IP addresses, location data, device identifiers, or any combination that could single someone out.

So if your app has user accounts, collects emails, tracks usage, or uses analytics — GDPR applies.

Does it apply if I'm a small business?

Yes. GDPR has no minimum size threshold. A solo founder with 100 users is subject to the same principles as a corporation with millions.

The practical difference is enforcement priority and the amount of documentation required. Businesses with fewer than 250 employees are exempt from some record-keeping requirements — but the core obligations (lawful basis for processing, privacy policy, user rights) apply to everyone.

Does it apply if my users are in the US?

If your product is available to UK and EU users and you have any such users, GDPR applies to the data you hold on them, regardless of where you're based.

If you're UK/EU-based and your users are exclusively in the US, UK GDPR technically doesn't apply to those users. But practically, most products serve a mixed audience and both GDPR and US state privacy laws (like California's CCPA) become relevant.

The six principles of GDPR

These govern how you must handle personal data:

1. Lawfulness, fairness, transparency — users know what you collect and why
2. Purpose limitation — data collected for one purpose can't be used for another without consent
3. Data minimisation — only collect what you actually need
4. Accuracy — keep data correct and up to date
5. Storage limitation — don't keep data longer than necessary
6. Integrity and confidentiality — protect data from breaches

What you need to do

For most small apps and websites, GDPR compliance comes down to:

A privacy policy — telling users what you collect, why, who you share it with, and how they can exercise their rights. This is the most important document.

A lawful basis for processing — usually consent (for marketing) or legitimate interests (for analytics/operations). You need to know which one you're relying on for each type of data.

A way for users to exercise their rights — access, deletion, correction. This can be as simple as an email address in your privacy policy.

Cookie consent — for non-essential tracking tools.

What are user rights under GDPR?

Users have the right to:

  • Access — request a copy of their data
  • Erasure — request deletion ("right to be forgotten")
  • Rectification — correct inaccurate data
  • Portability — receive their data in a usable format
  • Object — opt out of certain types of processing (e.g. direct marketing)
  • Restriction — limit how you use their data

Your privacy policy should tell users how to exercise these rights and you should respond within 30 days.

Generate your GDPR-compliant privacy policy

Need this document for your business? InkTerms generates it in minutes — tailored to your answers, in plain English.