The GDPR conversation is hilarious. Sure they’re a US based company, but after 5 years of operation I would’ve expected them to have consulted a lawyer about this at some point. Forgetting (assuming it’s not “forgetting”) about the required documentation is not the worst thing in the world morally but it doesn’t exactly make them look competent either.