For a small project, I would simply ignore the GDPR. The likelihood of getting fined for a tiny project is too small vs. killing it by overcomplicating it.
Where I can, I'll sidestep GDPR (and CCPA and Australian Privacy Act and whatever) problems by explicitly avoiding collecting data that might fall foul of that.
Make "user accounts" effectively anonymous. Don't collect email addresses or phone numbers or names. Just use cookies with GUIDs or autogenerated usernames like the default Reddit ones (without allowing people to put their own name or other PII in). Maybe let the user keep refreshing until they get a random username they don't hate, but it'll end up being something like "Abrasive-teapot-86" and never $walletName or $emailAddress. If you need to let people move accounts between devices/browsers, let them grab their GUID and call it "secret account key" and tell them never to share it. Also let them know there's no such thing as "resetting their password" and to store that secret account key if they want to be able to recover a "lost" account.
You can't _always_ get away with that. But if you can, it saves a lot of headaches.
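
An added example, not part of the original comment, sketching the anonymous-account scheme described above: server-chosen usernames, a random "secret account key" as the only credential, and no reset path. The word lists, the `AccountStore` class, the use of a 128-bit key from `secrets` in place of a GUID, and keeping only a SHA-256 digest of the key server-side are assumptions of this sketch.

```python
import hashlib
import secrets

# Constructed word lists; a real deployment would use much larger ones.
ADJECTIVES = ["Abrasive", "Quiet", "Rapid", "Mellow", "Brisk", "Dusty"]
NOUNS = ["teapot", "lantern", "walrus", "compass", "pebble", "anvil"]


def random_username():
    """Server-chosen display name; the user can only re-roll, never type one in."""
    return "{}-{}-{}".format(secrets.choice(ADJECTIVES),
                             secrets.choice(NOUNS),
                             secrets.randbelow(100))


def _key_digest(secret_key):
    # Assumption: the key is 128 random bits, so an unsalted SHA-256 digest
    # is not guessable offline the way a hashed human password would be.
    return hashlib.sha256(secret_key.encode("utf-8")).hexdigest()


class AccountStore:
    """In-memory stand-in for the accounts table: key digest -> username."""

    def __init__(self):
        self._by_digest = {}

    def create(self):
        """Create an account. The key is returned once and never stored."""
        secret_key = secrets.token_hex(16)  # shown to the user to save
        username = random_username()
        self._by_digest[_key_digest(secret_key)] = username
        return username, secret_key

    def reroll_username(self, secret_key):
        """Let the user refresh until they get a name they don't hate."""
        digest = _key_digest(secret_key)
        if digest not in self._by_digest:
            return None
        self._by_digest[digest] = random_username()
        return self._by_digest[digest]

    def login(self, secret_key):
        """New device or browser: the key is the only credential."""
        return self._by_digest.get(_key_digest(secret_key))
```

The store holds no email address, phone number, name or user-typed text, and a lost key means a lost account, which is the trade-off the comment describes.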