What I'd really like to see is more honesty: "we store X because feature Y needs it, here's the risk we're accepting," instead of pretending every service needs emails, analytics, and cookies by default

> I don’t understand why any company would want the liability of holding on to any personal data if it wasn’t vital to the operations of the business, considering all the data breaches we’ve seen over the past decade or so.

They're OK with the liability exactly because of this very sentence. As you said, there's so many data breaches... so where are the company-ending fines and managers/execs going to prison?

Infra engineer here. The obvious reasons for needing the data is debugging. I collect logs, metrics, traces, and errors from everywhere, including clients. All of these come with identifying information including the associated user. From the perspective of this thread this is a huge amount of data although it's pretty modest compared to the wider industry.

This data is the tool we have to identify and fix bugs. It is considered a failing on our end if a user has to report an issue to us. Mullvad is in an ideal situation to not need this data because their customers are technical, identical, and stateless.

It's not my department but I think we would get laughed out of the room if we told our users that we couldn't do password resets or support SSO let alone the whole forgetting your 'credential' means losing all your data thing.

>Any business that isn’t willing to be as anonymous as Mullvad, I assume has a compromised business model that I don’t really like

Well, that's like 99% of the businesses out there. Mind listing of some of the businesses you like aside from obvious mullvad?