Getting a copy of all tool calls and bash prompts by default without explicit opt-in is almost certainly against GDPR.

Good luck arguing this is legitimate interest.

Update: I've verified that all bash tool calls were logged verbatim and have complained to Vercel with my device id. I'm also writing to the relevant authorities.