Ensure we regularly expunge non-persistent user data for GDRP

Basically, we need to not store anything that is unnecessary, including IP addresses and locations. Perhaps we just clear them out regularly. Persistent data will be ok, stuff users explicitly agree to give us.

https://www.smashingmagazine.com/2018/02/gdpr-for-web-developers/
