I don't have any bad intentions... but you know.... most feels like it's needed.

You should have some basic "terms & privacy" policies. You can start with free options in: - https://termsfeed.com/ - https://termly.io/ - https://getterms.io/ In case you need some 'complex' or 'delicate' stuff from your users, you can update those policies (paying a '1' time fee) and update it. Plus having your policies served on other servers is a good choice in case something go wrong from your side. As @wojciechgabrys says "Go through the legal docs of your competitors/similar sites and come up with something similar." and you should be 'OK'. Plus some services like 'termsfeed' can help you set up a privacy policy for the incoming GDPR on May 25.

Any resources in this area?

Yes, I do think there are security implications as email clients aren't designed with this in mind. For example, when you have push notifications enabled on your phone someone could potentially get your secret link. That's an example that could be easily mitigated (include the link further down in the email so it will never show up in the notification preview), but it goes to show there are non-obvious concerns. Having said that, Slack uses this approach. So it might not be that bad when implemented correctly. (e.g. make them one-time use, expire them after a few minutes, etc) **Edit:** I just realised password reset emails are quite similar in nature 🤔. So if you were planning on having password reset emails, then you might as well use the magic link approach instead.

There are 58 days left until the EU General Data Protection Regulation enforcement starts. Beneath that i am generally interested in rising the security of our web apps/sites.

Here are the resources I've been using as guidelines for changes I'm making to my app: . https://www.process.st/gdpr-compliance/ . https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/ . https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ . https://www.whitecase.com/publications/article/gdpr-handbook-unlocking-eu-general-data-protection-regulation . . I've been finding it especially helpful to read posts from other major apps describing steps they're taking to ready for GDPR. . For example: . https://postmarkapp.com/blog/gdpr-get-ready . https://www.jitbit.com/helpdesk/gdpr/ . https://docs.intercom.com/pricing-privacy-and-terms/data-protection/how-were-preparing-for-gdpr . http://recapture.io/gdpr . http://www.christophengelhardt.com/aleth-gueguen-gdpr-talk-recap-femtoconf-2018/