This quote by Duo's Dug Song is a perfect starting point for thinking about user privacy and security.
"There are basically three areas that folks should start considering how to bucket those risks. The first is corporate risk in defending your users and applications they access. The second is application security and product risk. A third area is is around production, security and making sure that the operation of your security program is something that keeps up with that risk. And then a fourth — a new and emerging space — is trust, and not just privacy, but also safety." – Dug Song
One of the hardest things to approach when developing software is having clear definitions of what data you need to collect and figuring out how to responsibly manage and discard this data after it serves the intended purpose and just that purpose. It's real easy to say "yea just collect all that, we might need it for something."
I'd like this piece to be both an exploration of how you should think about your startup's data privacy.
Empathizing with the fact that you're dealing with another persons' information, and understanding, it's your responsibility to do the right thing by them even when they aren't looking is how you should always see it.
The most important thing to understand is that you're dealing with a user's data, their data! Not yours.
Now I fully know some clauses exist to limit liability and allow for things like the sale of a company and promotional advertising. Some of these things (within specific contexts) are simply necessary to stay competitive. These open clauses have unfortunately become the de facto standard across startups, and while no sensible lawyer would recommend that you get rid of them, all these legalese also let you stretch the way you use personal data in many ways.
It's time to lead by example, and it'll work in your favor. When the industry leaders and startups alike have attracted a bad rep for being ruthlessly profit-hungry and willing to sell anything to keep the line moving up and to the left, we, the new founders, should be the change.
In my opinion, that's pretty simple; build solutions that create value in themselves. Then charge your users a fair dollar amount for your services. Don't even dip your toes in the murky waters, hoping to bait people with freemium and sell their data out the other end. It's just bad business. You're better off taking a stand and doing things differently.
If you're always worried thinking about security and protecting the privacy of everyone using your product, then I think you're doing it right. If you don't genuinely care about it, it'll rarely get prioritized.