
Strange that it mentions CCPA but not GDPR. Is HackerNews GDPR compliant? What are they tracking/storing?


I'm guessing being a US organization they don't care about GDPR just as they don't care about adhering to Chinese internet standard laws.


If you serve EU customers, you have to comply with GDPR no matter the jurisdiction you are based in.

Unless you are prepared to completely sever business ties with Europe.


What business ties exist in this case? There's no product being sold nor any ads.


Y Combinator's main business is seeding thousands of private companies many of which do their business in Europe.


According to Article 3 of GDPR, it applies to processing if any of three conditions are met:

1. Processing that takes place in the context of processors and controllers that are in the Union, regardless of whether or not the processing itself takes place in the Union.

2. Processing the data of subjects who are in the Union by controllers or processors who are not in the Union if the processing is related to offering goods or services to such subjects in the Union or the processing is related to monitoring the behavior of such subjects that takes place in the Union.

3. Processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

If none of those cover an entity, that entity's processing is not covered by GDPR.

#2 would probably be the only relevant one for HN.

Is HN offering goods or services to subjects in the Union? Sure, people in the Union can access HN and even make accounts. But that might not be enough. One of the recitals for Article 3 elaborates:

> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

Does HN envisage offering services in the Union, or is it simply a site that happens to work when accessed from the Union but was not envisaged to do so?

Another recital elaborates on the monitoring of behavior of subjects in the Union:

> In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

HN seems to collect minimal data. It might not rise to the level of monitoring that would be needed to count as monitoring behaviour.


Collecting minimal data (or no data at all) is also a way of being 'GDPR compliant' :)



