To my understanding, they would still be GDPR-compliant if they delete your data upon receiving an email that you would like to exercise this right under GDPR, even if they don't automate that process, but IANAL. Perhaps someone can confirm whether this has in fact worked for them in the past.
There is no requirement to automate GDPR requests.
However, all organisations must be able to handle GDPR requests via any communication channel. E.g., they need to treat a data deletion request sent via Twitter DM as a valid request if they have an official Twitter presence.
It is insufficient to require the customer fill out a special web form.
IANAL but I don't think it matters whether the purpose of collection is specifically to facilitate paid features. From the European Commission:
> The GDPR applies to:
> [...]
> 2. a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.
Assuming account names or the content of comments constitute personal data within GDPR, I think YCombinator falls into this group.
Edit: I forgot HN collects an optional email address too, which is definitely personal data.
The GDPR applies to the data of people residing in the EU. The location and profitability of the organization collecting the data isn’t a factor. (Though it may introduce questions of enforcement.)