Privacy-by-Design sounded perfect… until it wasn't.
When building SecureSpells, I made a very intentional early decision: I didn’t want to store any readable personal data.
No names. No plain emails. No passwords. Etc.
Everything was built around strict Privacy-by-Design principles.
We implemented:
OAuth login only (no local password storage)
Emails encrypted and hashed
Database containing anonymous identifiers only
Zero personal profiles stored
From a security and compliance perspective, it felt like the “right” decision. Lead by example, right?
Until I started talking to potential investors.
One of the first questions everyone asked was: “Who are your users?” And I didn’t have a good answer.
Because of my architecture, I couldn’t tell:
Are they founders or employees?
Are they web agencies or small businesses?
Are they high-intent customers or just curious visitors?
I had usage numbers, but zero user understanding. I had built something so privacy-respecting that I blinded myself to basic product-market fit insights.
Now I’m re-thinking where the balance lies between:
Absolute Privacy
Product Analytics
Building something people understand and trust
I’m curious how other founders here handle this.
Have you ever intentionally avoided collecting user data?
Did it help your brand, or did it end up hurting your product growth?
Let’s discuss. 👇

