GDPR issues

-- HikaShop version -- : HikaShop Business: 3.3.0
-- Joomla version -- : 3.8.5
-- PHP version -- : 7

Hi.
The GDPR will be enforced in 3 months from now and most of us who reside in the EU are trying to sort through the mess and get prepared.

I'd like to share 2 thoughts that came into my mind today and ask for assistance:

1. When a user completes an order, Hikashop sends an email about the creation of the order to both the buyer and the seller. Then, when the buyer completes the payment (e.g. on PayPal), another email about the completion of the order is sent to both parties.
Here's the GDPR-related issue: these unencrypted emails display the buyer's billing address. Some customers may get angry about it. My question is: is there a way to stop Hikashop from displaying the billing address in these emails?

2. The second concern is about the collection of the IP of non-registered users. When a user who hasn't logged in adds a product to the cart, Hikashop stores the user's IP. This is very different from collecting a buyer's IP: registered users or guest buyers have already agreed to our terms and conditions, which inform them about the collection and storage of the buyer IPs when they place their orders. But casual visitors who browse our product pages and try our shopping carts, have not given their consent about it. Is there a setting to turn off this feature?

Thank you.

Is it safe to remove this code from the order creation & order notification emails, to have the billing address removed from these emails?

<table class="w550" border="0" cellspacing="0" cellpadding="0" width="550" style="margin-top:10px;font-family: Arial, Helvetica, sans-serif;font-size:12px;line-height:18px;">
<tr>
<!--{IF:BILLING_ADDRESS}--><td style="color:#1c8faf !important;font-size:12px;font-weight:bold;">{TXT:BILLING_ADDRESS}</td><!--{ENDIF:BILLING_ADDRESS}-->
<!--{IF:SHIPPING}--><!--{IF:SHIPPING_ADDRESS}--><td style="color:#1c8faf !important;font-size:12px;font-weight:bold;">{TXT:SHIPPING_ADDRESS}</td><!--{ENDIF:SHIPPING_ADDRESS}--><!--{ENDIF:SHIPPING}-->
</tr>
<tr>
<!--{IF:BILLING_ADDRESS}--><td>{VAR:BILLING_ADDRESS}</td><!--{ENDIF:BILLING_ADDRESS}-->
<!--{IF:SHIPPING}--><!--{IF:SHIPPING_ADDRESS}--><td>{VAR:SHIPPING_ADDRESS}</td><!--{ENDIF:SHIPPING_ADDRESS}--><!--{ENDIF:SHIPPING}-->
</tr>
</table>

Thank you very much.

It's think it's worth adding a setting that stops Hikashop from logging the IPs of casual visitors.
I am quoting a section from this analysis: www.ctrl.blog/entry/gdpr-web-server-logs

You can’t collect and store any personal data without having obtained, and being able to document that you obtained, consent from the persons you’re collecting data from. You can, however, collect and store personal data as part of web servers logs for the purposes of detecting and preventing fraud and unauthorized access and maintaining the security of your systems.

Based on this analysis, it appears that access logs and server logs could, under certain circumstances, be considered legitimate.

If we disabled access logs (and error logs) on our servers, what would be the impact on Hikashop? Would Hikashop still be able to store the buyer's IP (which is a requirement in the EU Directive 2008/8/EC to those who sell digital goods)?

Similarly to the 2015 VAT changes, GDPR is a nightmare for small businesses, only in a much grander scale. Large corporations have the means to deal with the new requirements. Smaller fishes (like most of us who use Joomla and Hikashop) are going to have a tough time, while trying to adapt.