diff --git a/GDPR.txt b/GDPR.txt
new file mode 100644
index 0000000000000000000000000000000000000000..9cce01c3d5dcc9b2ba1cbfdfe1d230ae92f2352f
--- /dev/null
+++ b/GDPR.txt
@@ -0,0 +1,48 @@
+# This file lists processing purposes and the personal data gathered by
+# Castopod.
+# It is intended for hosting providers who want to provide a service
+# based on Castopod, helping them to comply with GDPR requirements. Note
+# that the services powered by Castopod may collect more data, HTTP logs
+# in particular. As a hosting provider, you must inform your users of their
+# rights and how their data are used and protected.
+
+purpose: Connect users to their accounts
+lawfulness: legitimate interest
+
+data: username
+required: yes
+visibility: authenticated users
+description:
+    The username is used to identify users during the login process.
+    The username is only required for users accessing the admin area.
+mitigation:
+    The username does not have to be a real or known identity.
+
+data: user e-mail address
+required: yes
+visibility: administrators
+description:
+    The e-mail address is used for administrative purposes, to identify users
+    during the login process and in case of forgotten password.
+
+data: password
+required: yes
+visibility: private
+description:
+    The password is used to check the identity of users during the login
+    process.
+mitigation:
+    Only hashes (using the Argon2 key derivation function) of the passwords
+    are stored in the database (but they transit over the network).
+
+purpose: Claim ownership of a podcast
+lawfulness: legitimate interest
+
+data: Podcast e-mail address
+required: yes
+visibility: public
+description:
+    The podcast e-mail address is used to claim podcast ownership on other
+    platforms (such as Apple Podcasts).
+mitigation:
+    The e-mail can be generic.