I’m not fully versed on GDPR but one idea is to not track the IP or other identifiable information. What purpose does the logs serve for you and do you need the identifiable information in it?

If you do need to retain this information then you could set some limits wherever they’re shipping to. I haven’t looked much locally, but typically the logs are “gone” after a deployment via kamal.