Ask HN: Co-founder wants to leave messaging startup because of GDPR

We are a building a messaging platform ina specific vertical which allows users to exchange text/photo and voice messages. We have hired a lawyer to write a privacy policy and terms of use but they have not been updated for GDPR yet. However, my (technical) co-founder thinks we are leaving ourselves open to litigation because of how are system is designed. When a message is deleted, only the user's access to the message is deleted. The message is preserved until all recipients have deleted it at which time the full contents of the message are permanently deleted. This was done for efficiency, otherwise we would need to keep a full copy of each message for each recipient. To me this isn't much different from email: when you delete an email you only delete your copy, not other people's. We are about a month from launch (we have both been working on it part time for 6 months) but my co-founder is having second thoughts. He doesn't want to spend the time and money