No. The GDPR just says that you've got to care about user data. If your startup can only survive by selling out user privacy, then perhaps it doesn't deserve to exist.