seconding this, it would be useful to know exactly what is being stored and especially what's shared with other instances
Things that are stored and federated:
Things that are stored only on your instances database:
Things that are shard between instances but not federated:
I believe things like the modlog are also federated. So any comment or post that is removed by moderators or admins will be federated via the mod log.
Lemmy does not collect network information, geolocation data, device identification numbers, or any other demographic information.
This is what I understand after my own personal audit of the Lemmy code (Lemmy and Lemmy-UI). Others are welcome to perform their own audits of the code and confirm or clarify my understandings.
that sounds reasonable, thanks for the input 
One correction: private messages (if from one server to another) are also stored and federated, and the server admins of both servers can see them if they look in the database. That's why matrix should always be preferred for private messages.
All federated systems (email, matrix, the fediverse, etc) have these issues, to the point that you could consider them database replication systems (unless they have federation turned off).
The best security practice online is username / content anonymity: don't post any personally identifying information, and don't use a username that could identify you. The NSA could start an instance and start collecting content, but if all they have is a username and no identifying information, its useless.
That's fair, I guess I was thinking about federation in terms of communities when I wrote that. Federated in the grander context just means "these severs communicate with each other."
I didn't want someone to misconstrue what DM federation means, because I could see someone thinking it means their DMs are "synced" to other instances outside of the two instances communicating.
Regardless! Your last point is the most important. Treat systems you communicate with as suspect, even if they seem trustworthy.
looking into it
lol more seriously, we'll look at writing one but overall Lemmygrad doesn't collect anything beyond what is necessary for the site and federation to function, it runs the stock Lemmy code (which I know isn't saying much because I can't read that code like most everyone lol) without adding any additional tracking.
The only thing I could see being relevant (since Lemmygrad doesn't collect data) would be letting users know that Lemmy may still be missing some privacy features/have some existing privacy issues. This is a pretty big example.
I know out of the box Lemmy doesn't provide any real analytics like Google Analytics or anything similar.
Other then that, only your account actions are logged, which is necessary for the site/service to function.
It should be noted that the use of any native apps that are not FOSS in origin could offer your data up too the app vendor. Jerboa requires no permissions to install, and is maintained by one of the Lemmy devs. From what I can tell it also doesn't collect anything other than your account actions.
But that is separate from Lemmygrad.
I think what can be good is to know to what extend lemmy instances can follow through with users asking to apply GDPR rules like right to be forgotten, and to what extend lemmy instances naturally respect GDPR laws of any European countries
This is a community for Lemmygrad users and admins to discuss administrative issues in a more transparent manner