> legitimate interest - anything to make your application function.
Plus the data that you're required to retain by other laws. E.g. banks/financial institutions might be required to retain a lot of data for several years for audit and compliance purposes.
I figured the parent poster already covered that with
> If it's strictly necessary, e.g. logging in or legal obligation, you're fine and don't need to ask
