I have a lot of thoughts on this one... am I lawyer - but still haven't worked out how to advise my clients. Your post was very enlightening for me - a Luddite ... who is trying to work out how to apply the GDPR and other laws to Telegram bots. Would be happy to have a skype call to brainstorm, if you like.
On the analytics side of the issue, I believe any bot should be safe as long as it produces aggregated data readable to humans. Internally, I'd hash user IDs which are probably the only possible way if linking a particular user to identifying information. Hear hashes user IDs would stay hashes if they need to hit permanent storage at some point.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.