Re: Salt free
Do you store the user's data in a way which can be linked to a person?
If yes, you're subject to proper control of that data.
Whether it's a hash, an employee number, a photo, a fingerprint, or their favourite toilet paper, you have indicated that Fred Bloggs has this property X. And you're storing both the name and property X and transmitting it off-site.
Bang. Subject to DPA/GDPR (in the UK/EU), and similar laws elsewhere. That person has the right to review, authorise, request deletion, etc. any usage of that data.
(P.S. Even if you anonymise entirely, you still need permission to store and use for given purposes. Otherwise, literally, I could take your work photo... spread it around the Internet and use it for stock-photos without your permission. Or a picture of your fingerprint. Or a copy of your DNA. Or a picture of your house keys. Or anything. It's all the same.).