There’s two separate issues: jurisdiction and enforcement.
The EU assets jurisdiction based on the collection of personal data of individuals inside the EU. That doesn’t seem much of a stretch, frankly. They’ve decided to enact a measure to protect their own residents, from anyone who is collecting personal data.
The enforcement issue is a different one. How can they enforce that? Well, most of the big players, like Google and Facebook, are doing business in the EU. They have assets and a business presence there, and will have to comply with this provision or else be hit with regulatory fines.
There will of course be small players, like your board, who don’t do business there, but it’s not all about you! It’s the big operators who will be subject to the law, and also with a significant presence that will enable enforcement.
It’s also the smaller players in Europe, running the EU equivalent of your board. They will be required to have the ability to delete accounts.
And, I wouldn’t be surprised if subsequent versions of your board software develop the ability to delete an account, because that feature will be needed by boards run by Europeans in the EU. So passing this measure will influence the development of the software to allow greater privacy protections.
But as for long-arm jurisdiction generally - most nations assert it. uS citizens have to pay taxes on their income, even if they’ve never set foot in the US.
General Noriega discovered that he could be found guilty of breaking both US and French laws, and doing time in both countries’ fine penal institutions, without actually being in the US or France at the time of the offences. Then he was shipped to Panama to serve time for crimes committed in Panama.