First thing first, Intuit Link is not and has not been updated to be GDPR compliant, AFAIK.  Neither are most Intuit websites, except for those that are designed for EU customers where there would be an option for "Manage Cookies".  This means your client's IP address along, other identifiable data, and various classes of cookies are tracked by default and there is no option to change any of that.

In terms of record retention, Article 5(e) of GDPR does allow you to retain the data for a period necessary, which in this case, should mean the period necessary to comply with Circular 230 and IRC regulations' record-retention requirements.

Intuit Link is, in theory, designed to be compliant with US laws.  However, it is not designed to be your DMS, which means you should treat that only as client portal for data collection and download all messages/documents offline as soon as practical.  After all, you do lose access to Link once you no long has a current year subscription regardless of whether Intuit decides to archive/delete prior year data.

Furthermore, it is not clear that Intuit actually has a stipulated policy that tells you when they actually delete data/documents saved on Intuit Link: https://accountants-community.intuit.com/questions/1637941-how-long-will-client-documents-remain-on-...

In Link, you do have the option to delete documents but you won't be able to delete messages traded with your clients, whether they originate from you or your clients.

There are also questions about breach notifications, which must be reported within 72 hours pursuant to GDPR.  I have no doubt that Intuit takes data and internet security very very seriously.  Nevertheless, history has shown that US companies are often very late in disclosing breaches and you may not be able to count on meeting the 72-hour requirement.

All in all, you should consider whether Intuit Link is the right tool for you or switch to other EU-based solutions (e.g. client portal or DMS), in light of various GDPR compliance concerns.