Is displaying email addresses in an application log file allowed under GDPR?

The goal of GDPR is to protect personally identifiable information (PII) as much as possible. The interactions of a specific user with your application are quite surely such PII.

If you really need to log this information, you should inform your users about this process, i.e. the purpose of the data collection, how long the information is stored and who gets access to the data. And you, and whoever you sell the application to, should never use the data for any purpose other than the one agreed to by the user. And of course you need to properly protect the information against misuse, i.e. use outside of the specified purpose. This specifically, but not only, includes the case where someone hacks into your application or server and steals this data.

Since use of the data is limited and protection (and fines) can be costly, it might be easier not to store this information in the first place. An alternative is to at least pseudonymize the PII as much as possible, i.e. in a way that the logged data are still usable for you but no association to a specific user can be made, even when having all the logged data. But since it is not really clear what you use these logs for, no recommendations can be made for a specific pseudonymization process.

Be aware, though, that simply replacing each unique email address with another unique identifier might not be a sufficient pseudonymization. Depending on the data you log, it might be possible to create user profiles and, based on specific traits in the profiles, associate these with real-world users. See the AOL search data leak for an example of how such a simple pseudonymization attempt went wrong.
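As an added illustration of one pseudonymization approach (not part of the answer above, which deliberately makes no specific recommendation), the following hypothetical `LogPseudonymizer` replaces email addresses with keyed-hash tokens using one random key per retention window: entries within a window stay linkable for troubleshooting, entries across windows do not, and deleting a window's key removes the ability to ever match its tokens against an address again. The sample log lines are constructed; the class, window scheme and token format are assumptions made for this example.

```python
import hashlib
import hmac
import re
import secrets
from datetime import date

# Constructed sample log lines (not from the original post).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z INFO login ok ip=203.0.113.7 user=alice@example.com",
    "2024-05-01T10:05:12Z WARN password reset requested for Alice@Example.com",
    "2024-06-01T09:00:00Z INFO login ok ip=198.51.100.2 user=alice@example.com",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class LogPseudonymizer:
    """Hypothetical helper: one random HMAC key per retention window."""

    def __init__(self, window_days: int = 7):
        self.window_days = window_days
        self._keys: dict[int, bytes] = {}  # window index -> random key

    @staticmethod
    def day_of(line: str) -> date:
        """Assumes an ISO-8601 timestamp prefix; falls back to today."""
        try:
            return date.fromisoformat(line[:10])
        except ValueError:
            return date.today()

    def _window(self, day: date) -> int:
        return day.toordinal() // self.window_days

    def _key(self, day: date) -> bytes:
        idx = self._window(day)
        if idx not in self._keys:
            self._keys[idx] = secrets.token_bytes(32)
        return self._keys[idx]

    def pseudonym(self, email: str, day: date) -> str:
        # Keyed hash, not a plain hash: without the key, nobody can confirm a
        # guessed address by hashing candidates and comparing against the log.
        mac = hmac.new(self._key(day), email.strip().lower().encode(), hashlib.sha256)
        return "user_" + mac.hexdigest()[:16]

    def scrub(self, line: str) -> str:
        day = self.day_of(line)
        return EMAIL_RE.sub(lambda m: self.pseudonym(m.group(0), day), line)

    def forget_before(self, day: date) -> int:
        """Delete keys of windows older than `day`; returns how many were dropped."""
        old = [w for w in self._keys if w < self._window(day)]
        for w in old:
            del self._keys[w]
        return len(old)
```

Dropping a window's key once its logs pass the retention period is what makes the unlinking permanent; keeping a single long-lived key would let anyone holding it re-derive every token.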


Logging data is not the issue under GDPR. The part that matters is what happens to the log, who can see it, how long it is stored, what the log is used for, and if you can satisfy the rights of the data subject once you process and store the data.

If you need to log the email in order to provide your service, then there is no problem logging it. But if you do log the data, you need to be very clear from the start, both with yourself and with the data subjects, what will happen to it.


Article 5 of the GDPR specifies the basic principles for processing data.

Article 5 "Principles relating to processing of personal data"

(1) Personal data shall be:

... (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

Storing personal information in log files for the purpose of diagnosing problems with your application is not incompatible with the original purpose, but do protect the data using "appropriate technical and organisational measures ... according to risk".

But don't store your logs forever. E.g. data subjects (the GDPR term for a person) have the right to be forgotten. That also means that they should eventually be removed from logs, backups, etc. I believe that if you keep data for the last 90 days, that should be fine.

And lastly, if you are building a system that processes personal information about EU citizens, I would strongly recommend that you take a 1-2 day course on the matter, to learn the differences between controller, processor, data subject, personal information vs. sensitive personal information, etc.