SecurityEngineeringArchitecture

How to Handle Data Deletion Requests Without Breaking Your App

Veld Systems||7 min read

In this article

A user asks you to delete their data. It sounds simple until you realize their user ID is a foreign key in 47 tables, their activity is woven into aggregate reports, and their uploaded files are referenced by other users. Delete carelessly and you corrupt your database. Refuse and you violate GDPR.

We have helped startups and growth stage companies implement data deletion systems that satisfy privacy regulations, keep applications functional, and do not require a team of lawyers to maintain. Here is how to do it without breaking everything.

Why This Is Harder Than It Looks

Privacy regulations like GDPR (EU), CCPA (California), and LGPD (Brazil) give users the right to request deletion of their personal data. The penalties for non compliance are not theoretical. GDPR fines can reach 4% of annual global revenue. CCPA fines start at $2,500 per violation and jump to $7,500 for intentional violations.

But these laws do not require you to destroy your entire database. They require you to delete or anonymize personal data, data that can identify a specific individual. Aggregate analytics, anonymized records, and data you are legally required to retain (financial records, tax documents) are all exempt.

The challenge is that most applications were not designed with deletion in mind. User IDs are scattered across dozens of tables. Cascade deletes can wipe out data that belongs to other users or to the business. And the line between "personal data" and "business data" is blurrier than you think.

Soft Delete vs. Hard Delete vs. Anonymization

Hard Delete

Remove the rows from the database entirely. This is the cleanest from a privacy perspective but the most dangerous from a data integrity perspective. Foreign key constraints, aggregate calculations, and audit trails all break when you remove records that other data depends on.

Use hard delete for: data that only relates to the requesting user and has no dependencies. Direct messages sent only to that user, draft content never published, personal preferences.

Soft Delete

Mark the record as deleted (typically with a deleted_at timestamp) but keep it in the database. The application filters out soft deleted records in queries. This preserves referential integrity but does not satisfy privacy regulations on its own because the personal data is still stored.

Use soft delete as an intermediate step. Soft delete immediately to remove data from the user facing application, then run an anonymization job to scrub personal data from the soft deleted records.

Anonymization

Replace personal data fields with generic or randomized values while keeping the record structure intact. The user's name becomes "Deleted User", their email becomes a hash, their profile photo is replaced with a default, but the record still exists and foreign keys still resolve.

This is the approach we recommend for most applications. It satisfies privacy requirements (the data can no longer identify an individual), preserves referential integrity, and keeps aggregate analytics accurate.

Designing a Deletion Pipeline

Step 1: Map Your Personal Data

Before you write any code, audit every table and column in your database. Classify each field as one of three categories:

- Personal data that must be deleted or anonymized (name, email, phone, IP address, photos, location data)

- Business data that can be retained after anonymization (order totals, subscription history, aggregate metrics)

- Legally required data that must be retained regardless of deletion requests (financial transaction records, tax documents, fraud prevention data)

This audit is tedious but essential. Missing a table means you are not compliant. We typically find that teams underestimate how widely personal data is spread across their systems. It shows up in logs, analytics events, third party integrations, email service providers, and backup systems.

Step 2: Build a Deletion Request Queue

Do not process deletions synchronously when the user clicks a button. Build an async pipeline:

1. User submits deletion request

2. System records the request with a timestamp and assigns a unique request ID

3. Verification email is sent to confirm the request (prevents unauthorized deletions)

4. A grace period begins (we recommend 14 to 30 days, allowing users to cancel)

5. After the grace period, an automated job processes the deletion

6. Confirmation is sent to the user when complete

The grace period is legally permitted under GDPR (you have 30 days to fulfill a request) and it saves you from accidental or malicious deletion requests. The number of users who request deletion, then email support a week later asking to undo it, is higher than you would expect.

Step 3: Implement Table by Table Handlers

Create a deletion handler for each table that contains personal data. Each handler should know which fields to anonymize, which records to hard delete, and which to leave intact. A configuration driven approach works well:

Define a schema that maps each table to its deletion strategy. For the users table, anonymize the name, email, phone, and avatar fields. For orders, anonymize billing address and keep the financial records. For messages, hard delete private messages and anonymize the sender name on messages visible to other users.

This configuration becomes your single source of truth for what happens during a deletion. It is auditable, testable, and updatable as your schema evolves.

Step 4: Handle Third Party Systems

Your database is not the only place personal data lives. You also need to delete or anonymize data in:

- Email service providers (Sendgrid, Mailchimp, etc.)

- Analytics platforms (Mixpanel, Amplitude, Segment)

- Payment processors (Stripe retains data for legal reasons but you can request deletion of non essential data)

- Customer support tools (Zendesk, Intercom)

- Log aggregation services (Datadog, CloudWatch)

- Backup systems (this is the hardest one)

Build API integrations for each service that can be triggered as part of your deletion pipeline. For services that do not support programmatic deletion, document the manual steps and assign ownership.

Step 5: Handle Backups

This is where most teams get stuck. Your database backups contain personal data of deleted users. GDPR does not require you to scrub individual records from backups as long as you have a process to reanonymize if a backup is ever restored. Document this process and test it periodically.

For teams running on cloud infrastructure, our cloud and DevOps service includes backup management that accounts for data retention policies and privacy compliance.

The Edge Cases That Will Bite You

Shared content. A user coauthored a document with another user. Deleting the departing user's contributions would damage the remaining user's work. Anonymize the attribution instead.

Marketplace transactions. In platforms like Traderly, buyer and seller data is intertwined. You cannot delete one side of a transaction without affecting the other. The solution is anonymizing the deleted user's identity while preserving the transaction record.

Audit trails. Compliance and security audit logs often contain user actions with identifying information. Most regulations allow you to retain audit logs for security purposes but you should anonymize the user identity within them.

Aggregate data. If a user's activity contributed to aggregate statistics (total revenue, average session duration, conversion rates), those aggregates should remain intact. They do not contain personal data.

Search indexes. If you use Elasticsearch, Algolia, or any external search service, you need to remove the user's data from those indexes too. This is frequently overlooked.

Testing Your Deletion Pipeline

Build automated tests that verify every step of the deletion process. Create a test user, populate every table that contains personal data, run the deletion pipeline, and then query every table to confirm no personal data remains. Run this test in CI on every deploy.

We also recommend periodic manual audits where you pick a random completed deletion request and trace it across every system. This catches drift, new tables that were added without updating the deletion handlers, or third party integrations that were not included.

For more on building comprehensive test coverage around critical flows like this, see our guide on automated testing strategy.

Build It Early or Pay Later

The cost of implementing a proper data deletion system during initial development is roughly 2 to 3 weeks of engineering time. The cost of retrofitting one into a mature application with years of accumulated data and dozens of integrations can be 2 to 3 months or more.

Every week you delay, you accumulate more personal data across more systems, making the eventual cleanup harder and more expensive. If you are building a new product, include data deletion in your architecture from day one.

We build privacy compliant data systems as part of our system architecture engagements. If you need to implement data deletion across an existing product or want to get it right in a new build, talk to our team. We will map your data, design the pipeline, and make sure you are compliant before regulators come asking.

Ready to Build?

Let us talk about your project

We take on 3-4 projects at a time. Get an honest assessment within 24 hours.

Related articles

Building Software for Regulated Industries

How to build software for regulated industries like healthcare, finance, and insurance. Covers compliance, security, audit trails, and the architecture decisions that matter.

Audit Logging: Building a Complete Activity Trail

How to build production grade audit logging that tracks every user and system action. Covers schema design, write performance, querying, retention, and compliance.

5 Software Architecture Mistakes That Kill Startups

The architecture decisions that silently doom startups, and how to make the right calls early. Real lessons from real projects.