Choose the Right Action
Piano provides several options for removing or restricting user data. Choose the one that matches your use case.
GDPR Deletion (API) — Permanent Removal
Use the GDPR Delete API endpoint to fulfill "Right to Erasure" requests and permanently remove a user's personal data from Piano systems.
-
Endpoint:
/publisher/gdpr/delete -
Irreversible: Yes
-
Typical processing: PII obfuscation/removal within approximately 24 hours, with full propagation to replicated stores up to approximately 15 days (backups are handled per retention/overwrite policies, commonly referenced as up to 30 days)
-
User notifications: The API does not send an email notification to the deleted user
Disable a User (API) — Block Access, Keep Data
If you need to prevent login and access but do not want to erase data, disable the user instead.
-
Endpoint:
/publisher/user/disable -
Irreversible: No (data remains; reactivation may be possible depending on your workflow)
-
GDPR-compliant erasure: No; disabling does not remove PII
Each publisher is responsible for handling deletion requests in compliance with applicable regulations, such as GDPR, CCPA, and equivalents, across their own properties and systems. The endpoints and behaviors documented on this page are the tools Piano provides to support that work. Decisions about scope, timing, retention, and verification rest with the publisher.
Delete in the Dashboard — Operational Removal
The Dashboard delete action is useful for housekeeping (removing duplicates, fake accounts, or correcting mistakes), but it is generally considered a soft/operational action and does not replace GDPR erasure. For GDPR requests, use the API endpoint described in this section.
Summary comparison:
|
Action |
Method |
Removes PII |
Irreversible |
GDPR Compliant |
|---|---|---|---|---|
|
GDPR Delete |
|
Yes |
Yes |
Yes |
|
Disable User |
|
No |
No |
No |
|
Dashboard Delete |
Dashboard UI |
No (soft removal) |
Varies |
No |
GDPR Delete API: What It Does
Endpoint
/publisher/gdpr/delete (API Documentation)
This request triggers a GDPR-compliant workflow where personal data is obfuscated/anonymized and then removed across Piano systems on a schedule.
Scopes: PII vs. ALL
The GDPR delete endpoint supports different deletion scopes:
|
Scope |
What Is Removed |
|---|---|
|
|
Personal data that can identify the user (e.g., email, name, direct identifiers). De-identified/non-PII records may remain for reporting and legal purposes but are no longer attributable to the individual. |
|
|
PII and associated behavioral/event, subscription, and transaction associations from Piano surfaces as the deletion propagates. |
Key behaviors to understand:
-
After a GDPR deletion, the user cannot be reactivated. If the person registers again later, they will be issued a new user ID.
-
If you need to keep a record of what was deleted, Piano does not automatically generate a JSON export of the user's data at deletion time. Capture and archive any required information before calling the deletion endpoint (subject to your legal basis and internal policies).
In "Global Mode" or multi-application setups, deletion is performed per application. Ensure you call the deletion workflow for each relevant aid (Application ID) where the user exists.
What to Expect After Submitting a GDPR Deletion
Timing and Propagation
While initial obfuscation/removal typically occurs within approximately 24 hours, full propagation takes longer due to distributed and replicated stores:
|
Phase |
Timeline |
Details |
|---|---|---|
|
Primary systems |
Within ~24 hours |
PII and core account/subscription/transaction associations are obfuscated/removed in primary identity and subscription systems (e.g., Identity Management, Subscription Management + Billing). |
|
Replicated stores |
Up to ~15 days |
Replicated stores (e.g., data warehouse) are purged on scheduled cycles. Interfaces may still show records until propagation completes. |
|
Backups |
Up to ~30 days |
Backups are purged/overwritten according to retention policies. |
Audience, Segments, and Targeting
If you use Piano Audience or segment-based targeting:
-
Once the user ID is removed from the warehouse, the next segment rebuild will exclude that user.
-
Segment rebuilds are typically performed at least daily.
External Exports (Ad Platforms, ESPs, etc.)
GDPR deletion only affects data on the Piano side.
-
If you previously exported an audience or segment to an external platform, Piano cannot retract IDs already delivered externally.
-
You must refresh or re-upload the segment, or follow the external platform's own deletion process to remove the user there.
Payment Providers and Other External Processors
Deletion in Piano does not delete data stored by external payment providers or processors. Manage erasure requests with those providers separately where applicable.
Bulk Deletion and Automation
For large-scale cleanup (for example, deleting 10,000+ users), use the same endpoint and automate calls with a script:
-
Export or compile a list of user identifiers to delete.
-
Submit deletion calls in a controlled loop. Batching is recommended to reduce the risk of rate limiting.
-
Test your filtering and deletion logic on a small sample before running at scale.
The bulk deletion is run by the publisher against the API. If you have questions about what data is deleted, need clarification on scopes, or need assistance with a large-scale deletion project, contact security@piano.io.
The GDPR delete endpoint is commonly used when you need to remove users from one application so they can be re-created or remapped in another without retaining prior identity linkage.
Verifying the User Before Deletion
Before calling /publisher/gdpr/delete, confirm the user exists and that you have the correct identifiers:
-
Check the Users section in the Dashboard (where available) to confirm the user record.
-
Ensure you have the correct
aid(Application ID) and the correct user identifier expected by your implementation.
Common Pitfalls and Troubleshooting
|
Issue |
Explanation |
|---|---|
|
"We deleted the user in the UI, but data still appears in reports." |
UI deletion is not a GDPR erasure. Use |
|
"Can Piano Support delete users for us?" |
GDPR deletions must be executed by the client using the API. Ensure you have a valid admin-level API token/key and the necessary permissions. |
|
"Will the user receive an email when we delete them?" |
No. The GDPR delete endpoint does not trigger an email notification. |
|
"We need a copy of the user's data after deletion." |
Piano does not generate an automatic export during deletion. Export and archive what you need before deletion (in compliance with your legal basis). |
|
"The user is still present in an ad platform/ESP." |
Refresh external exports and follow external deletion processes. Piano cannot remove data already delivered to third parties. |
Related Endpoints
|
Action |
Endpoint |
|---|---|
|
Disable user (retain data) |
|
|
GDPR delete (permanent) |
|
For request/response parameters, authentication requirements, and examples, refer to the API reference for /publisher/gdpr/delete in the Piano API documentation. More details for /publisher/user/disable are available here.