We’ve migrated our documentation to a new site, which means some URLs have changed.
Subscriptions

How Do I Delete or Anonymize User Data in Piano for GDPR Compliance?

Choose the Right Action

Piano provides several options for removing or restricting user data. Choose the one that matches your use case.

GDPR Deletion (API) — Permanent Removal

Use the GDPR Delete API endpoint to fulfill "Right to Erasure" requests and permanently remove a user's personal data from Piano systems.

  • Endpoint: /publisher/gdpr/delete

  • Irreversible: Yes

  • Typical processing: PII obfuscation/removal within approximately 24 hours, with full propagation to replicated stores up to approximately 15 days (backups are handled per retention/overwrite policies, commonly referenced as up to 30 days)

  • User notifications: The API does not send an email notification to the deleted user

Disable a User (API) — Block Access, Keep Data

If you need to prevent login and access but do not want to erase data, disable the user instead.

  • Endpoint: /publisher/user/disable

  • Irreversible: No (data remains; reactivation may be possible depending on your workflow)

  • GDPR-compliant erasure: No; disabling does not remove PII

Each publisher is responsible for handling deletion requests in compliance with applicable regulations, such as GDPR, CCPA, and equivalents, across their own properties and systems. The endpoints and behaviors documented on this page are the tools Piano provides to support that work. Decisions about scope, timing, retention, and verification rest with the publisher.

Delete in the Dashboard — Operational Removal

The Dashboard delete action is useful for housekeeping (removing duplicates, fake accounts, or correcting mistakes), but it is generally considered a soft/operational action and does not replace GDPR erasure. For GDPR requests, use the API endpoint described in this section.

Summary comparison:

Action

Method

Removes PII

Irreversible

GDPR Compliant

GDPR Delete

/publisher/gdpr/delete

Yes

Yes

Yes

Disable User

/publisher/user/disable

No

No

No

Dashboard Delete

Dashboard UI

No (soft removal)

Varies

No

GDPR Delete API: What It Does

Endpoint

/publisher/gdpr/delete (API Documentation)

This request triggers a GDPR-compliant workflow where personal data is obfuscated/anonymized and then removed across Piano systems on a schedule.

Scopes: PII vs. ALL

The GDPR delete endpoint supports different deletion scopes:

Scope

What Is Removed

scope=PII

Personal data that can identify the user (e.g., email, name, direct identifiers). De-identified/non-PII records may remain for reporting and legal purposes but are no longer attributable to the individual.

scope=ALL

PII and associated behavioral/event, subscription, and transaction associations from Piano surfaces as the deletion propagates.

Key behaviors to understand:

  • After a GDPR deletion, the user cannot be reactivated. If the person registers again later, they will be issued a new user ID.

  • If you need to keep a record of what was deleted, Piano does not automatically generate a JSON export of the user's data at deletion time. Capture and archive any required information before calling the deletion endpoint (subject to your legal basis and internal policies).

In "Global Mode" or multi-application setups, deletion is performed per application. Ensure you call the deletion workflow for each relevant aid (Application ID) where the user exists.

What to Expect After Submitting a GDPR Deletion

Timing and Propagation

While initial obfuscation/removal typically occurs within approximately 24 hours, full propagation takes longer due to distributed and replicated stores:

Phase

Timeline

Details

Primary systems

Within ~24 hours

PII and core account/subscription/transaction associations are obfuscated/removed in primary identity and subscription systems (e.g., Identity Management, Subscription Management + Billing).

Replicated stores

Up to ~15 days

Replicated stores (e.g., data warehouse) are purged on scheduled cycles. Interfaces may still show records until propagation completes.

Backups

Up to ~30 days

Backups are purged/overwritten according to retention policies.

Audience, Segments, and Targeting

If you use Piano Audience or segment-based targeting:

  • Once the user ID is removed from the warehouse, the next segment rebuild will exclude that user.

  • Segment rebuilds are typically performed at least daily.

External Exports (Ad Platforms, ESPs, etc.)

GDPR deletion only affects data on the Piano side.

  • If you previously exported an audience or segment to an external platform, Piano cannot retract IDs already delivered externally.

  • You must refresh or re-upload the segment, or follow the external platform's own deletion process to remove the user there.

Payment Providers and Other External Processors

Deletion in Piano does not delete data stored by external payment providers or processors. Manage erasure requests with those providers separately where applicable.

Bulk Deletion and Automation

For large-scale cleanup (for example, deleting 10,000+ users), use the same endpoint and automate calls with a script:

  1. Export or compile a list of user identifiers to delete.

  2. Submit deletion calls in a controlled loop. Batching is recommended to reduce the risk of rate limiting.

  3. Test your filtering and deletion logic on a small sample before running at scale.

The bulk deletion is run by the publisher against the API. If you have questions about what data is deleted, need clarification on scopes, or need assistance with a large-scale deletion project, contact security@piano.io.

The GDPR delete endpoint is commonly used when you need to remove users from one application so they can be re-created or remapped in another without retaining prior identity linkage.

Verifying the User Before Deletion

Before calling /publisher/gdpr/delete, confirm the user exists and that you have the correct identifiers:

  • Check the Users section in the Dashboard (where available) to confirm the user record.

  • Ensure you have the correct aid (Application ID) and the correct user identifier expected by your implementation.

Common Pitfalls and Troubleshooting

Issue

Explanation

"We deleted the user in the UI, but data still appears in reports."

UI deletion is not a GDPR erasure. Use /publisher/gdpr/delete with the appropriate scope, and allow time for propagation (up to ~15 days).

"Can Piano Support delete users for us?"

GDPR deletions must be executed by the client using the API. Ensure you have a valid admin-level API token/key and the necessary permissions.

"Will the user receive an email when we delete them?"

No. The GDPR delete endpoint does not trigger an email notification.

"We need a copy of the user's data after deletion."

Piano does not generate an automatic export during deletion. Export and archive what you need before deletion (in compliance with your legal basis).

"The user is still present in an ad platform/ESP."

Refresh external exports and follow external deletion processes. Piano cannot remove data already delivered to third parties.

Action

Endpoint

Disable user (retain data)

/publisher/user/disable

GDPR delete (permanent)

/publisher/gdpr/delete

For request/response parameters, authentication requirements, and examples, refer to the API reference for /publisher/gdpr/delete in the Piano API documentation. More details for /publisher/user/disable are available here.

Last updated: