Skip to main content

POST /api/v1/gdpr/erasure

Permanently deletes all records associated with a customer ID across ten interaction and decision tables, plus any customer-type dynamic schema tables. This implements the GDPR “right to erasure” (right to be forgotten) as defined in Article 17 of the General Data Protection Regulation. The ten Prisma-modeled tables are deleted in a single transaction — either all of them are cleaned or none are. The dynamic-schema (ds_*) deletes run outside that transaction on purpose: a failing raw statement inside an interactive transaction would abort it and roll back the modeled deletes. When a ds_* table has no customer_id column (or its delete fails), the erasure continues and records the issue in the top-level warnings[] array rather than failing. An audit log entry is recorded after erasure to maintain a compliance trail (the audit entry records that an erasure occurred but does not retain the deleted data).
This is the single source of truth for erasure: the admin endpoint below and the DSAR delete-request workflow both run the same eraseSubjectData path, so a subject deleted through either route has the identical set of categories erased.
ConsentRecord, the DsarRequest row itself, and hash-chained AuditLog entries are deliberately not erased here — they are retained as legal-obligation proof (consent history, the audit trail of who requested what) and are purged only by the retention cron on their own clock. The stored DSAR export payload (DsarExport) is erased.

Authentication

Requires a valid tenant and the admin role.
HeaderRequiredDescription
X-API-KeyYesAdmin-scoped API key (starts with krn_). Identifies the caller and the tenant.
Content-TypeYesapplication/json
This operation is irreversible. All interaction history, decision traces, suppressions, attribution results, interaction summaries, variant assignments, identity links, journey enrollments, and dynamic schema rows for the specified customer will be permanently deleted. There is no undo.

Request Body

FieldTypeRequiredDescription
customerIdstringYesThe unique identifier of the customer whose data should be erased

Example Request

Example Response


Response Fields

FieldTypeDescription
successbooleantrue if the erasure completed successfully
customerIdstringThe customer ID that was erased
deletedCountsobjectBreakdown of records deleted per table
deletedCounts.interactionHistoryintegerNumber of interaction history records deleted (impressions, clicks, outcomes)
deletedCounts.interactionSummaryintegerNumber of interaction summary records deleted (aggregated interaction stats)
deletedCounts.suppressionintegerNumber of suppression records deleted (frequency cap and cooldown entries)
deletedCounts.decisionTraceintegerNumber of decision trace records deleted (forensic traces of pipeline execution)
deletedCounts.attributionResultintegerNumber of attribution result records deleted (outcome-to-recommendation mappings)
deletedCounts.variantAssignmentintegerNumber of experiment variant assignment records deleted
deletedCounts.identityLinkintegerNumber of identity cluster link records deleted
deletedCounts.journeyEnrollmentintegerNumber of journey enrollment records deleted
deletedCounts.channelDeliveryintegerNumber of channel-delivery records deleted (outbound-message delivery attempts)
deletedCounts.dsarExportsintegerNumber of stored DSAR export payloads deleted (the export bundles that contained the subject’s full data)
deletedCounts.dynamicSchemaRowsintegerNumber of rows deleted from customer-type dynamic schema tables
totalDeletedintegerSum of all deleted records across all tables
warningsstring[]Non-fatal issues encountered during erasure (e.g. a ds_* table without a customer_id column, or dynamic tables that could not be enumerated). Empty when everything erased cleanly.

Data Categories Affected

The erasure targets these customer-scoped categories within the tenant boundary:
CategoryDescription
Interaction historyRaw interaction events (impressions, clicks, conversions, dismissals)
Interaction summariesAggregated interaction statistics per customer-offer pair
SuppressionsActive suppression rules (frequency caps, cooldown periods)
Decision tracesForensic traces of the decision pipeline for debugging and auditing
Attribution resultsLinks between outcomes and the recommendations that generated them
Variant assignmentsExperiment variant assignments for A/B tests
Identity linksIdentity-cluster membership records (cross-device/cross-channel identity resolution)
Journey enrollmentsCustomer-journey enrollment records
Channel deliveriesOutbound channel-delivery attempt records
DSAR export payloadsStored DSAR export bundles for the customer (the request row itself is retained; only the payload is erased)
Dynamic schema rowsRows from all active customer-type schema tables (prefixed with ds_) where customer_id matches
All deletions are scoped to both the tenantId and customerId, so no cross-tenant data is affected.

Audit Trail

After a successful erasure, an audit log entry is created with:
  • action: gdpr_erasure
  • entityType: customer
  • entityId: The erased customer ID
  • changes: The deletedCounts breakdown
This entry appears in the Change History feed and can be filtered with action=gdpr_erasure.

Error Responses

StatusCause
400Missing customerId, invalid JSON body, or customerId is not a string
401Missing or invalid authentication credentials
403Insufficient role (requires admin)
500Erasure transaction failed (no data was deleted — the transaction rolls back entirely)

If the customer has no data in any of the tables, the endpoint still returns success: true with all counts at 0 and an empty warnings array. This is expected behavior — the erasure request is idempotent.
The GDPR erasure endpoint automatically deletes rows from customer-type dynamic schema tables (those with entityType: "customer" and table names prefixed with ds_). However, data stored in external data sources (e.g., upstream systems connected via connectors or pipelines) is not affected — you must handle erasure in those systems separately.
See also: Change History | Interaction History | Decision Traces