The Right to Be Forgotten
Users want to leave
Every production app needs an account deletion flow. Users leave for many reasons: they no longer need the service, they are concerned about privacy, they are switching to a competitor, or they simply want to clean up their digital footprint.
What “delete” means
“Delete my account” seems simple, but it involves several questions:
What data is deleted? User profile, notes, bookmarks, sessions, TOTP secrets, passkeys, API keys, recovery codes, email verifications, invites. Everything directly tied to the user.
What about shared data? Notes in a shared organization. Comments on other people’s content. Messages in group chats. Deleting the user should not delete data that other users depend on.
What about audit logs? If you anonymize or delete the user’s entries, the audit trail has gaps. But keeping the entries with the user’s name conflicts with deletion.
Is it immediate? Most apps use a grace period (7-30 days). The user can change their mind. After the grace period, data is permanently deleted.
GDPR and the right to erasure
The EU’s General Data Protection Regulation (GDPR) gives users the “right to erasure” (Article 17). When a user requests deletion, you must delete their personal data unless you have a legal basis to keep it (like financial records required by law).
This means:
- You must provide a way for users to request deletion
- You must delete personal data within a reasonable time (typically 30 days)
- You can keep anonymized data (data that cannot identify the user)
- You can keep data required by law (tax records, financial transactions)
GDPR applies to any app that serves EU users, regardless of where the app is hosted.
[!NOTE] This course is not legal advice. GDPR, CCPA, and other privacy regulations have specific requirements. Consult a lawyer for your specific situation. This lesson teaches the technical implementation, not the legal compliance.
The deletion model
We will implement:
- Soft delete with grace period: The user requests deletion. Their account is marked for deletion. For 30 days, they can cancel. After 30 days, hard delete runs.
- Hard delete with cascade: Delete all user data from all tables. Anonymize shared data (replace the user’s name with “Deleted User”). Keep anonymized audit log entries.
- Notification: Email the user when deletion is requested, when the grace period is ending, and when deletion is complete.
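The model above as an added example (not code from this course): a soft delete that only marks the row, a cancel inside the grace period, and a hard delete that cascades through the user's own tables and anonymizes rows other users depend on, run against an in-memory SQLite database. The table and column names and the 30-day grace period are assumptions of the example; the notification emails are only marked by comments.

```python
import sqlite3
from datetime import datetime, timedelta

GRACE_DAYS = 30  # grace period from the model above
SCHEMA = """CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, deletion_requested_at TEXT);
CREATE TABLE sessions(id INTEGER PRIMARY KEY, user_id INTEGER);
CREATE TABLE notes(id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT);
CREATE TABLE comments(id INTEGER PRIMARY KEY, author_id INTEGER, author_name TEXT, body TEXT);
CREATE TABLE audit_log(id INTEGER PRIMARY KEY, actor_id INTEGER, actor_name TEXT, action TEXT);"""
OWNED = [("sessions", "user_id"), ("notes", "user_id")]  # only the user's rows: cascade-delete
SHARED = [("comments", "author_id", "author_name"), ("audit_log", "actor_id", "actor_name")]  # anonymize

def request_deletion(conn, user_id, now):  # soft delete: mark only; nothing is removed yet
    conn.execute("UPDATE users SET deletion_requested_at=? WHERE id=?", (now.isoformat(), user_id))

def cancel_deletion(conn, user_id):  # inside the grace period the user can change their mind
    cur = conn.execute("UPDATE users SET deletion_requested_at=NULL WHERE id=? "
                       "AND deletion_requested_at IS NOT NULL", (user_id,))
    return cur.rowcount == 1  # True only if a deletion was actually pending

def hard_delete_expired(conn, now):  # permanently delete accounts whose grace period has ended
    cutoff = (now - timedelta(days=GRACE_DAYS)).isoformat()  # NULL <= ? is false: unmarked users are skipped
    pending = conn.execute("SELECT id FROM users WHERE deletion_requested_at <= ?", (cutoff,)).fetchall()
    for (uid,) in pending:
        with conn:  # one transaction per user, so a failure never leaves a half-deleted account
            for table, col in OWNED:  # names come from the constants above, never from input
                conn.execute(f"DELETE FROM {table} WHERE {col}=?", (uid,))
            for table, id_col, name_col in SHARED:  # keep the row, strip the identity
                conn.execute(f"UPDATE {table} SET {id_col}=NULL, {name_col}='Deleted User' "
                             f"WHERE {id_col}=?", (uid,))
            conn.execute("DELETE FROM users WHERE id=?", (uid,))  # "deletion complete" email goes here
    return [uid for (uid,) in pending]

def demo():  # constructed sample data: Ada leaves, Bob asks to leave but cancels; returns the end state
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + """
INSERT INTO users VALUES (1,'Ada',NULL),(2,'Bob',NULL); INSERT INTO sessions VALUES (1,1);
INSERT INTO notes VALUES (1,1,'private'); INSERT INTO comments VALUES (1,1,'Ada','on Bob''s note');
INSERT INTO audit_log VALUES (1,1,'Ada','login');""")
    t0 = datetime(2024, 1, 1)
    request_deletion(conn, 1, t0)
    request_deletion(conn, 2, t0)
    cancelled = cancel_deletion(conn, 2)  # Bob changes his mind inside the grace period
    early = hard_delete_expired(conn, t0 + timedelta(days=10))  # Ada still inside her grace period
    late = hard_delete_expired(conn, t0 + timedelta(days=31))   # grace period over: hard delete runs
    q = lambda sql: conn.execute(sql).fetchall()
    return {"cancelled": cancelled, "early": early, "late": late, "users": q("SELECT name FROM users"),
            "notes": q("SELECT * FROM notes"), "comments": q("SELECT author_id, author_name FROM comments"),
            "audit": q("SELECT actor_id, actor_name, action FROM audit_log")}
```

Bob's comment and audit entry survive with the identity removed, so other users' threads and the audit trail stay intact while nothing left in the database points back to Ada.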
Exercises
Exercise 1: List all tables in your database that contain user data. Which ones should cascade on deletion? Which ones contain shared data?
Exercise 2: Look at how a service you use handles account deletion. How long is the grace period? What data do they say they keep?
Why do most apps use a grace period instead of immediate deletion?