Delete a user's data under GDPR request

Use this procedure when a customer Owner forwards a GDPR Article 17 (“right to erasure”) request for a single user’s data inside their org. You run it on the Owner’s behalf via scoped impersonation (D80) because the customer-facing UI does not yet ship a per-user purge. For full-org deletion see the customer-facing Delete organisation instead — this page is the per-user variant.

Danger

Irreversible. Once the purge script commits, the user’s account, events attributed to them, manual triggers, exports, and audit-log PII columns (actor email, IP, User-Agent) are gone. Related clips and camera footage are retained — only PII tied to the subject user is purged, per D25 (clip container is MP4, not user-bound).

Caution

Never act on a deletion request that arrives directly from the subject. GDPR obligations bind the controller (the customer org), not NovaVMS. The request must come from an authenticated Owner of the org.

Procedure

1. Verify the request reaches you via an authenticated Owner — either a signed ticket in the support tracker or an email from the Owner’s on-file address. Reject anonymous requests.

2. Open /platform/orgs/{org_id} and confirm the org has allow_platform_impersonation = true. If false, reply to the Owner asking them to re-enable it in Owner > Danger zone (US-PLAT-12). You cannot proceed otherwise.

3. Mint a scoped impersonation token (US-PLAT-8). Set reason = "GDPR Art.17 deletion for user <uuid> per ticket <id>" and ticket_ref to the support ticket number. TTL is 30 minutes and cannot be refreshed.

4. Run the purge script from the ops host:

   cd cloud && go run ./cmd/gdpr-purge-user \
     --org-id=<org_id> --user-id=<subject_user_id> \
     --impersonation-id=<token_id> --confirm

   The script refuses to run without --confirm and without a valid impersonation_id.

5. Verify in the platform audit log: one platform.impersonation_started, one user.gdpr_purged, and one platform.impersonation_ended row, all correlated by impersonation_id. Verify the target org’s audit log shows the same sequence with actor_type = 'platform_admin_impersonating' (US-PLAT-11).

6. Reply to the Owner on the ticket. Attach the impersonation_id and the three audit row IDs. Close the ticket.

Common variations

• Owner asks for full-org deletion instead: direct them to Delete organisation — the Owner runs it themselves, not you. If the Owner cannot reach the UI (locked out, lost MFA), use Archive an unpaid org as the precursor.
• Subject is the Owner themselves: refuse. An Owner deleting themselves orphans the org. Ask for Transfer Ownership first, then re-request.

Related

• Scoped impersonation — the D80 token lifecycle.
• Audit expectations — what the dual-write looks like for the customer.
• Delete organisation — full-org variant, customer-driven.