GDPR

Companies conducting business within the European Union are legally required to comply with the General Data Protection Regulation (GDPR).

While many aspects of this regulation may not significantly affect your integration with Stream, the GDPR provisions regarding the right to data access and the right to erasure are directly pertinent.

These provisions relate to data that is stored and managed on Stream’s servers.

The Right to Access Data

GDPR gives EU citizens the right to request access to their information and the right to have access to this information in a portable format. Stream covers this requirement with the export method.

The Feeds export method will export the following data where the user id the owner:

User data
Feeds
Follows
Activities
Comments
Reactions
Bookmarks
Bookmark folders
Collections

This method can only be used with server-side authentication:

// Start the export task
const response = await client.feeds.exportFeedUserData({
  user_id: userToExport.id,
});

// You have to poll this endpoint
const taskResponse = await client.getTask({ id: response.task_id });
console.log(taskResponse.status === "completed");

// Start the export task
response, err := client.Feeds().ExportFeedUserData(context.Background(), &getstream.ExportFeedUserDataRequest{
    UserID: userToExport.ID,
})
if err != nil {
    log.Fatal(err)
}

// You have to poll this endpoint
taskResponse, err := client.GetTask(context.Background(), response.Data.TaskID, &getstream.GetTaskRequest{})
if err != nil {
    log.Fatal(err)
}

fmt.Println(taskResponse.Data.Status == "completed")

// Start the export task
ExportFeedUserDataResponse response = feeds.exportFeedUserData(
    ExportFeedUserDataRequest.builder()
        .userID(userToExport.getId())
        .build()
).execute().getData();

// You have to poll this endpoint
var taskResponse = client.getTask(response.getTaskId()).execute().getData();
System.out.println("completed".equals(taskResponse.getStatus()));

// Start the export task
$response = $feedsClient->exportFeedUserData(
    new GeneratedModels\ExportFeedUserDataRequest(
        userID: $userToExport->id
    )
);

// You have to poll this endpoint
$taskResponse = $client->getTask($response->getData()->taskID);
echo $taskResponse->getData()->status === 'completed';

// Start the export task
var response = await _feedsV3Client.ExportFeedUserDataAsync(
    new ExportFeedUserDataRequest { UserID = userToExport.ID }
);

// You have to poll this endpoint
var taskResponse = await _client.GetTaskAsync(response.TaskID);
Console.WriteLine(taskResponse.Status == "completed");

# Start the export task
response = client.feeds.export_feed_user_data(user_id=user_to_export.id)

# You have to poll this endpoint
task_response = client.get_task(response.task_id)
print(task_response.status == "completed")

# Start the export task
response = client.feeds.export_feed_user_data(
  GetStream::Generated::Models::ExportFeedUserDataRequest.new(
    user_id: user_to_export.id
  )
)

# You have to poll this endpoint
task_response = client.get_task(response.data.task_id)
puts task_response.data.status == 'completed'

Accessing the exported data

You can check the status of an export request using the task ID returned when the task was created. The result of the task contains the URL to the JSON file.

The URL to the export file has an expiration of 24-hours. The link is generated every time you request the export status. The export will be available for 60 days.

var taskStatus = await taskClient.GetTaskStatusAsync(taskId);
if (taskStatus.Status == AsyncTaskStatus.Completed)
{
    var exportedFileUrl = taskStatus.Result.Values.First().ToString();
}

The Right to Erasure

The GDPR also grants EU citizens the right to request the deletion of their personal information. Stream offers mechanisms to delete users and feeds data in accordance with various use cases, ensuring compliance with these regulations.

The following data will be deleted:

Follows where the user is owner of either source or target feed
Feeds owned by the user - will follow the logic for deleting feeds as described here
Activities owned by the user
Comments owned by the user
Reactions owned by the user
Bookmarks owned by the user
Bookmark folders owned by the user
Collections owned by the user

NOTE: This does not delete the user's account, only their Feeds data. If you want to delete the user please refer to deleting a user

What `hard_delete` controls

The hard_delete flag only affects how the following entities are removed:

Feeds owned by the user
Activities, comments and reactions owned by the user
Bookmarks and bookmark folders owned by the user
Collections owned by the user

When hard_delete: false (the default), these entities are soft-deleted — their rows remain in the database with a deleted_at timestamp set, and they are filtered out of reads. When hard_delete: true, the rows are physically removed.

Follows are always hard-deleted regardless of the hard_delete flag. Both follow rows where the user is the source and rows where the user is the target are physically removed from the database; there is no soft-delete state for follows. As a result, the deleted user's activities will immediately stop appearing in the feeds of users who used to follow them, and the deleted user's own following list is cleared in full.

Deleting user data is an irreversible operation. This goes for both soft and hard deletes.

// Start the delete task
const response = await serverClient.feeds.deleteFeedUserData({
  user_id: userToDelete.id,
  hard_delete: false,
});

// You have to poll this endpoint
const taskResponse = await client.getTask({ id: response.task_id });
console.log(taskResponse.status === "completed");

// Start the delete task
response, err := client.Feeds().DeleteFeedUserData(context.Background(), &getstream.DeleteFeedUserDataRequest{
    UserID:     userToDelete.ID,
    HardDelete: getstream.PtrTo(false),
})
if err != nil {
    log.Fatal(err)
}

// You have to poll this endpoint
taskResponse, err := client.GetTask(context.Background(), response.Data.TaskID, &getstream.GetTaskRequest{})
if err != nil {
    log.Fatal(err)
}

fmt.Println(taskResponse.Data.Status == "completed")

// Start the delete task
DeleteFeedUserDataResponse response = feeds.deleteFeedUserData(
    DeleteFeedUserDataRequest.builder()
        .userID(userToDelete.getId())
        .hardDelete(false)
        .build()
).execute().getData();

// You have to poll this endpoint
var taskResponse = client.getTask(response.getTaskId()).execute().getData();
System.out.println("completed".equals(taskResponse.getStatus()));

// Start the delete task
$response = $feedsClient->deleteFeedUserData(
    new GeneratedModels\DeleteFeedUserDataRequest(
        userID: $userToDelete->id,
        hardDelete: false
    )
);

// You have to poll this endpoint
$taskResponse = $client->getTask($response->getData()->taskID);
echo $taskResponse->getData()->status === 'completed';

// Start the delete task
var response = await _feedsV3Client.DeleteFeedUserDataAsync(
    new DeleteFeedUserDataRequest
    {
        UserID = userToDelete.ID,
        HardDelete = false
    }
);

// You have to poll this endpoint
var taskResponse = await _client.GetTaskAsync(response.TaskID);
Console.WriteLine(taskResponse.Status == "completed");

# Start the delete task
response = client.feeds.delete_feed_user_data(
    user_id=user_to_delete.id,
    hard_delete=False
)

# You have to poll this endpoint
task_response = client.get_task(response.task_id)
print(task_response.status == "completed")

# Start the delete task
response = client.feeds.delete_feed_user_data(
  GetStream::Generated::Models::DeleteFeedUserDataRequest.new(
    user_id: user_to_delete.id,
    hard_delete: false
  )
)

# You have to poll this endpoint
task_response = client.get_task(response.data.task_id)
puts task_response.data.status == 'completed'

Deleting a user

// Delete users
deleteRequest := &getstream.DeleteUsersRequest{
    UserIds: []string{"<id>"},
}
_, err = client.DeleteUsers(context.Background(), deleteRequest)

// Restore users
restoreRequest := &getstream.RestoreUsersRequest{
    UserIds: []string{"<id>"},
}
_, err = client.RestoreUsers(context.Background(), restoreRequest)

// Delete users
client.deleteUsers(
    DeleteUsersRequest.builder()
        .userIds(Arrays.asList("<id>"))
        .build()
).execute();

// Restore users
client.restoreUsers(
    RestoreUsersRequest.builder()
        .userIds(Arrays.asList("<id>"))
        .build()
).execute();

// Delete users (soft delete by default)
$client->deleteUsers(
    new GeneratedModels\DeleteUsersRequest(
        userIds: ['<id>']
    )
);

// Delete users with options (hard delete)
$client->deleteUsers(
    new GeneratedModels\DeleteUsersRequest(
        userIds: ['<id>'],
        user: 'hard',
        messages: 'hard',
        conversations: 'hard',
        newChannelOwnerID: 'new-owner-id'
    )
);

// Restore users
$client->restoreUsers(
    new GeneratedModels\RestoreUsersRequest(
        userIds: ['<id>']
    )
);

// Delete users
await _client.DeleteUsersAsync(new DeleteUsersRequest
{
    UserIds = new List<string> { "<id>" }
});

// Restore users
await _client.RestoreUsersAsync(new RestoreUsersRequest
{
    UserIds = new List<string> { "<id>" }
});

# Delete users
client.delete_users(
  GetStream::Generated::Models::DeleteUsersRequest.new(
    user_ids: ['<id>']
  )
)

# Restore users
client.restore_users(
  GetStream::Generated::Models::RestoreUsersRequest.new(
    user_ids: ['<id>']
  )
)

By default users are soft deleted. If you need control over deleting chat/video data please refer to the Chat documentation.

User permissions

Intro & Defaults