GDPR

Companies conducting business within the European Union are legally required to comply with the General Data Protection Regulation (GDPR).

While many aspects of this regulation may not significantly affect your integration with Stream, the GDPR provisions regarding the right to data access and the right to erasure are directly pertinent.

These provisions relate to data that is stored and managed on Stream’s servers.

The Right to Access Data

GDPR gives EU citizens the right to request access to their information and the right to have access to this information in a portable format. Stream covers this requirement with the export method.

The Feeds export method will export the following data where the user is the owner:

  • User data
  • Feeds
  • Follows
  • Activities
  • Comments
  • Reactions
  • Bookmarks
  • Bookmark folders
  • Collections

This method can only be used with server-side authentication:

# Start the export task
response = client.feeds.export_feed_user_data(user_id=user_to_export.id)

# You have to poll this endpoint
task_response = client.get_task(response.task_id)
print(task_response.status == "completed")

Accessing the exported data

You can check the status of an export request using the task ID returned when the task was created. The result of the task contains the URL to the JSON file.

The URL to the export file expires after 24 hours. The link is generated each time you request the export status. The export will be available for 60 days.

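# Look up the export task by the ID returned when it was created
response = client.get_task(response["task_id"])

# The result carries the URL of the JSON export once the task has completed
if response["status"] == "completed":
    print(response["result"]["url"])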

The Right to Erasure

The GDPR also grants EU citizens the right to request the deletion of their personal information. Stream offers mechanisms to delete users and feeds data in accordance with various use cases, ensuring compliance with these regulations.

The following data will be deleted:

  • Follows where the user is owner of either source or target feed
  • Feeds owned by the user - will follow the logic for deleting feeds as described here
  • Activities owned by the user
  • Comments owned by the user
  • Reactions owned by the user
  • Bookmarks owned by the user
  • Bookmark folders owned by the user
  • Collections owned by the user

NOTE: This does not delete the user’s account, only their Feeds data. If you want to delete the user, please refer to Deleting a user.

Deleting user data is an irreversible operation. This goes for both soft and hard deletes.

# Start the delete task
response = client.feeds.delete_feed_user_data(
    user_id=user_to_delete.id,
    hard_delete=False
)

# You have to poll this endpoint
task_response = client.get_task(response.task_id)
print(task_response.status == "completed")

Deleting a user

# Delete users
client.delete_users(user_ids=["<id>"])

# Restore users
client.restore_users(user_ids=["<id>"])

The delete users endpoint supports the following parameters to control which data is deleted and how. By default, users and their data are soft-deleted.

| Name | Type | Description | Optional |
|---|---|---|---|
| user | Enum (soft, pruning, hard) | Soft: marks user as deleted and retains all user data. Pruning: marks user as deleted and nullifies user information. Hard: deletes user completely; this requires the hard option for messages and conversations as well. | Yes |
| conversations | Enum (soft, hard) | Soft: marks all conversation channels as deleted (same effect as Delete Channels with ‘hard’ option disabled). Hard: deletes channel and all its data completely, including messages (same effect as Delete Channels with ‘hard’ option enabled). | Yes |
| messages | Enum (soft, pruning, hard) | Soft: marks all user messages as deleted without removing any related message data. Pruning: marks all user messages as deleted, nullifies message information and removes some message data such as reactions and flags. Hard: deletes messages completely with all related information. | Yes |
| new_channel_owner_id | string | Channels owned by hard-deleted users will be transferred to this user ID. If you don’t provide a value, the channel owner will have a system-generated ID like delete-user-8219f6578a7395g | Yes |
| calls | Enum (soft, hard) | Soft: marks calls and related data as deleted. Hard: deletes calls and related data completely. Note that this applies only to 1:1 calls, not group calls. | Yes |

Deleting users in bulk can take some time. This is how you can check the progress:

# Example of monitoring the status of an async task
# The logic is same for all async tasks
response = client.delete_users(user_ids=["<id>"])  # Or the result of any other Stream async API request

# You need to poll this endpoint
task_response = client.get_task(response.task_id)
print(task_response.status == "completed")
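
A bounded polling helper for the export and delete tasks above, as an added example that is not part of the original page or the Stream SDK. The names `wait_for_task`, `fresh_export_url` and `field`, the backoff values, and the "failed" status are assumptions; `get_task` stands for the `client.get_task` call shown on this page.

```python
import time

# Assumption: "failed" as a terminal error status is not named on this page.
FAILURE_STATUSES = {"failed"}


class TaskFailed(RuntimeError):
    pass


class TaskTimeout(RuntimeError):
    pass


def field(obj, name):
    """Read a field from a dict-style or attribute-style response."""
    return obj.get(name) if isinstance(obj, dict) else getattr(obj, name, None)


def wait_for_task(get_task, task_id, timeout=300.0, interval=1.0,
                  max_interval=30.0, sleep=time.sleep, clock=time.monotonic):
    """Poll get_task(task_id) until it completes, fails, or the deadline passes."""
    deadline = clock() + timeout
    while True:
        task = get_task(task_id)
        status = field(task, "status")
        if status == "completed":
            return task
        if status in FAILURE_STATUSES:
            # Report the task id and status only, never the task result.
            raise TaskFailed(f"task {task_id} ended with status {status!r}")
        if clock() + interval > deadline:
            raise TaskTimeout(f"task {task_id} still {status!r} after {timeout}s")
        sleep(interval)
        interval = min(interval * 2, max_interval)  # exponential backoff


def fresh_export_url(get_task, task_id):
    """Return a newly generated export URL, or None if the export is not done.

    The link is generated on each status request and expires after 24 hours,
    so request it at download time instead of storing it. Treat it like a
    credential for the user's personal data and keep it out of logs.
    """
    task = get_task(task_id)
    if field(task, "status") != "completed":
        return None
    return field(field(task, "result") or {}, "url")
```

Pass `client.get_task` as `get_task` and the task ID returned by the export or delete call as `task_id`.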