GDPR Compliance

LAST EDIT Aug 02 2021

Companies doing business in the European Union are bound by law to follow the General Data Protection Act. While most parts of this law don't have much impact on your integration with Stream Chat, the GDPR right to data access and right to erasure involve data stored and managed on Stream's servers.

Because of this, Stream provides a set of methods that make complying with those portions of the law easy.

The Right to Access Data

GDPR gives EU citizens the right to request access to their information and to receive that information in a portable format. Stream Chat covers this requirement with the Export User method.

This method requires server-side authentication.

The export will return all data about the user, including:

  • User ID

  • Messages

  • Reactions

  • Custom Data

Running a user export will return a JSON object like the following example.

Exporting a user with more than 10,000 messages will throw an error during the export process. The Stream Chat team is actively working on a workaround for this issue and it will be resolved soon.

The Right to Erasure

GDPR also gives EU citizens the right to request the deletion of their information. Stream Chat provides the Delete User method, which removes a user from a Stream Chat Application. However, the default settings for this method leave the user's message history and one-on-one chat histories in the system, which is not GDPR compliant. Stream supports a GDPR compliant version of Delete User by setting the mark_messages_deleted, hard_delete, and delete_conversation_channels options to true.

This method requires server-side authentication.

After deleting or hard deleting a user, the user will no longer be able to:

  • Connect to Stream Chat

  • Send or receive messages

  • Be displayed when querying users

  • Have messages stored in Stream Chat (depending on whether mark_messages_deleted is set to true or false)

From the perspective of other users, all messages from the user will be deleted from channels they were in and 1:1 conversations between the deleted user and another user will also be deleted.
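
The following is an added example, not code from Stream's documentation: a server-side wrapper that refuses any Delete User call missing one of the three options named above, and that aborts without deleting if the pre-deletion export fails. It assumes a client object exposing export_user(user_id) and delete_user(user_id, **options); FakeClient, erase_user, missing_erasure_flags and the export shape it returns are constructed for illustration.

```python
# Added example: fail-closed GDPR erasure wrapper (not Stream's own code).
# Assumption: `client` is a server-side client exposing export_user(user_id)
# and delete_user(user_id, **options).

# The three options the page requires to be true for a compliant Delete User.
GDPR_ERASURE_OPTIONS = {
    "mark_messages_deleted": True,
    "hard_delete": True,
    "delete_conversation_channels": True,
}


class ErasureAborted(Exception):
    """Raised when erasure is refused, so nothing is deleted by accident."""


def missing_erasure_flags(options):
    """Names of required options that are absent or not exactly True."""
    return sorted(k for k in GDPR_ERASURE_OPTIONS if options.get(k) is not True)


def erase_user(client, user_id, archive=None, **overrides):
    """Optionally export the user's data, then delete with all three flags set."""
    options = {**GDPR_ERASURE_OPTIONS, **overrides}
    gaps = missing_erasure_flags(options)
    if gaps:  # e.g. a caller passed hard_delete=False
        raise ErasureAborted(f"non-compliant delete for {user_id}: {gaps} not true")
    if archive is not None:
        try:
            archive(user_id, client.export_user(user_id))
        except Exception as exc:  # export can fail, e.g. above 10,000 messages
            raise ErasureAborted(f"export failed for {user_id}; not deleting") from exc
    return client.delete_user(user_id, **options)


class FakeClient:
    """Constructed stand-in for the server-side client; records calls offline."""

    def __init__(self, export_fails=False):
        self.export_fails, self.deleted = export_fails, []

    def export_user(self, user_id):
        if self.export_fails:
            raise RuntimeError("export error (constructed)")
        return {"user": {"id": user_id}, "messages": [], "reactions": []}

    def delete_user(self, user_id, **options):
        self.deleted.append((user_id, options))
        return {"user": {"id": user_id}}
```

Because a hard delete cannot be undone, the wrapper runs the export first and treats any export error as a reason to stop, leaving the account intact until the access request can be fulfilled.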