GDPR Compliance
How Avnology ID supports GDPR requirements -- data access, portability, erasure, and consent.
Avnology ID provides built-in tools to help you comply with the EU General Data Protection Regulation (GDPR).
Data subject rights
Right of access (Article 15)
Users can view all data Avnology ID stores about them through the self-service settings page. Programmatically:
Right to data portability (Article 20)
Export user data in a machine-readable JSON format:
const exportData = await auth.admin.exportUserData({
  userId: "user_abc123",
  format: "json",
});
// Includes: profile, credentials metadata, sessions, consents, permissions

Right to erasure (Article 17)
Delete a user and all associated data. This triggers a cascade cleanup:
await auth.admin.deleteUser({
  userId: "user_abc123",
  cascade: true, // Deletes all associated data
});

The cascade deletes:
- User identity and profile
- All credentials (passwords, passkeys, TOTP)
- All active sessions
- All OAuth consents
- All refresh tokens
- All permission tuples
- Organization memberships
- Recovery codes
- Verification records
- Social login connections
- Device fingerprints
- Audit log references (anonymized, not deleted)
- Webhook delivery records
- SCIM provisioning records
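
The cascade covers data held by Avnology ID. If your own application keeps an audit trail keyed by the same user ID, it needs comparable handling after the user is deleted. The following is an added example, not Avnology ID's code or schema: the field names and log entries are constructed, and it shows one way to keep the events while removing the erased user's identifiers, followed by a check for leftovers.

```javascript
// Added example. Field names (actor, target, ip, email, userAgent) and the
// log entries are constructed for illustration, not Avnology ID's schema.
const sampleLog = [
  { id: 1, event: "login.success", actor: "user_abc123", ip: "203.0.113.7",
    email: "jane@example.com", at: "2024-05-01T10:00:00Z" },
  { id: 2, event: "role.granted", actor: "user_admin01", target: "user_abc123",
    ip: "198.51.100.4", at: "2024-05-02T09:30:00Z" },
  { id: 3, event: "login.success", actor: "user_def456", ip: "192.0.2.15",
    email: "sam@example.com", at: "2024-05-03T08:15:00Z" },
];

const ID_FIELDS = ["actor", "target"];           // fields holding a user ID
const ACTOR_PII = ["ip", "email", "userAgent"];  // identifiers describing the actor

// Return a copy of the log in which every reference to userId is replaced by
// a tombstone. The event itself (type, time, other parties) is kept.
function anonymizeUser(entries, userId, tombstone = "deleted-user") {
  return entries.map((entry) => {
    if (!ID_FIELDS.some((f) => entry[f] === userId)) return entry;
    const copy = { ...entry };
    // The IP and email on an entry belong to its actor, so drop them only
    // when the erased user was the actor, not when they were the target.
    if (copy.actor === userId) {
      for (const f of ACTOR_PII) delete copy[f];
    }
    for (const f of ID_FIELDS) {
      if (copy[f] === userId) copy[f] = tombstone;
    }
    return copy;
  });
}

// Post-erasure check: list the ids of entries that still contain any of the
// erased user's known identifiers anywhere in their serialized form.
function residualReferences(entries, identifiers) {
  return entries
    .filter((e) => identifiers.some((v) => JSON.stringify(e).includes(v)))
    .map((e) => e.id);
}

const cleaned = anonymizeUser(sampleLog, "user_abc123");
console.log(cleaned);
console.log(residualReferences(cleaned, ["user_abc123", "jane@example.com"]));
```

Running `residualReferences` over the stored log after each erasure catches identifiers that sit in fields the anonymizer does not know about, such as free-text detail strings.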
Scheduled deletion
Users can request account deletion with a grace period:
await auth.admin.scheduleUserDeletion({
  userId: "user_abc123",
  gracePeriodDays: 30, // User can cancel within 30 days
  notifyEmail: true, // Send daily reminders
});

Right to rectification (Article 16)
Users can update their profile through self-service settings or via the API:
await auth.admin.updateUser({
  userId: "user_abc123",
  traits: { name: { first: "Jane", last: "Smith" } },
});

Data processing
Consent management
Avnology ID records OAuth consent grants with timestamp, scopes, and purpose:
const consents = await auth.admin.listUserConsents({
  userId: "user_abc123",
});
// Users can revoke consents
await auth.admin.revokeConsent({
  userId: "user_abc123",
  clientId: "app_xyz789",
});

Data retention
Configure data retention policies:
| Data type | Default retention | Configurable |
|---|---|---|
| Audit logs | 365 days | Yes |
| Sessions | Until expiry or revocation | Yes |
| Webhook delivery logs | 90 days | Yes |
| Verification codes | Until used or expired (10 min) | No |