Privacy
AM separates personally identifiable information from authentication data, so you can delete a user’s PII while keeping the references you need for audit trails and legal compliance.
When a user exercises their right to be forgotten, delete their identity—not your ability to prove they existed.
Data Separation
```text
┌─────────────────────────────────────────┐
│ User                                    │
│ ┌─────────────────┐ ┌──────────────┐    │
│ │ Identity        │ │ Credentials  │    │
│ │ (Deletable)     │ │ (Required)   │    │
│ │                 │ │              │    │
│ │ - given_name    │ │ - email      │    │
│ │ - family_name   │ │ - password   │    │
│ │ - display_name  │ │ - verified   │    │
│ │ - avatar_url    │ │              │    │
│ │ - locale        │ │              │    │
│ │ - timezone      │ │              │    │
│ │ - external_id   │ │              │    │
│ └─────────────────┘ └──────────────┘    │
└─────────────────────────────────────────┘
```
Identity Operations
| Operation | Endpoint | Purpose |
|---|---|---|
| Get | GET /api/users/:user_id/identity | Retrieve PII |
| Update | PATCH /api/users/:user_id/identity | Modify PII |
| Delete | DELETE /api/users/:user_id/identity | Remove all PII |
| Recreate | POST /api/users/:user_id/identity | Restore after deletion |
Right to Erasure (GDPR Art. 17)
Deleting the identity removes the PII while preserving:
- User ID (for audit logs)
- Credentials (email + password hash)
- Payment history (legal retention)
- Account membership (access control)
What Gets Deleted
| Deleted | Preserved |
|---|---|
| given_name | user.id |
| family_name | user.application_id |
| display_name | user.status |
| avatar_url | memberships |
| preferred_language | credentials |
| locale | payment records |
| timezone | audit logs |
| external_id | |
Data Minimization
Identity fields are optional. Only collect what you need:
- Users can clear fields anytime
- Empty identity is valid
- Less data = less liability
Credentials are managed separately through the user credentials endpoints.
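The erasure flow above and the field-clearing behaviour from this Data Minimization section, modelled together as an added Python example. This is not AM's own code: the `Store` class, `IdentityError`, the method names, the rule that a `None` value in a PATCH clears that field, the rejection of fields outside the schema, and the sample user are assumptions for illustration; only the four endpoint semantics and the field names come from the page. The sample data is constructed.

```python
"""In-memory model of the identity/credentials split this page describes.
Added example, not the product's own code: Store, IdentityError, the method
names, the "None clears a field" PATCH rule, the unknown-field check and the
sample data are assumptions; endpoint semantics and field names are the page's."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Deletable identity fields, as listed in the diagram and erasure table above.
IDENTITY_FIELDS = frozenset({"given_name", "family_name", "display_name", "avatar_url",
                             "preferred_language", "locale", "timezone", "external_id"})


class IdentityError(Exception):
    """Stands in for the 4xx response a real API would return (assumed)."""


def _check_fields(data: dict) -> None:
    unknown = set(data) - IDENTITY_FIELDS
    if unknown:  # data minimization: nothing outside the schema is ever stored
        raise IdentityError(f"unknown identity fields: {sorted(unknown)}")


@dataclass
class Credentials:
    email: str
    password_hash: str  # a hash, never the plaintext password
    verified: bool = False


@dataclass
class User:
    id: str
    application_id: str
    credentials: Credentials
    status: str = "active"
    # None: identity resource deleted. {}: identity exists but is empty (valid).
    identity: Optional[dict] = field(default_factory=dict)
    memberships: list[str] = field(default_factory=list)


@dataclass
class AuditEvent:
    user_id: str  # opaque reference to User.id, carries no PII
    action: str


class Store:
    """Stand-in for the user, credential and audit tables (assumed layout)."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.audit: list[AuditEvent] = []

    def _user(self, user_id: str) -> User:
        if user_id not in self.users:
            raise IdentityError(f"user {user_id} not found")
        return self.users[user_id]

    def log(self, user_id: str, action: str) -> None:
        self.audit.append(AuditEvent(user_id, action))

    # GET /api/users/:user_id/identity
    def get_identity(self, user_id: str) -> dict:
        user = self._user(user_id)
        if user.identity is None:
            raise IdentityError("identity deleted")
        return dict(user.identity)

    # PATCH /api/users/:user_id/identity  (a None value clears that field)
    def update_identity(self, user_id: str, patch: dict) -> dict:
        user = self._user(user_id)
        if user.identity is None:
            raise IdentityError("identity deleted; POST to recreate it first")
        _check_fields(patch)
        for key, value in patch.items():
            if value is None:
                user.identity.pop(key, None)
            else:
                user.identity[key] = value
        self.log(user_id, "identity.updated")
        return dict(user.identity)

    # DELETE /api/users/:user_id/identity  (Art. 17 erasure)
    def delete_identity(self, user_id: str) -> None:
        user = self._user(user_id)
        user.identity = None  # credentials, status, memberships are untouched
        self.log(user_id, "identity.deleted")  # keyed by user.id, so it survives

    # POST /api/users/:user_id/identity  (restore after deletion)
    def recreate_identity(self, user_id: str, identity: dict) -> dict:
        user = self._user(user_id)
        if user.identity is not None:
            raise IdentityError("identity exists; use PATCH")
        _check_fields(identity)
        user.identity = dict(identity)
        self.log(user_id, "identity.recreated")
        return dict(user.identity)


def erasure_demo() -> Store:
    """Constructed sample: one user with a login event, then erasure."""
    store = Store()
    store.users["u1"] = User(
        id="u1", application_id="app1",
        credentials=Credentials("alice@example.com", "$argon2id$constructed", True),
        identity={"given_name": "Alice", "family_name": "Liddell", "locale": "en-GB"},
        memberships=["org-42"])
    store.log("u1", "login")
    store.delete_identity("u1")
    return store
```

After `erasure_demo()` runs, the user row, its credentials, its membership and both audit events are still there, and every audit event still resolves to `user.id`; only the identity resource is gone, and a later POST can recreate it with whatever subset of fields is needed. Two points worth checking in your own deployment: the audit table must be keyed by the opaque user id and must not copy identity fields into event payloads, or the erasure is incomplete; and, as in the page's own table, the email stays with the credentials and is untouched by the identity delete, so if your retention policy treats it as PII it needs separate handling through the credentials endpoints.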
Related
- User Identity - Identity resource
- Users - User management
- User - User resource