
From the Twitter comments: https://twitter.com/bicycult/status/1255122953798328320

They were still logged in and refreshed the page; they found out by going to their user settings.




I've seen this same method used on multiple apps I've requested an account deletion on. It's super frustrating. Most companies either don't respond back, say they deleted it when they merely disabled it, or they updated the account name to something else.


Disabling is understandable, because as a company you need a record of transactions or interactions such as TOS agreements for legal purposes. This requires keeping the records.

Changing object name data though is a terrible practice to implement this.


Actually, GDPR forces you to have an option to delete all data and not just disable the user.


It's a bit more complicated than that. You have a period of time to delete the data. And you can keep enough info to know what data you've deleted, so that if you restore from backups you are able to re-delete without having to go through your backups and delete everything. Probably more that I'm forgetting.


You can keep contact info even after a GDPR deletion request, so long as you're not using it for business purposes.

Otherwise imagine how easy it would be to violate the deletion request if you're running a business and can't remember the names of the people you had deletion requests for. Their data could come up again through normal channels and you'd treat them no differently than another sales contact, thus violating GDPR.


Depends on the type of data and other laws. If you are a paying customer you can assume your data will stay in the database until it is no longer required for audits. GDPR allows for anything that is 'absolutely totally required for providing service'.


In most countries you are required to keep payment records for tax purposes for 5 years or more. As this is a business necessity this trumps the GDPR. And since most business involves some kind of payment it's likely most businesses will not actually fully delete the information they have on file for you.


I noticed a similar thing being done for Bird scooters a while back. I forget the suffix but they did the same and I noticed because I was still authed on my phone after requesting deletion. My token has expired since then though so for all I know they have fully deleted the account since.


Having known people who worked at Bird, I doubt it. They had a real culture of “hack it up and then move on”; going back and fixing stuff like that isn’t in their culture.



