All posts
Compliance·· 7 min read

GDPR Data Deletion for Fintechs: The 2026 Compliance Playbook

"Delete my account" sounds simple. In fintech, it triggers a legal collision between GDPR's right to erasure and AML laws that require you to keep records for 5–7 years. Here's how we solved it — and how you can too.

By AtlasForge Trust & Safety

The collision at the heart of fintech privacy

GDPR Article 17 grants EU residents the right to have their personal data erased. Simple in principle. In fintech, it collides with three laws that require you to retain the same data:

  • AMLD5 (EU Anti-Money Laundering Directive) — 5 years of transaction and KYC records, minimum.
  • 6AMLD — extended obligations for cross-border payments.
  • PSD2 / SCA logs — 5 years of authentication events.

When a user clicks "Delete my account," you can't just DELETE FROM users WHERE id = .... You'd violate three laws before breakfast.

The good news: GDPR anticipated this. Article 17(3)(b) exempts deletion "for compliance with a legal obligation." The playbook below is how most compliant fintechs (including AtlasForge Financial) actually implement it.

The 30-day clock

GDPR gives you one month to respond to a deletion request. In practice you should target 7–14 days to leave margin for edge cases (e.g. a request that lands during a fraud investigation).

The three-tier data model

Every piece of personal data in your product falls into one of three tiers:

TierExample fieldsDeletion action
Marketing / preferenceName, email, phone (marketing), UI theme, saved goalsHard delete within 7 days
Product-operationalLinked bank tokens, transaction cache, session IDsHard delete within 7 days
RegulatedKYC scan, AML risk score, transaction ledger, wire recordsAnonymize + retain 5–7 years per regulation

The trick is the third tier. You don't delete it — you anonymize it. Replace direct identifiers (name, email, SSN, phone) with a pseudonymized token so the record can still satisfy a regulator's audit while no longer being personally identifiable to your ops team.

Reference architecture

Here's the flow AtlasForge uses (source: our own DPA):

  1. User submits deletion via /delete-account. Form captures email, reason, and last-4 of phone (for identity binding).
  2. Backend endpoint creates a deletion_requests record with status pending and mails admin+user via Resend.
  3. Ops reviews the request (24 hr SLA). If identity is confirmed:
    • Marketing + product tables run a targeted hard-delete.
    • Regulated tables run a "pseudonymize" job — the user's PII is replaced with a random token, and the mapping between the token and the original PII is destroyed. The transaction records remain queryable by regulators via the token, but no one can link back to a real person.
  4. User receives a confirmation email with a reference ID.
  5. deletion_requests record marked completed. This record is itself retained (regulators want to see the audit trail).

Common mistakes we've seen

❌ Soft-deleting everything. Setting is_deleted = true and leaving the PII in place is not compliant. That's suspension, not deletion.

❌ Deleting the KYC records. Then failing your next MLR audit and getting fined 4% of global revenue. Retain them. Anonymize them.

❌ Forgetting backups. GDPR is explicit: personal data in backups also has to expire. Set a 30-day rolling backup window and document it.

❌ Not confirming identity. Anyone can email "delete jane@example.com." Bind the request to something only the account holder knows (last-4 phone, last transaction date, security question).

❌ Manual-only process. If ops has to run SQL by hand, they'll miss tables. Build a deletion service that lists every table containing PII and runs the correct action for each.

The user-facing UX

The deletion page should:

  • Be findable from every page (footer link is standard).
  • Explain the 30-day statutory window clearly.
  • Explain what's retained (AML records) vs. deleted (everything else).
  • Not require login. GDPR doesn't require the user to be authenticated — they may have lost access.
  • Send a confirmation email so the user knows the request was received.

AtlasForge's Delete Account page is a good reference implementation — it captures the minimum needed to identify the user without over-collecting.

What to log

Every deletion request should log:

  • Request ID (UUID)
  • Timestamp received
  • Timestamp completed
  • IP and User-Agent of the request
  • Ops handler ID
  • Tables affected
  • Records anonymized (count only, not IDs)
  • Reason (optional, user-supplied)

This log itself is retained for the AML window. It becomes your defense in a regulator inquiry.

The 5-minute audit

Run this on your product this week:

  1. Can a user request deletion without logging in? ✅
  2. Do you send confirmation to both the user and your DPO? ✅
  3. Do you have a documented list of every table containing PII? ✅
  4. Do you have a distinction between hard-delete and anonymize? ✅
  5. Can you complete a request within 14 days? ✅

If any answer is no, you're carrying regulatory risk. Fix the process before you get the request.

How AtlasForge helps

If you're a partner building on our platform, you can offload GDPR deletion for AtlasForge-managed data via our admin API. POST /api/auth/request-deletion submits a request; GET /api/admin/deletion-requests (admin JWT required) surfaces the queue. See our Developer Docs for the full flow, or contact us if you need a custom DPA.

Ready to build on AtlasForge?

Get sandbox API keys in 60 seconds — or install the Safe to Spend app.