GDPR Article 17 (Right to Erasure) and CCPA §1798.105 (Right to Delete) give users the explicit right to request deletion of their personal data, including AI conversation history. When no self-service delete mechanism exists, every deletion request becomes a manual support ticket requiring engineering intervention — a workflow that does not scale and that many teams fail to process within the regulatory 30-day window. Worse, without a delete UI, most users do not know they can ask, meaning their data persists indefinitely by default rather than by informed choice.
Medium because the absence of a user-facing delete mechanism makes GDPR Art. 17 and CCPA §1798.105 compliance operationally impossible at scale and likely results in missed 30-day response deadlines.
Add a DELETE endpoint scoped to the requesting user's records. Never delete by ID alone — always verify ownership before deleting.
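// app/api/conversations/[id]/route.ts
import { getServerSession } from 'next-auth' // assumes NextAuth.js provides the session
import { db } from '@/lib/db' // assumed path to the app's database client

export async function DELETE(
  req: Request,
  { params }: { params: { id: string } }
) {
  // Reject unauthenticated callers
  const session = await getServerSession()
  if (!session?.user?.id) return new Response('Unauthorized', { status: 401 })

  // Look the record up by id AND owner; another user's id yields 404
  const conversation = await db.conversation.findFirst({
    where: { id: params.id, userId: session.user.id }
  })
  if (!conversation) return new Response('Not Found', { status: 404 })

  await db.conversation.delete({ where: { id: params.id } })
  return new Response(null, { status: 204 })
}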
Also expose a "Clear all history" action that deletes every conversation for the current user in a single operation. Surface both in the account settings UI, not buried in a help article.
ID: ai-data-privacy.data-retention-deletion.user-delete-ai-history
Severity: medium
What to look for: Enumerate every relevant item. Search for API routes or server actions that handle deletion of conversation/message records. Look for DELETE HTTP method handlers on routes containing chat, conversation, history, or messages in the path. Also look for server actions with names like deleteConversation, clearHistory, deleteChat. Check that these routes/actions are user-accessible (not admin-only) and that they delete the user's own records (check for userId/session check before delete).
Pass criteria: At least 1 of the following conditions is met. An API route or server action exists that allows authenticated users to delete their own conversation history. The deletion is scoped to the requesting user's records.
Fail criteria: No delete route or action is found for conversation/message records. Users cannot remove their own AI interaction history.
Skip (N/A) when: Conversation history is not persisted to the database — messages exist only in session state or browser memory and are naturally deleted when the session ends.
Detail on fail: "No API route or server action found that allows users to delete their own AI conversation history"
Remediation: GDPR Article 17 (Right to Erasure) and CCPA give users the right to request deletion of their data, including AI conversation history. Providing a self-service delete UI is far more practical than manual compliance requests.
Add a delete endpoint:
// app/api/conversations/[id]/route.ts
import { getServerSession } from 'next-auth' // assumes NextAuth.js provides the session
import { db } from '@/lib/db' // assumed path to the app's database client

export async function DELETE(
  req: Request,
  { params }: { params: { id: string } }
) {
  // Reject unauthenticated callers
  const session = await getServerSession()
  if (!session?.user?.id) return new Response('Unauthorized', { status: 401 })

  // Verify the conversation belongs to the requesting user
  const conversation = await db.conversation.findFirst({
    where: { id: params.id, userId: session.user.id }
  })
  if (!conversation) return new Response('Not Found', { status: 404 })

  await db.conversation.delete({ where: { id: params.id } })
  return new Response(null, { status: 204 })
}
Also add a "Clear all history" option that deletes all conversations for the current user.
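The "What to look for" check above can be approximated with a static scan over a project's source files. The TypeScript below is an added example, not part of the original rule or of any audit tool's own code; the regex heuristics, the `/admin/` path convention, and the sample sources are assumptions constructed for illustration.

```typescript
// Added example: heuristic static scan for this rule; findings still need manual review.
interface Finding { file: string; kind: 'route' | 'action'; scoped: boolean }

const ROUTE_PATH = /chat|conversation|history|messages/i;            // path keywords from the rule
const DELETE_HANDLER = /export\s+(async\s+)?function\s+DELETE\b/;    // DELETE method handler
const ACTION_NAME = /\b(deleteConversation|clearHistory|deleteChat)\b/;
const USE_SERVER = /['"]use server['"]/;
const ADMIN_PATH = /\/admin\//i;   // assumption: admin-only code lives under an /admin/ path

// True when a userId/session reference appears before the first delete call.
function ownerCheckedBeforeDelete(src: string): boolean {
  const del = src.search(/\.delete(Many)?\s*\(/);
  return /\buserId\b|\bsession\b/.test(del === -1 ? src : src.slice(0, del));
}

function scan(files: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const file of Object.keys(files)) {
    if (ADMIN_PATH.test(file)) continue;                 // must be user-accessible
    const src = files[file];
    const isRoute = ROUTE_PATH.test(file) && DELETE_HANDLER.test(src);
    const isAction = USE_SERVER.test(src) && ACTION_NAME.test(src);
    if (!isRoute && !isAction) continue;
    findings.push({ file, kind: isRoute ? 'route' : 'action', scoped: ownerCheckedBeforeDelete(src) });
  }
  return findings;
}

// Pass needs at least one user-accessible delete path scoped to the requesting user.
function verdict(findings: Finding[]): 'pass' | 'fail' {
  return findings.some((f) => f.scoped) ? 'pass' : 'fail';
}

// Constructed sample sources (not from a real repository).
const SAMPLE: Record<string, string> = {
  'app/api/conversations/[id]/route.ts': `export async function DELETE(req, { params }) {
    const session = await getServerSession()
    const c = await db.conversation.findFirst({ where: { id: params.id, userId: session.user.id } })
    if (c) await db.conversation.delete({ where: { id: params.id } }) }`,
  'app/api/messages/[id]/route.ts': `export async function DELETE(req, { params }) {
    await db.message.delete({ where: { id: params.id } }) }`,
  'app/api/admin/chat/[id]/route.ts': `export async function DELETE(req, { params }) {
    const session = await requireAdmin(); await db.conversation.delete({ where: { id: params.id } }) }`,
  'app/actions/chat.ts': `'use server'
    export async function clearHistory() { const session = await getServerSession()
      await db.conversation.deleteMany({ where: { userId: session.user.id } }) }`,
};
```

A finding with `scoped: false`, such as the messages route in the sample, is a delete handler that runs without any ownership signal and should be reviewed by hand even when the overall verdict is a pass.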