GDPR erasure does not cascade-delete financial records and active sessions

[RUKAYAT-CODER]

Overview

src/modules/gdpr/gdpr.service.ts eraseUserData() nulls profile fields but does not delete or anonymize payments, enrollments, audit logs, or active sessions. This creates orphaned financial records referencing a deleted profile and leaves active sessions usable after erasure.

Specifications

Features:

• Erasure must anonymize/delete all PII across related tables within a database transaction.
• All active sessions must be revoked on erasure.

Tasks:

• Wrap the erasure in a TypeORM transaction.
• Anonymize Payment, Enrollment, AuditLog, Notification records tied to the user.
• Call SessionService.deleteAllUserSessions(userId) to revoke sessions.
• Add a GdprErasureJob for async cascade processing with idempotency.
• Add integration tests verifying no PII remains after erasure.

Impacted Files:

• src/modules/gdpr/gdpr.service.ts
• src/session/session.service.ts

Acceptance Criteria

• No PII remains in any table after erasure.
• Active sessions are immediately invalidated.
• Repeated erasure calls are idempotent (no errors on second run).

[TheShnider]

@TheShnider has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi. I have reviewed this issue and would like to work on it.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @TheShnider to this issue.

[sammycee769]

@sammycee769 has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi team 👋

I’d like to take on the GDPR erasure improvement task.

I understand the current gap: user erasure only nulls profile fields, leaving PII in related records and active sessions intact, which breaks GDPR compliance and can lead to orphaned or sensitive data exposure.

My approach will include:

• Wrapping the entire erasure flow in a TypeORM transaction to ensure atomicity
• Anonymizing or removing PII across related entities (Payment, Enrollment, AuditLog, Notification)
• Revoking all active sessions via SessionService.deleteAllUserSessions(userId)
• Introducing a GdprErasureJob to handle async cascading with idempotency guarantees
• Adding integration tests to confirm that no PII remains and that repeated erasure calls are safe

I have experience working with NestJS, TypeORM transactions, and data privacy patterns, so I’ll ensure the solution is robust, compliant, and well-tested.

Please assign this issue to me — I’m ready to get started 🚀

ℹ️ Repo Maintainers: To accept this application, review their application or assign @sammycee769 to this issue.

[kodinaka30-ship-it]

@kodinaka30-ship-it has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hello Maintainer,
I would like to work on this issue because incomplete GDPR erasure that leaves orphaned financial records and active sessions is both a compliance failure and a security risk. I can wrap the erasure in a TypeORM transaction, anonymise all related Payment, Enrollment, AuditLog, and Notification records, call SessionService.deleteAllUserSessions, implement an idempotent GdprErasureJob for async cascade processing, and add integration tests confirming no PII remains after erasure.
Please kindly assign.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @kodinaka30-ship-it to this issue.

[Shecodes174]

@Shecodes174 has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi Maintainer I have read the description and I can resolve this issue please kindly assign to me.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Shecodes174 to this issue.

[Ajibose]

@Ajibose has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Kindly assign this issue to me

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Ajibose to this issue.

[JudeDaniel6]

@JudeDaniel6 has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Please can you assign me this

ℹ️ Repo Maintainers: To accept this application, review their application or assign @JudeDaniel6 to this issue.

[drips-wave]

Congratulations, @JudeDaniel6! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @JudeDaniel6: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊