User Management

Comprehensive guide to user account management, data deletion cascade, and GDPR compliance in Plugged.in.

Overview

Plugged.in is a trademark of VeriTeknik B.V. in the Netherlands and fully complies with GDPR regulations.
The platform provides:
  • Complete user account management
  • GDPR-compliant data deletion
  • Cascading deletion of all related data
  • Audit trail for compliance
  • User data export functionality

User Account Structure

Data Hierarchy

User Data Categories

Core Data

  • User profile (name, email, bio)
  • Authentication credentials
  • Projects and profiles
  • Sessions and tokens

Generated Content

  • MCP server configurations
  • Documents and RAG data
  • Collections and shares
  • Activity logs

Social Features

  • Follower relationships
  • Shared servers
  • Public profiles
  • User ratings

Preferences

  • Email settings
  • Notification preferences
  • UI customizations
  • API keys

GDPR Compliance

Right to be Forgotten

When a user account is deleted, ALL related data is permanently removed:
1

User Request

User initiates account deletion from settings
2

Confirmation

Email confirmation sent to verify identity
3

Data Deletion

Complete cascade deletion of all user data
4

Audit Log

Deletion logged for compliance records
5

Notification

Admin notified of GDPR deletion

Data Deletion Cascade

Complete list of data deleted with user account:

Core User Data

TableDescriptionDeletion Method
accountsOAuth provider accountsCASCADE
sessionsActive login sessionsCASCADE
password_reset_tokensPassword reset tokensCASCADE
projectsAll user projectsCASCADE
profilesAll profilesCASCADE via projects

MCP Server Data

TableDescriptionDeletion Method
mcp_serversServer configurationsCASCADE via profiles
mcp_server_toolsServer toolsCASCADE
mcp_server_promptsServer promptsCASCADE
mcp_server_resourcesServer resourcesCASCADE
mcp_server_environment_variablesEnvironment variablesCASCADE
custom_instructionsCustom instructionsCASCADE

Document & RAG Data

TableDescriptionDeletion Method
docsUploaded documentsCASCADE
doc_chunksDocument chunksCASCADE via docs
doc_embeddingsDocument embeddingsCASCADE via docs
document_versionsVersion historyCASCADE
document_model_attributionsAI attributionsCASCADE

Social Features

TableDescriptionDeletion Method
followersFollower relationshipsCASCADE
shared_mcp_serversShared serversCASCADE
shared_collectionsShared collectionsCASCADE
mcp_activityActivity logsCASCADE
notificationsUser notificationsCASCADE

Email & Preferences

TableDescriptionDeletion Method
email_trackingEmail tracking dataCASCADE
user_email_preferencesEmail preferencesCASCADE
scheduled_emailsScheduled emailsCASCADE

Registry Data

TableDescriptionDeletion Method
registry_oauth_sessionsOAuth sessionsCASCADE
registry_user_ratingsUser ratingsCASCADE
registry_serversClaimed serversCASCADE

Account Deletion Process

User-Initiated Deletion

Account deletion is permanent and cannot be undone. All data will be lost.
// Account deletion endpoint
POST /api/settings/account/delete

// Request body
{
  "password": "current_password",
  "confirmation": "DELETE MY ACCOUNT"
}

// Process
1. Verify user password
2. Check confirmation text
3. Log deletion request
4. Delete user avatar files
5. Execute CASCADE deletion
6. Send admin notification
7. Clear all sessions

Admin-Initiated Deletion

For GDPR requests or violations: 
// Admin deletion endpoint
DELETE /api/admin/users/{userId}

// Headers
{
  "Authorization": "Bearer ADMIN_TOKEN",
  "X-Admin-Secret": "ADMIN_SECRET",
  "X-Deletion-Reason": "GDPR request | TOS violation | User request"
}

// Audit log entry
{
  "action": "admin_user_deletion",
  "admin_id": "admin_123",
  "user_id": "user_456",
  "reason": "GDPR request",
  "timestamp": "2025-01-28T10:00:00Z",
  "ip_address": "192.168.1.1"
}

Data Export

User Data Export

Users can export their data before deletion: 
GET /api/settings/account/export

// Response: ZIP file containing
- user_profile.json
- projects.json
- mcp_servers.json
- documents/
- activity_log.csv
- followers.json
- email_preferences.json

Export Format

{
  "export_version": "1.0",
  "export_date": "2025-01-28T10:00:00Z",
  "user": {
    "id": "user_123",
    "email": "user@example.com",
    "name": "John Doe",
    "created_at": "2024-01-01T00:00:00Z"
  },
  "projects": [...],
  "servers": [...],
  "documents": [...],
  "activity": [...]
}

User Management API

Get User Profile

GET /api/users/{userId}

Response:
{
  "id": "user_123",
  "username": "johndoe",
  "name": "John Doe",
  "email": "john@example.com",
  "bio": "Software developer",
  "avatar_url": "/avatars/user_123.png",
  "is_public": true,
  "created_at": "2024-01-01T00:00:00Z"
}

Update User Profile

PATCH /api/users/{userId}

Request:
{
  "name": "Jane Doe",
  "bio": "Full-stack developer",
  "is_public": false
}

Manage Email Preferences

PUT /api/users/{userId}/email-preferences

Request:
{
  "notifications": true,
  "newsletter": false,
  "security_alerts": true,
  "activity_digest": "weekly"
}

Privacy Controls

Profile Visibility

Users can control their profile visibility: 
// Profile visibility settings
{
  "is_public": boolean,        // Public profile accessible at /to/username
  "show_email": boolean,        // Display email on profile
  "show_activity": boolean,     // Show recent activity
  "show_followers": boolean,    // Display follower count
  "allow_following": boolean    // Allow others to follow
}

Data Sharing Controls

// Sharing preferences
{
  "default_visibility": "private" | "workspace" | "public",
  "allow_server_cloning": boolean,
  "allow_collection_forking": boolean,
  "share_usage_analytics": boolean
}

Audit & Compliance

Audit Trail

All user management actions are logged: 
interface AuditLog {
  id: string;
  action: 'user_created' | 'user_updated' | 'user_deleted';
  user_id: string;
  admin_id?: string;
  changes?: Record<string, any>;
  ip_address: string;
  user_agent: string;
  timestamp: Date;
  gdpr_compliant: boolean;
}

Compliance Reports

Generate GDPR compliance reports: 
GET /api/admin/compliance/report

Response:
{
  "period": "2025-01",
  "deletions": {
    "total": 15,
    "gdpr_requests": 5,
    "user_initiated": 10
  },
  "exports": {
    "total": 45,
    "completed": 45,
    "failed": 0
  },
  "data_categories_deleted": [
    "personal_data",
    "usage_data",
    "content_data"
  ]
}

Testing User Deletion

Deletion Checklist

Test Script

# Test user deletion cascade
npm run test:gdpr-deletion

# Verify no orphaned data
SELECT * FROM projects WHERE user_id = 'deleted_user_id';
SELECT * FROM mcp_servers WHERE profile_uuid IN
  (SELECT uuid FROM profiles WHERE project_uuid IN
    (SELECT uuid FROM projects WHERE user_id = 'deleted_user_id'));

Security Considerations

Authentication Requirements

  • Password verification for deletion
  • Email confirmation for sensitive changes
  • Session invalidation after deletion
  • Rate limiting on deletion requests

Data Retention

Deleted data is permanently removed and cannot be recovered.
  • No soft deletes for user data
  • Immediate deletion from database
  • File system cleanup for avatars
  • Cache invalidation across all services

Best Practices

Support

For user management assistance: