Protecting your metrics logging data

We have two log concepts:

  • Profile logs: These contain sensitive information and are designed to be mutated in response to user requests. An example of a profile record is our User log record.

  • Transaction logs: These are designed not to contain sensitive information. They are also designed to be immutable and easy to separate from the actual user.

In order to make it easy to detach data and recommendations from specific users, we introduce a separate user ID, called a retained_user_id, which you can think of as a pseudonymized user_id. retained_user_ids can be kept in User tables or on devices. When a user wants to be forgotten, you delete the association between the user and the retained_user_id.
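The split described above, as an added example (not the page's own code): a mutable profile store holds the user_id to retained_user_id link, an append-only transaction log is keyed only by retained_user_id and rejects sensitive fields, and forgetting a user drops the link without touching the log. The class and field names, and the sensitive-field allowlist, are assumptions for illustration.

```python
import secrets

# Constructed for this example: fields that must never reach the transaction log.
SENSITIVE_FIELDS = {"user_id", "email", "name", "ip"}


class ProfileStore:
    """Mutable profile log: user_id -> profile, including the retained_user_id link."""

    def __init__(self):
        self.profiles = {}

    def create_user(self, user_id, email):
        # Random, not derived from user_id, so the log cannot be re-linked by hashing.
        rid = secrets.token_hex(16)
        self.profiles[user_id] = {"email": email, "retained_user_id": rid}
        return rid

    def retained_id_for(self, user_id):
        return self.profiles[user_id].get("retained_user_id")

    def forget(self, user_id):
        # Right to be forgotten: remove only the association; the log stays immutable.
        self.profiles[user_id].pop("retained_user_id", None)


class TransactionLog:
    """Append-only log keyed by retained_user_id; refuses sensitive fields."""

    def __init__(self):
        self.records = []

    def append(self, retained_user_id, event):
        leaked = SENSITIVE_FIELDS & set(event)
        if leaked:
            raise ValueError(f"sensitive fields in transaction log: {sorted(leaked)}")
        self.records.append({"retained_user_id": retained_user_id, **event})

    def events_for(self, retained_user_id):
        return [r for r in self.records if r["retained_user_id"] == retained_user_id]


def link_user_events(profiles, log, user_id):
    """Resolve a user's events through the profile link; empty once the user is forgotten."""
    rid = profiles.retained_id_for(user_id)
    if rid is None:
        return []
    return log.events_for(rid)
```

After `forget()`, the transaction records still exist for metrics, but nothing in the profile store maps the user back to them.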