How do I delete a specific user's memories to comply with GDPR right-to-erasure requests?

GDPR Article 17 (the right to erasure) requires that you delete a user's personal data upon request without undue delay. For AI memory systems, this means being able to identify and delete all memories associated with a specific user — including derived facts extracted from their conversations.

Why this is harder than it sounds

Naive implementations store conversation history in append-only logs where individual records cannot be surgically deleted. Vector embeddings add another layer: the original text and its embedding may live in different stores, and both must be purged. If user data flows into a shared embedding space, erasure becomes technically non-trivial.

The clean implementation

A properly designed memory system scopes all stored data under a user identifier from the moment of insertion. Every memory entry, embedding, and metadata record carries the user_id as a first-class field. Erasure is then a scoped delete operation rather than a data forensics exercise.

from mem0 import Memory

memory = Memory()

# Delete all memories for a specific user
memory.delete_all(user_id="user_gdpr_request_12345")

# Verify deletion
remaining = memory.get_all(user_id="user_gdpr_request_12345")
assert len(remaining["results"]) == 0

Calling delete_all(user_id=...) removes all memory entries, vector embeddings, metadata, and graph nodes for that user_id. The deletion is immediate and permanent — Mem0 does not operate a recycle bin or soft-delete.

Granular deletion

For requests to delete specific categories of data — 'delete my health information but keep my general preferences' — retrieve memories by topic, identify the relevant entries, and delete them individually.

# Targeted deletion: remove only health-related memories
health_memories = memory.search("health medical fitness diet", user_id="user_99", limit=20)

for m in health_memories["results"]:
    if m["score"] > 0.75:
        memory.delete(m["id"])

What erasure does not cover

Memory deletion handles the memory layer. Complete GDPR compliance also requires purging server logs containing user inputs, removing the user from LLM provider fine-tuning datasets if applicable, and deleting data from any other storage systems where conversation content was written. The memory layer is one component of a complete erasure pipeline.