Chargebee understands that you as a merchant are responsible to your customers for the data you collect on them. Modern data protection and privacy laws such as the GDPR require that personally identifiable information (PII) not be retained in systems longer than is necessary for meeting business needs.
Personal Data Management helps you align Chargebee with your customer data retention policies.
In a nutshell, this feature allows you to configure Chargebee to delete PII for customers who no longer use your services. Let's look at this in detail.
First, we must define which set of customer records are eligible for PII deletion.
PII for a customer record can be deleted when and only when all subscriptions associated with the record are in cancelled state.
When you choose to delete PII for a customer, whether it gets deleted immediately or after a certain interval is configurable in Chargebee. Thus, for the sake of clarity, we will use the term deletion request to signify the act of issuing a command to delete PII in the Chargebee system. Such a command can be issued via the user interface (whether manual or automatic) or via API .
When you navigate to Settings > Configure Chargebee > Personal Data, you would find under List of Personal Data the customer information that Chargebee allows you to delete. Select the fields that constitute Personally Identifiable Information (PII) for your customers as per your company policies. The fields selected here are the ones that will get deleted for eligible customer records once a deletion request is issued.
MRR and other aggregate revenue metrics are not affected by clearing PII. This is because no information from the customer's record that contributes to aggregate data is cleared using this feature.
To serve legal and auditing purposes, Chargebee does not allow you to delete stored invoices and event logs for your customers.
Whenever a request is raised (whether automatically, manually or via API) for deletion of PII in Chargebee, the deletion happens after the time period set under Settings > Configure Chargebee > Personal Data > Data retention period. This time period can range between zero (immediate deletion) to 3 months.
If, during this period, a subscription gets activated under a customer record marked for PII deletion, the customer record is rendered ineligible for PII deletion and the deletion request for that record is cancelled.
If you wish to manually cancel a scheduled deletion, you must contact support during the data retention period.
Once deleted, the data cannot be recovered by any means so please observe caution, especially when setting the data retention period field to "immediately".
Once the above 2 settings have been configured, you can issue PII deletion requests in Chargebee using either the user interface or the API .
The following options exist on the user interface:
1. Automatic deletion:
You can choose to have Chargebee trigger deletion requests for all customer records automatically the moment they become eligible for PII deletion.
To do this, turn on the Clear data automatically? switch under Settings > Personal Data.
Once deleted, data cannot be recovered so be careful with this feature especially when the data retention period field is set to "immediately".
2. Manual deletion:
You can use the web interface to issue deletion requests for individual customer records. This is done using the Clear Personal Data button on the customer details page. The button is only shown for eligible customer records.
Classic UI users
The Clear Personal Data option is displayed in Classic UI as shown here:
It is advisable to first review what data gets cleared by clicking on Manage settings below the button.
3. Bulk Deletions:
If you wish to issue PII deletion requests for multiple customer records (but not all eligible records), a bulk operation is your best choice (see FAQ)
A key feature in Chargebee is that any data item that is newly selected in Step 1 gets deleted immediately for all customer records for which PII was deleted previously.
The following diagram explains this:
The Delete Personal Data feature is key for having your customer data privacy policies in place. The operation permanently deletes personal information from the customer record after a configurable data retention period. A customer record is only eligible for this operation when all its subscriptions are in the cancelled state. The deletion requests can be issued via the web interface or API.
This functionality will take effect from the 15th of November, 2022.
Earlier, if you accidentally delete a payment method for a customer, the payment method would even get deleted from the payment gateway. This is because the payment methods are originally stored in the payment gateway itself.
With delayed deletion, if you accidentally delete a payment method in Chargebee, it will get deleted from the Payment Gateway only after seven days. However, the payment method is deleted from Chargebee instantly. This gives you seven days to get in touch with the Chargebee support to restore those payment methods.
Can personal data be retrieved once deleted?
No. This feature has been designed to help you comply with data privacy regulations such as the GDPR. As a result, once deleted the information is lost for good.
How can I prevent a scheduled deletion from going through?
A scheduled deletion gets executed when the data retention period expires. Contact support well within that period to cancel any scheduled deletions.
How is "Clear Personal Data" different from "Delete Customer"?
Clear Personal Data is designed to allow you to enact your data privacy policies by giving you a way to purge sensitive customer information from defunct customer records. The Delete Customer action implies Clear Personal Data and additionally removes the customer record from the web interface.
Here are some finer points of difference between the two actions:
Clear Personal Data
Permanently deletes selected personal information from the customer record.
Permanently deletes selected personal information and clears the customer record from the web interface but retains it in the database. The event logs are available on the web interface even after this action.
No aggregate revenue metrics are affected by this action.
Aggregate metrics are affected.
Can only be done for eligible customer records.
Any customer record is eligible for this action.
The information is deleted for good and cannot be retrieved.
Special [link api customers#list_customers_include_deleted]API provision exists to fetch information that has not been permanently deleted under the action.
Why does "Delete Customer" not permanently delete the entire customer record? I have concerns around privacy.
Delete Customer action does not delete the entire customer record permanently because merchants using Chargebee sometimes need access to non-personal information about their customers for auditing purposes. However, to protect customer data privacy, whenever Delete Customer is invoked, Delete Personal Data is automatically invoked for the customer record ensuring that the selected PII is deleted permanently.
Could you explain how I can delete PII for one or more customer records using the Chargebee user interface?
For existing customer records in Chargebee, you may issue delete PII requests for either a group of records or individual records at a time:
Case 1: Delete for a group of eligible records in the system.
If you wish to delete PII for some/all the eligible records in the system, you may do so using one of the following options:
Option 1: Automatic deletion: this can be done only for all eligible records. Here's how:
Enable automatic deletion as described in part 1 of step 3. This will instantly schedule all eligible customer records that are currently in the Chargebee system for PII deletion. You can turn this off immediately if you do not wish to delete PII for any further records that become eligible.
Option 2: Bulk operations: this option can be used to delete PII for all eligible records or for a subset of the records as desired. Here are the steps:
(1) Navigate to Customers and click on the drop-down menu for preset filters.
(2) Select the "Has Only Cancelled or No Subscriptions" filter as shown below:
(3) This would list all the customer records that are eligible for personal data deletion.
(4) If you wish to filter further, you can click on the filter icon on the left of the drop-down menu, choose your filters and then click on Apply Filter.
(5) Click Export > Export as CSV. Let the .zip file download.
(6) Navigate to Settings > Import & Export Data > Choose a bulk operation.
(7) Under Choose an Operation, select Customers > choose Clear Customers' PII from the list > Click Proceed.
(8) When prompted to upload the CSV file, use customers.csv in the ZIP file downloaded in step 5. and proceed.
Case 2: Delete PII for an individual customer record
For clearing PII using the user interface for an individual customer record, navigate to the details page of the customer record and use the feature described under part 2 of step 3.
Once PII is deleted for a customer, can a new subscription be created for them?
Yes, a new subscription can be created for such customer records. Once a subscription is created, the customer record would turn ineligible for PII deletion preventing any scheduled deletions from taking place.