the WhatsApp AI agent downloads WhatsApp voice notes, stores them temporarily as files, transcribes them, and then stores the transcripts in the database. GDPR gives users the right to erasure of their data. Cascading deletion from the database record through to backup systems is harder than it looks.
Key Analysis
GDPR Article 17 right to erasure applies to all personal data — including audio files in /tmp, transcripts in the database, and backup copies of the database.
Cascading deletion means: delete the workspace item, delete the transcript, delete any retained audio file, and ensure backup restoration does not re-introduce the deleted data.
The /tmp pattern (download, process, delete immediately) is the best approach for minimising voice data exposure: data that is never stored cannot need to be erased.
Risk Signals
Voice note audio files retained after transcription without a documented deletion policy.
Transcripts stored without being linked to a documented retention schedule or erasure workflow.
Database backups that pre-date erasure being restored without applying erasure records to the restored data.
Action Items
Delete voice note audio files immediately after transcription completes (even before the API response is sent).
Link transcript retention to the workspace item: when the workspace item is deleted, cascade delete the transcript.
Maintain an erasure log: when a GDPR erasure request is processed, record which backups were affected and how they should be handled at next restore.