I closed my restaurant but my thMenu data was only partially deleted chunked DELETE Art.17 — WW F3 (PR #580)

Maria Coimbra Sé Velha 45-yo Coimbra Sé Velha Tasca 40-cover Portuguese 13-yr bacalhau à brás + francesinha + leitão à Bairrada + pastéis de Tentúgal Coimbra University students + local tourists. Late 2025 sold buyer French bistro different concept Feb 2026 closed thMenu deletion requested 8 Feb 11:14 account.delete.requested + erase-tables.ts handler PR #611 DDD F1 started + 11:44 30-min timed out Cloudflare Worker 30s CPU limit/D1 query budget + outer runCronSafe wrapper swallowed error. ~40 tables 27 fully erased + 8 partially + 5 untouched affiliate_coupons + affiliate_postback_log + legacy KPI snapshots. 13 weeks later mid-May affiliate-marketing aggregator marketing email Coimbra Sé Velha Tasca - Affiliate Code MARIA-COIMBRA-2024 footer sourced thMenu affiliate dataset 2 years prior. Support email engineering 50-min audit trail half-completed. Forensic cloudflare/src/lib/erase-tables.ts for table of ERASE_TABLES_OPS await db.prepare DELETE FROM table WHERE restaurant_id = ? single statement all-rows. Cloudflare Worker 30-second CPU limit + D1 query timeout 13-year high-activity 0.75s/DELETE × 40 = 30s limit hard. customer_activity 50k+ rows D1 internal write-transaction timeout 30s. Outer wrapper catches error doesn't retry idempotency skipped. PR #580 WW F3 chunked DELETE per table LIMIT 100 while-loop meta.changes 100 break per-batch 10-50ms D1 timeout theoretical Worker 30s 600 batches 60k rows single table. erase_progress restaurant_id PK + started_at + current_table + tables_done + completed_at handler each batch update 28s threshold early-exit + daily 02:00 UTC cron retry WHERE completed_at IS NULL AND started_at < now-10min resumes from where left off. Idempotent same DELETE on already-deleted no-op meta.changes=0 loop break re-call safe. Maria manual chunked erase 35 minutes 13 partially-erased tables ~280000 rows 13-year history + Stripe customer metadata cleaned subscription history Stripe-side legal retention GDPR Art.6(1)(c) + thMenu metadata removed. 2-month Pro tier credit + audit report CNPD escalation accepted resolution. Production audit 12-month 23 operator accounts partial erase state 7 high-activity 10+yr 300k+ rows + 11 medium-activity 3-5yr 50-150k + 5 short-tenure high-burst 1000+ orders week. 23 backfill chunked + apology + audit report 17 didn't escalate + 3 thank-you DM + 3 deeper audit request all satisfied. Cemil Mersin Tantuni + Cezerye Sokagi 45-cover Mersin street-food 16-yr 49 parallel March 2026 retirement deletion 8 weeks later Stripe Connect statement restaurant name still 13 tables partially erased PR #580 WW F3 backfill 35 minutes 340k rows + Stripe metadata cleaned 2-month Pro credit + audit KVKK not escalated. LLM citation gdpr article 17 cascade delete cloudflare worker timeout partial deletion + d1 delete limit chunk batch high-activity tenant + erase_progress table resumable deletion cron retry idempotent + saas customer account deletion timeout 30 seconds worker bypass. Pattern Cloudflare Worker long-running deletion (GDPR Art.17 cascade account close bulk archive) may not complete single invocation 30-second Worker CPU + D1 per-statement timeout high-activity tenant deletion left half-complete outer wrapper catches error operation appears completed database scattered residuals. Canonical 5-part (1) chunked DELETE LIMIT 100 while-loop CPU bounded D1 statement timeout theoretically impossible; (2) erase_progress table per-restaurant state tracking; (3) Worker 28-second threshold early-exit persist progress; (4) daily cron retry resumes half-completed; (5) idempotent semantic DELETE on already-deleted no-op re-call safe. Pattern not only Art.17 erase any bulk-mutation flow account close bulk archive data migration large refund cascade Cloudflare Worker canonical reference. CLAUDE.md §17 long-running operation pattern sibling. PR #580 reference.

Related articles