User Privacy API v2
Using the v1 API?
If your integration still uses/api/2/deletions/users on amplitude.com, see the User Privacy API documentation. This page documents v2, hosted at privacy.amplitude.com.What's new in v2
If you're already integrated with v1, the most important change is how deletion scope is interpreted. v1 defaulted to single-app (project) deletion when scope was unspecified. v2 always deletes across your entire organization.
| Area | v1 (legacy) | v2 (current) |
|---|---|---|
| Default scope | Single project | Org-wide (all projects) |
| Scope control | Set delete_from_org: true for org-wide deletion | Not applicable — all requests delete from org |
| Endpoint | POST /api/2/deletions/users for create, GET for status, DELETE to remove from staging | POST /user-deletions/org/{orgId}/requests for create, GET for list and status |
delete_from_org is v1 only
Thedelete_from_org parameter exists only on the legacy v1 API. It is not supported on v2. All deletion requests submitted to privacy.amplitude.com delete user data across every project in your organization.Endpoints
All v2 routes are scoped to an organization. Replace {orgId} with your Amplitude organization ID.
| Operation | Method | Path | Request body | Response body |
|---|---|---|---|---|
| List deletion requests | GET | /user-deletions/org/{orgId}/requests | — | List<DeletionFetchResponse> |
| Submit deletion request | POST | /user-deletions/org/{orgId}/requests | DeletionRequest | DeletionResponse |
| Get deletion request | GET | /user-deletions/org/{orgId}/requests/{requestId} | — | DeletionFetchResponse |
Canceling requests is not yet supported on v2
v2 does not yet support deleting a request or removing a user from a staging job. If you need to cancel a pending deletion or remove a user before a job runs, continue using the v1 API until this capability ships on v2.Regions
The base URL depends on your project's data residency. In all examples on this page, use the default base URL unless your project uses Amplitude's EU data center—in that case use the EU base URL in this table.
| Data residency | Base URL |
|---|---|
| Default | https://privacy.amplitude.com |
| EU | https://privacy.eu.amplitude.com |
Use the host that matches your project's data residency.
Authentication
HTTP Basic auth with your project API key + secret key, base64-encoded as {api_key}:{secret_key}.
Authorization: Basic <base64(api_key:secret_key)>
DSAR is separate
Data Subject Access Requests use a different endpoint (/api/2/dsar/requests) and require an org-level API key. Contact Amplitude Support to provision one.
Submit a deletion request
POST /user-deletions/org/{orgId}/requests
Add users for deletion using a JSON body (DeletionRequest). Specify up to 100 users at a time. You can use a mix of Amplitude IDs and User IDs. Every request deletes user data across your entire organization.
Body parameters
| Field | Type | Required | Description |
|---|---|---|---|
amplitude_ids | int[] | At least one of amplitude_ids or user_ids | Amplitude IDs to delete. Up to 100 total IDs across both arrays. |
user_ids | string[] | At least one of amplitude_ids or user_ids | User IDs to delete. Up to 100 total IDs across both arrays. |
requester | string | Yes | Email of the person submitting the request. Used in audit emails. |
ignore_invalid_ids | boolean | No (default false) | If true, the job proceeds even if some IDs aren't found. If false, the request fails on any unknown ID. |
include_mapped_user_ids | boolean | No | If true, also deletes data associated with mapped user IDs (Portfolio add-on). |
delete_from_org is not a valid parameter on v2. It is a v1-only option to opt into org-wide deletion. On v2, org-wide deletion is the default and only behavior.List deletion requests
GET /user-deletions/org/{orgId}/requests
Returns all deletion requests for the organization.
curl --request GET 'https://privacy.amplitude.com/user-deletions/org/{orgId}/requests' \
-u 'API_KEY:API_SECRET' \
--header 'Accept: application/json'
Get a deletion request
GET /user-deletions/org/{orgId}/requests/{requestId}
Returns a single deletion request by ID.
curl --request GET 'https://privacy.amplitude.com/user-deletions/org/{orgId}/requests/{requestId}' \
-u 'API_KEY:API_SECRET' \
--header 'Accept: application/json'
Job lifecycle
| State | Meaning |
|---|---|
staging | Job created but not yet locked in. |
submitted | Job locked. Runs on the scheduled date. Cannot be modified. |
done | Deletion completed across all systems including backups. |
A job moves from staging to submitted 3 days before its scheduled run date. After a job becomes submitted, it cannot be canceled.
Org-wide deletion
All v2 deletion requests are org-wide. When you submit a request, Amplitude fans the deletion out to every project in the organization that contains data for the listed users.
- One deletion job is created for each project that has matching data.
- All account admins receive an email with the full list of Amplitude IDs scheduled for deletion across the org.
delete_from_org.If you previously used v1 without setting delete_from_org, your historical deletion requests may have only deleted from a single project. Re-submit those users through v2 to ensure org-wide deletion.
Service-level commitments and timing
| Commitment | Value |
|---|---|
| Maximum deletion completion time | 30 days from request |
| Job revocable until | 3 days before scheduled run date (v1 only until v2 supports cancellation) |
Important behaviors
Deletion doesn't stop future tracking
The User Privacy API removes existing data. It does not prevent Amplitude from accepting new events for the deleted user. If your SDK continues to send events for them, those events are ingested as a brand-new user. Amplitude has no memory of the deleted identity to re-link against.
To stop future tracking, use the setOptOut() method on the Amplitude SDK you're using.
Warehouse / CDC reingestion
If you ingest data into Amplitude from a data warehouse through Change Data Capture (CDC) or other warehouse-native ingestion methods, deletion in Amplitude does not propagate back to the source. On the next sync, the deleted data may be reingested.
To ensure complete deletion, delete the data in your warehouse source as well, then re-run the User Privacy API request. This applies to:
- Snowflake / BigQuery / Databricks / Redshift CDC sources
- Mirror Sync
- Any other warehouse-native ingestion path
Future event identity
After a deletion, if new events arrive for the same user_id, they are treated as a new user with a fresh Amplitude ID. There is no automatic re-stitching.
Statsig data
This User Privacy API only deletes data from the Amplitude platform. To delete data from the Statsig platform, use the Statsig User Data Deletion Requests API.Migrating from v1
If you have an existing v1 integration, see the v1 documentation for the legacy endpoint reference. Here's what to change when moving to v2:1. Update your endpoint
- POST https://amplitude.com/api/2/deletions/users
+ POST https://privacy.amplitude.com/user-deletions/org/{orgId}/requests
Use the list and get-by-ID GET routes above instead of v1's date-range query. v2 does not yet support DELETE to remove users from staging — keep using v1 for that workflow if needed.
2. Batch your requests
v2 accepts up to 100 IDs per request. Batch IDs in each request to delete users efficiently.
3. Remove delete_from_org
The delete_from_org parameter is v1-only. On v2, all requests delete org-wide by default — you don't need to (and can't) set this flag.
{
"user_ids": ["user_1"],
"requester": "privacy@yourcompany.com",
- "delete_from_org": true
}
If you were using v1 without delete_from_org, your requests only deleted from a single project. Migrating to v2 automatically upgrades those requests to org-wide deletion.
4. Use request status visibility
v2 exposes GET endpoints to list deletion requests and fetch a single request by requestId, including lifecycle state (staging / submitted / done).
Status codes
| Code | Message |
|---|---|
| 200 | Success |
| 400 | Bad Request |
| 401 | Unauthorized |
Was this helpful?