Time travel keeps a copy
BigQuery retains prior versions of table data for a time-travel window (configurable up to seven days) plus a fail-safe period. A row you DELETE stays recoverable — and readable — for that window.
Running a DELETE on your users table feels like erasure. In BigQuery it usually isn't: the data survives in time travel, in derived tables, and in snapshots, and you are left with no evidence. Here is why, and the crypto-shredding approach that deletes and proves in one call.
Time travel keeps a copy
BigQuery retains prior versions of table data for a time-travel window (configurable up to seven days) plus a fail-safe period. A row you DELETE stays recoverable — and readable — for that window.
Downstream copies survive
The DELETE only touches the one table you ran it on. Staging tables, dbt marts, and exports that copied the same personal data are untouched, so the customer's data lives on elsewhere.
It's slow and costly at scale
DML DELETE is billed against the data scanned and can be expensive and slow on large tables, which makes per-user deletions at volume — DSAR batches, breach response — a real bottleneck.
No evidence is produced
A completed query leaves a log line, not an audit artifact. When a regulator asks what was deleted, when, and how completely, a query history does not answer the question.
The reliable pattern is crypto-shredding. Before personal fields land in BigQuery, encrypt each one with a per-user data encryption key. The warehouse — and everything downstream of it — then stores ciphertext. Staging tables, marts, exports, backups, and time-travel windows all inherit that protection automatically, because they only ever held encrypted bytes.
When a deletion request arrives, you do not chase rows. You destroy the per-user key in Cloud KMS. Every copy encrypted under that key becomes mathematically unreadable at the same instant, regardless of which table or snapshot it sits in. One KMS operation replaces the fleet of DELETE statements you would otherwise have to locate, run, and somehow prove.
The pipeline encrypts each PII field with the user's DEK before writing to BigQuery. Plaintext never lands in the warehouse.
A live registry records which columns and which dbt-derived models hold that user's encrypted data, establishing deletion scope without a manual hunt.
On request, the key vault destroys the DEK in KMS. Every encrypted copy — including copies in time travel and snapshots — becomes unreadable simultaneously.
A signed record captures the key fingerprint, the destruction timestamp, and the lineage of covered systems. That is the evidence you hand to an auditor or a DSAR.
How do I delete a user's PII from BigQuery for GDPR?
You can run DML DELETE statements, but they are slow at scale, leave copies in time travel and downstream tables, and produce no evidence. The reliable approach is crypto-shredding: encrypt PII with a per-user key on write, then destroy that key on request, which renders every encrypted copy unreadable at once and produces a proof certificate.
Does BigQuery time travel keep deleted data?
Yes. BigQuery keeps prior versions of table data in a time-travel window (up to seven days) and a further fail-safe period, so DELETEd rows remain recoverable for a time. Crypto-shredding sidesteps this because the retained versions contain ciphertext that is useless once the key is destroyed.
Why not just DELETE the rows and drop the derived tables?
You would have to enumerate every derived table, export, and backup that copied the data, run a delete against each, wait out every time-travel window, and still have no single artifact proving completeness. Key destruction covers all copies in one operation and emits that proof automatically.
How Chameleon maps BigQuery datasets and coordinates encryption and key destruction.
The mechanism in depth: why one key destruction beats a fleet of row deletes.
How the key-destruction event becomes an audit-ready certificate.