Thread

  1. Schema design: user account deletion vs. keeping family tree data

    Christoph Pieper <christoph@fecra.de> — 2025-11-24T11:27:56Z

    Hi,
    
    I’m designing a schema for a family‑tree web app on PostgreSQL. Users
    register accounts and can create one or more family trees. Each tree
    consists of persons (the user themself, relatives, ancestors). Many persons
    in a tree will never have an account (e.g. great‑grandparents). Because of
    GDPR, when a user deletes their account we must remove/anonymise their user
    profile, but we want to keep the family tree data intact so that other
    users can still reference those ancestors.
    
    We expect hundreds of thousands to millions of persons and deep ancestry
    queries (N generations, inbreeding/relationship calculations).
    I’m hesitating between two schema designs:
    
    *Option A – Separate family_tree_node table*
    
    create table app_user (
      id          uuid primary key,
      email       text unique not null,
      created_at  timestamptz not null default now()
    );
    
    create table person (
      id                 uuid primary key,
      created_by_user_id uuid references app_user(id) on delete set null,
      first_name         text,
      last_name          text,
      birth_date         date
      -- more non-account-specific attributes may be added her in future!
    );
    
    create table family_tree (
      id            uuid primary key,
      owner_user_id uuid not null references app_user(id) on delete cascade,
      created_at    timestamptz not null default now()
    );
    
    create table family_tree_node (
      id              uuid primary key,
      family_tree_id  uuid not null references family_tree(id) on delete
    cascade,
      person_id       uuid references person(id) on delete set null,
      father_node_id  uuid references family_tree_node(id),
      mother_node_id  uuid references family_tree_node(id)
    );
    
    create index on family_tree_node (family_tree_id);
    create index on family_tree_node (person_id);
    create index on family_tree_node (father_node_id);
    create index on family_tree_node (mother_node_id);
    
    Here family_tree_node is the structural graph for a specific tree. A node
    may point to a person, but can also exist without one (minimal data only).
    If a user/account is deleted, we only drop/anonymise data in app_user (and
    optionally created_by_user_id), while person and family_tree_node remain.
    
    *Option B – Use person directly as the graph node (soft delete)*
    
    create table app_user (
      id          uuid primary key,
      email       text unique not null,
      created_at  timestamptz not null default now()
    );
    
    create table person (
      id                 uuid primary key,
      created_by_user_id uuid references app_user(id) on delete set null,
      first_name         text,
      last_name          text,
      birth_date         date,
      father_id          uuid references person(id),
      mother_id          uuid references person(id),
      deleted_at         timestamptz     -- soft delete flag
    );
    
    create index on person (father_id);
    create index on person (mother_id);
    create index on person (deleted_at);
    
    In this model, the pedigree graph is just a person(father_id, mother_id).
    When a user deletes their account we never hard‑delete persons; instead we
    set deleted_at and/or anonymise some fields. All queries must filter on
    deleted_at is null to hide soft‑deleted persons.
    
    Question:
    >From a PostgreSQL point of view (database best practices, data integrity,
    performance and long‑term maintainability at millions of rows), which
    approach would you prefer, or is there a better pattern for this kind of
    “account can be deleted, but genealogy should remain” use case?
    
    Regards and many thanks!
    Christoph
    
    
    
    -- 
    [image: fecra company logo]
    
    *Christoph Pieper*
    
    christoph@fecra.de
    
    fecra GmbH, Strelitzer Str. 63 10115 Berlin, Deutschland
    
    www.fecra.de  | HRB 268518 B
    
  2. Re: Schema design: user account deletion vs. keeping family tree data

    Bernice Southey <bernice.southey@gmail.com> — 2025-11-24T13:17:53Z

    Christoph Pieper <christoph@fecra.de> wrote:
    > Question:
    > From a PostgreSQL point of view (database best practices, data integrity, performance and long‑term maintainability at millions of rows), which approach would you prefer, or is there a better pattern for this kind of “account can be deleted, but genealogy should remain” use case?
    
    I can tell you what I'm doing. It solved many design problems, but I
    don't claim it's "best practice". I split my table in two.
        1 - columns that I can keep indefinitely
        2 - personal data
    That way I just delete the personal data row when I want to remove it.
    
    Thanks, Bernice
    
    
    
    
  3. Re: Schema design: user account deletion vs. keeping family tree data

    Rob Sargent <robjsargent@gmail.com> — 2025-11-24T15:43:07Z

    
    > On Nov 24, 2025, at 6:18 AM, Bernice Southey <bernice.southey@gmail.com> wrote:
    > 
    > Christoph Pieper <christoph@fecra.de> wrote:
    >> Question:
    >> From a PostgreSQL point of view (database best practices, data integrity, performance and long‑term maintainability at millions of rows), which approach would you prefer, or is there a better pattern for this kind of “account can be deleted, but genealogy should remain” use case?
    > 
    > I can tell you what I'm doing. It solved many design problems, but I
    > don't claim it's "best practice". I split my table in two.
    >    1 - columns that I can keep indefinitely
    >    2 - personal data
    > That way I just delete the personal data row when I want to remove it.
    > 
    > Thanks, Bernice
    > 
    > 
    
    +1
    Names are tricky, messy things.[1] Keep egoMaPa as leans as possible.
    
    [1] https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/
    
    
  4. Re: Schema design: user account deletion vs. keeping family tree data

    pg254kl@georgiou.vip — 2025-11-24T21:51:35Z

    Option B would be fine with me, unless there is good reason to normalize 
    it further.  A query using recursive CTE would be able to find ancestors 
    and descendants neatly and efficiently.
    
    I deal with some tables in the billions of rows, and with that hat on, I 
    would use int/bigint identity for the PKs instead of UUIDs (less 
    storage, smaller indices, faster joins).  I would have a boolean 
    'active' column to handle soft deletes, along with created_at and 
    disabled_at timestamptz columns maintained by triggers.  I would use 
    composite partitioning, first level partition by list on 'active', and 
    second level partition by range on the id PK with the range being a few 
    million.  If for some reason you have to use UUIDs, use time-based 
    UUIDv7 (native on PostgreSQL v18) so you can range partition.
    
    -- 
    regards,
    Kiriakos Georgiou
    
    
    On 11/24/25 6:27 AM, Christoph Pieper - christoph at fecra.de wrote:
    > Hi,
    >
    > I’m designing a schema for a family‑tree web app on PostgreSQL. Users 
    > register accounts and can create one or more family trees. Each tree 
    > consists of persons (the user themself, relatives, ancestors). Many 
    > persons in a tree will never have an account (e.g. 
    > great‑grandparents). Because of GDPR, when a user deletes their 
    > account we must remove/anonymise their user profile, but we want to 
    > keep the family tree data intact so that other users can still 
    > reference those ancestors.
    >
    > We expect hundreds of thousands to millions of persons and deep 
    > ancestry queries (N generations, inbreeding/relationship calculations).
    > I’m hesitating between two schema designs:
    >
    > *Option A – Separate family_tree_node table*
    >
    > create table app_user (
    >   id          uuid primary key,
    >   email       text unique not null,
    >   created_at  timestamptz not null default now()
    > );
    >
    > create table person (
    >   id                 uuid primary key,
    >   created_by_user_id uuid references app_user(id) on delete set null,
    >   first_name         text,
    >   last_name          text,
    >   birth_date         date
    >   -- more non-account-specific attributes may be added her in future!
    > );
    >
    > create table family_tree (
    >   id            uuid primary key,
    >   owner_user_id uuid not null references app_user(id) on delete cascade,
    >   created_at    timestamptz not null default now()
    > );
    >
    > create table family_tree_node (
    >   id              uuid primary key,
    >   family_tree_id  uuid not null references family_tree(id) on delete 
    > cascade,
    >   person_id       uuid references person(id) on delete set null,
    >   father_node_id  uuid references family_tree_node(id),
    >   mother_node_id  uuid references family_tree_node(id)
    > );
    >
    > create index on family_tree_node (family_tree_id);
    > create index on family_tree_node (person_id);
    > create index on family_tree_node (father_node_id);
    > create index on family_tree_node (mother_node_id);
    >
    > Here family_tree_node is the structural graph for a specific tree. A 
    > node may point to a person, but can also exist without one (minimal 
    > data only). If a user/account is deleted, we only drop/anonymise data 
    > in app_user (and optionally created_by_user_id), while person and 
    > family_tree_node remain.
    >
    > *Option B – Use person directly as the graph node (soft delete)*
    >
    > create table app_user (
    >   id          uuid primary key,
    >   email       text unique not null,
    >   created_at  timestamptz not null default now()
    > );
    >
    > create table person (
    >   id                 uuid primary key,
    >   created_by_user_id uuid references app_user(id) on delete set null,
    >   first_name         text,
    >   last_name          text,
    >   birth_date         date,
    >   father_id          uuid references person(id),
    >   mother_id          uuid references person(id),
    >   deleted_at         timestamptz     -- soft delete flag
    > );
    >
    > create index on person (father_id);
    > create index on person (mother_id);
    > create index on person (deleted_at);
    >
    > In this model, the pedigree graph is just a person(father_id, 
    > mother_id). When a user deletes their account we never hard‑delete 
    > persons; instead we set deleted_at and/or anonymise some fields. All 
    > queries must filter on deleted_at is null to hide soft‑deleted persons.
    >
    > Question:
    > From a PostgreSQL point of view (database best practices, data 
    > integrity, performance and long‑term maintainability at millions of 
    > rows), which approach would you prefer, or is there a better pattern 
    > for this kind of “account can be deleted, but genealogy should remain” 
    > use case?
    >
    > Regards and many thanks!
    > Christoph
    >
    >
    >
    > -- 
    > fecra company logo 	
    >
    > *Christoph Pieper*
    >
    > christoph@fecra.de <mailto:christoph@fecra.de>
    >
    > fecra GmbH, Strelitzer Str. 63 10115 Berlin, Deutschland
    >
    > www.fecra.de <https://www.fecra.de/>  | HRB 268518 B
    >
  5. Re: Schema design: user account deletion vs. keeping family tree data

    Jan Claeys <lists@janc.be> — 2025-11-25T21:08:40Z

    On Mon, 2025-11-24 at 12:27 +0100, Christoph Pieper wrote:
    > I’m designing a schema for a family‑tree web app on PostgreSQL. Users
    > register accounts and can create one or more family trees. Each tree
    > consists of persons (the user themself, relatives, ancestors). Many
    > persons in a tree will never have an account (e.g.
    > great‑grandparents).
    > Because of GDPR, when a user deletes their account we must
    > remove/anonymise their user profile, but we want to keep the family
    > tree data intact so that other users can still reference those
    > ancestors.
    
    Be careful. Storing and especially sharing/publishing any personal data
    of, or closely related to, a living person (including the relations of
    such person) would likely be a problem without permission from that
    person. You probably want to contact a lawyer who’s familiar with the
    GDPR & other privacy laws…
    
    Personally, I would always keep tree data from different users apart,
    give them detailed per-record control over what data can be published
    and/or shared, and mark any records of living people as hidden/private
    by default. And I would delete all records a user created when they
    delete their account, or at the very least all those belonging to
    living people.
    
    ----
    
    About the schema design:
     * both your options assume a person has exactly 1 father and 1 mother
       (probably better just call them "parents" nowadays), and has only 1
       pair of parents (what with people who were adopted, etc.?)
     * "first name" & "last name" are assumptions that only make sense in
       some countries (even when your users are only German, their
       ancestors might not all be), and of course a person might have
       different legal names over their life
     * birth dates in genealogy are often not precise, especially if you go
       further in time, and the Postgres date type can’t  express things
       like "November 1810", "about 1534", "1913 or 1918" or "between 1610
       and 1615", so might need a custom date type (and you later probably
       also want to be able to store/link many other dates?)
    
    Genealogy is messy, and you will have to be able to store all sorts of
    data you didn’t expect at first thought (see also the website about
    names Rob Sargent linked to).
    You also seem to make assumptions about relations being 1:1 or 1:N when
    in reality they are very often 1:N or N:N instead.
    
    
    -- 
    Jan Claeys (please don't CC me when replying to the list)
    
    
    
    
  6. Re: Schema design: user account deletion vs. keeping family tree data

    Ron Johnson <ronljohnsonjr@gmail.com> — 2025-11-25T22:02:26Z

    On Tue, Nov 25, 2025 at 4:08 PM Jan Claeys <lists@janc.be> wrote:
    [snip]
    
    > Genealogy is messy, and you will have to be able to store all sorts of
    > data you didn’t expect at first thought (see also the website about
    > names Rob Sargent linked to).
    > You also seem to make assumptions about relations being 1:1 or 1:N when
    > in reality they are very often 1:N or N:N instead.
    >
    
    Gramps is a great Python-based genealogy program, which has a Web frontend:
    https://github.com/gramps-project/gramps-web
    
    -- 
    Death to <Redacted>, and butter sauce.
    Don't boil me, I'm still alive.
    <Redacted> lobster!
    
  7. Re: Schema design: user account deletion vs. keeping family tree data

    Christoph Pieper <christoph@fecra.de> — 2025-11-26T22:24:19Z

    Thanks everybody!
    
    And what do you think about Option A?
    Especially the pedigree node approach beside the animal node?
    
  8. Re: Schema design: user account deletion vs. keeping family tree data

    Rob Sargent <robjsargent@gmail.com> — 2025-11-26T23:26:48Z

    
    > On Nov 26, 2025, at 3:25 PM, Christoph Pieper <christoph@fecra.de> wrote:
    > 
    > Thanks everybody!
    > 
    > And what do you think about Option A?
    > Especially the pedigree node approach beside the animal node?
    
    I have to ask if you are thinking about genetics or genealogy. Your opening statement certainly implies the former. That you will have many many users tends towards the latter. 
    
    With respect to genetics I repeat myself (and another responder): keep the triplet table simple as can be with ego-mother-father. All else is fluff. ;)  You will have to lose/break pedigrees in the event of a deletion/retraction. Keep in mind that there is a school of thought that claims pedigrees are in fact identifying information. 
    
    For genealogy you might work off a two table setup: person and relationship. The former defines an id and the latter relates two persons with a specific type of relationship including half sibs, step sibs, uncle/aunt - whatever your users wish to tell you