
Subject Access Request (SAR)

Hello

We had a user on our forum who, despite having previous warnings, continued to post offensive comments to other members. Eventually, after applying temporary restrictions, we were left with no other choice than to ban the user.

In the months since, they have reregistered under different names / emails / IP addresses, but they break cover and we ban them again... and again...

Earlier this year the user wrote to us asking about GDPR and asked for their account to be deleted, which we did. We also replied explaining there were no records of them held now that their account had been deleted.

We have now received the below email from the same user again, and I hate to say I am unsure of how to reply to them.

I have contacted all our mod team and they all say they have not made any contact with the user - our hunch is he is calling our bluff.

Would it be possible to have any advice / guidance on what we can reply please?

....................................

Hi Everyone,

A moderator has now explicitly stated to me that the forum uses “fingerprinting” / device identification to recognise users. On that basis, I am making a formal Subject Access Request under the UK GDPR, and I’m also asking you to confirm your position under PECR in relation to cookies and similar technologies.

  1. UK GDPR — Subject Access Request (Article 15)

Please provide a copy of all personal data you hold about me, including (but not limited to):

A) Fingerprinting / device recognition

  • Any device/browser fingerprint data held about me (even if stored or described internally as “device identifiers”, “security signals”, “risk scoring”, “probabilistic identifiers”, etc.)

  • The specific attributes collected/derived (e.g., device/browser characteristics, configuration data, behavioural signals) and how they are combined/used

  • Any unique identifiers generated from this data and how long they persist

  • Whether this data is linked to my account directly, and if so how

B) Logs and other identifiers

  • IP address history and timestamps (login/activity logs)

  • User-agent strings and device/OS/browser details captured

  • Cookie IDs, session IDs, and any local storage or similar identifiers associated with my account/sessions

C) Moderation / security / anti-abuse data

  • Any moderation notes, flags, decisions, ban history (if applicable), anti-spam / anti-abuse outcomes, and any “risk scores” or classifications applied to my account/device

D) Third parties and sharing

  • The recipients or categories of recipients this data is shared with (including Invision/IPS services, spam defence providers, analytics providers, or any other third parties), and what data fields are shared with each

E) Purposes, lawful basis, retention

  • The purposes for processing each category of data

  • The lawful basis relied upon for each purpose

  • Retention periods (or clear criteria used to determine them) for fingerprinting/device data, IP logs, and related identifiers

Please supply the above in a commonly used electronic format. If you need further information to verify my identity, please specify exactly what you require.

UK GDPR requires you to respond without undue delay and in any event within one month of receipt of this request.

  2. PECR / transparency — cookies and “similar technologies”

Given the moderator’s statement that fingerprinting is used, please confirm the following:

A) Where is this fingerprinting disclosed to users (privacy notice and/or cookie/tech notice), in clear terms?

B) Is fingerprinting used only for strictly necessary security/anti-abuse purposes, or also for analytics/measurement/other purposes?

C) What consent mechanism is relied upon where fingerprinting (or any non-essential tracking) is not strictly necessary?

D) Do any analytics or third-party scripts/cookies load before a user has made a consent choice? Please confirm your implementation.

This follow-up is not a general complaint — it’s a request for specific information and copies of the personal data you hold about me, prompted by the moderator’s confirmation that fingerprinting is being used.

Regards

Solved by Cedric V

  • Solution

This is just standard harassment to cause you trouble, nothing more.

IPS uses the standard stuff like:

  1. IP addresses

  2. User agents

  3. Session cookies

  4. Spam defence signals

When you delete an account, there is absolutely no data being held from that user. Sure, the user could visit the website and their IP is tracked, but that is nothing to be concerned about. PECR is irrelevant here, since IPS does not use fingerprinting nor non-essential cookie tracking.

So if you have already deleted every account this user made, there is nothing to worry about. As far as replying goes, keep it calm and professional. If the user persists, ask if they are able to provide evidence of specific personal data you currently hold, or information allowing you to verify an active data subject relationship. If no evidence is given, you can consider this matter closed. Btw, for a SAR, they should provide evidence, or their case is irrelevant.

  • Author

Thank you @Cedric V, very much appreciated.

When you have an account, you can request a "PII request" under the user's profile.
When the account is deleted, the info containing the PII request is also deleted. The info I talk about is what @Cedric V told you.
https://invisioncommunity.com/forums/topic/475691-pii-deletion-requests/

So you can easily explain that a request for that data can be done under the user profile (if your board has this option enabled).
And if there is no account, that info is not available.

(And then we disregard the 14 days of log files of access.log on the server, as that still might contain some data, but will be gone in 14 days anyway. And of course the data in backups.)

Edited by Moestuin
