By ByteBot
Adding a deleted_at column to your database table seems elegant. Mark records as deleted instead of destroying them, filter them out in queries, and sleep better knowing nothing’s truly gone. However, thousands of developers have learned the hard way that soft delete isn’t a convenience feature—it’s technical debt with compound interest.
Moreover, a recent Hacker News discussion and a real-world production disaster reveal why the pattern that looks helpful upfront creates cascading problems at scale. The ticketing company story alone should make you reconsider that deleted_at migration.
When Soft Delete Sold Concert Seats Twice
An events ticketing company developer migrated away from Rails’ Paranoia gem to a new archival system. The developer removed acts_as_paranoid from the SeatClaim model—a library that automatically filtered deleted records from database queries. Consequently, the background worker managing seat reservations started retrieving “deleted” seat claims that should have been excluded.
Same seats at Shawn Mendes concerts sold multiple times. Furthermore, hundreds of double bookings occurred globally. Refunds, cancelled orders, apology emails, and a late-night postmortem followed. The developer’s conclusion: “Soft deletes should NOT be used in production-grade systems.”
This wasn’t theoretical. Real customers, real money, real consequences. The soft delete complexity hid behind an abstraction layer—remove the abstraction, chaos ensues.
Database Features Stop Working
Soft delete undermines what databases do best: enforce data integrity. Three critical features break down.
Referential Integrity Dies
Foreign keys become technically valid because the parent record still exists. However, the database can’t enforce CASCADE rules properly anymore. Child records happily reference “deleted” parents. As a result, you must enforce integrity in application code—error-prone and scattered across your codebase.
As Brandur Leach notes: “Foreign keys are effectively lost with soft deletion, and the major benefit of foreign keys—guaranteeing referential integrity—is compromised.” You’ve traded database-enforced correctness for application-level complexity.
Unique Constraints Create Chaos
Unique constraints apply to ALL rows, including soft-deleted ones. Register john@example.com, soft delete it, try to register again? Duplicate key error. The database sees two johns—one active, one deleted—and refuses.
Workarounds exist but add complexity: partial indexes (PostgreSQL-only), composite keys with deletion timestamps, or mutating unique fields on deletion. Nevertheless, each solution trades one problem for another.
Query Complexity Explodes
Every single query needs WHERE deleted_at IS NULL. JOINs, subqueries, aggregations—all must remember to filter. Miss one? You’ve leaked deleted user data to your API. ORM abstractions help until they don’t, as the ticketing disaster demonstrated.
Performance Degrades Over Time
Soft-deleted records don’t disappear—they pile up. In PostgreSQL’s MVCC model, these become “dead tuples” that bloat tables and indexes. Therefore, one developer reported a soft deletion query taking eight hours to update a few hundred rows. The table had bloated by 1-3 GB just from updating a boolean column.
Additionally, indexes bloat too, slowing lookups. Systems with high soft-deletion rates (50-70% of records) experience noticeable performance impact. The problem compounds over time. By the time you notice, you’re swimming in years of dead data that VACUUM can’t fully reclaim.
GDPR Makes It Illegal
GDPR’s “right to be forgotten” requires actual erasure. Soft delete keeps data recoverable—that’s the entire point—but that makes it non-compliant. Legal opinions are clear: “standard deletion not sufficient.” Data must be “unrecoverable without disproportionate effort.” Indeed, soft delete fails this test by design.
This isn’t just technical debt—it’s legal liability. Any system handling EU residents, healthcare data, or financial information faces compliance risk. The feature that seemed safest (keeping everything) creates regulatory exposure.
What To Do Instead
Better alternatives exist that provide audit trails without breaking database features.
Trigger-Based Archival (Recommended)
Use database triggers to copy deleted rows to a separate archive table automatically:
CREATE TABLE archive (
id UUID PRIMARY KEY,
table_name TEXT NOT NULL,
record_id TEXT NOT NULL,
data JSONB NOT NULL,
archived_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE TRIGGER archive_users_trigger
BEFORE DELETE ON users
FOR EACH ROW
EXECUTE FUNCTION archive_deleted_row();Live tables stay clean. Foreign keys work correctly. Indexes remain efficient. Simple time-based cleanup. Minimal performance overhead. This approach balances simplicity with functionality.
Hard Delete + Event Log
Emit deletion events before actually deleting:
// Emit event with full record snapshot
emit_event("user_deleted", {
user_id: user.id,
deleted_by: current_user.id,
snapshot: user.to_dict()
});
// Then perform real deletion
db.delete(user);Database stays pristine. Full audit trail preserved. Simple to implement. Recovery requires rebuilding from events, but how often do you really need that?
Event Sourcing (For Complex Audit Needs)
Store all changes as immutable events. Full history automatically. Time-travel queries possible. The trade-off? Architectural complexity. Only worth it for financial systems, collaborative editing, or complex workflows requiring complete history.
CDC/WAL Streaming (Automated)
Tools like Debezium read PostgreSQL’s write-ahead log and stream deletions to external archives. No application code changes required. Works automatically. Risk: consumer lag can exhaust disk space unless you configure max_slot_wal_keep_size properly.
When Soft Delete IS Acceptable
Soft delete has legitimate uses, but they’re rare and specific: user-facing trash bins with short retention periods (Gmail’s 30-day deleted items), extremely low deletion rates (under 1% of operations), or temporary holds like shopping carts that aren’t true deletions.
The test: If your deletion rate exceeds 5% of operations, you have unique constraints, or you need GDPR compliance, use an alternative.
The Verdict
Before adding that deleted_at column, ask what you’re really solving. Need audit trails? Event sourcing or append-only logs work better. Need recovery? Backups and trigger-based archival handle it without breaking your database. Need GDPR compliance? Hard delete is often the only legal answer.
After 15 years, one Hacker News commenter said it best: “I prefer to just back up regularly. The amount of times I’ve ‘undeleted’ something are few and far between.” Don’t let framework defaults (Rails Paranoia, Laravel SoftDeletes, Django safedelete) make architectural decisions for you.
In conclusion, soft delete trades short-term convenience for long-term technical debt. The pattern isn’t wrong in every case—but it’s wrong in most. Choose intentionally, understand the costs, and consider alternatives first.
