# ory-selfhosting
p
Hi there! My team is looking into reducing any user personal data stored on our side, but we stumbled upon the `devices` section inside active sessions, with each object containing an `ip_address` field. Under some countries' privacy laws it would be qualified as personal data (aka PII). What would be your suggestion for NOT storing it on our side? Thank you 🙏 P.S. I've provided a bit more context here: https://github.com/ory/kratos/discussions/3431
s
Seen that discussion already, it is definitely possible to make this configurable. Would you just not collect those data, or would you rather want only the IP subnet or similar?
👍 1
p
Thanks Patrik for coming back to me on this. Since in our product we currently do not allow users to terminate their active sessions, the information about IP addresses and user agents is not useful for us at all (unless I'm missing something). But instead it affects our compliance with certain regulations. I suppose we would prefer not to store any data in that case (to offer total privacy).
s
the feature was basically only added to allow users to distinguish sessions, so that you can have e.g. `Chrome on Mac, last used today at 12:34 in New York`
but I agree that it would be nice to make this configurable, even not collect any of those data
👍 1
p
If you could give us any pointers on how that configuration should be implemented (seems rather trivial), my team might consider contributing that change to Kratos. Would you recommend any quicker solutions in general? We are thinking of either periodic (cron-based) or reactive changes done on the DB level directly when this data is written. This is clearly a brittle and dirty solution but it could help us in the short term.
s
whatever the database you use offers
I also don't think it is too hard to implement, but probably multiple places in the code might need small adjustments, so hard to point out exactly
the PR where the feature was added should be a good starting point
🙌 1