Q: How can the user ask for deletion of his data?
A: Because the user's token is deleted from their machine when the session ends, the only cross-session personally identifiable information is, by default, the IP+User Agent hash. The user can contact the webmaster and ask for their data to be removed based on that IP+UA, if those have not changed. If they have changed (e.g. a dynamic IP, or the browser was updated), there is, by default, no way to uniquely identify the user anymore.