[g_p]

Thanks for engineering responsibly! I think it's our duty to do this where we can.

As you say, data can be lost or stolen. But companies also change hands, and it is notoriously hard to prevent it being used for other reasons after acquisition (particularly in the US). Perhaps you can even look at if you actually need names and other details when handling discounts? Could you validate eligibility or do whatever is required, then assign a verified token to it? If it's more complex, a blinded signature might let you attest to a given identity being eligible for a discount, without you being able to look back and check which signature it was. I'm all for finding ways to not store data that isn't strictly necessary.

Everyone calls data the new oil, but I'm over that, and now see it as the new asbestos. It's expensive to have it, expensive to keep it, and expensive to get rid of it (if you do it right)