PrivacyService
Handles data subject rights under GDPR and LGPD — including data export, deletion, rectification, processing restriction, and existence confirmation. All RPCs extract org_id from the JWT; it is never included in request messages.
Some operations are async (export, delete) and return immediately with a PENDING status. The caller can poll the status or wait for a push notification on completion.
Methods

| Method | Description |
|---|---|
| ExportUserData | Export all personal data for a user as a downloadable ZIP |
| DeleteUserData | Delete or anonymize all personal data for a user |
| RectifyUserData | Correct personal data fields for a user |
| RestrictProcessing | Restrict or unrestrict data processing for a user |
| GetDataExistenceConfirmation | Confirm whether personal data exists for a user |
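The org scoping and per-method authorization rules on this page (org_id from the JWT, self-or-admin for ExportUserData and RectifyUserData, admin only for the rest), written out as an added server-side check that is not the project's own code. It assumes the JWT yields a subject, an org_id and an admin flag, and that the handler has already looked up the user named by user_id.

```go
package main

import (
	"errors"
	"fmt"
)

// Claims are the JWT fields this check relies on (field names are this example's
// assumption; the page only states that org_id comes from the JWT).
type Claims struct {
	Subject string // caller's user ID
	OrgID   string // org the token was issued for
	IsAdmin bool   // org admin role
}

// TargetUser is the stored record of the user named by request.user_id.
type TargetUser struct{ ID, OrgID string }

var ErrPermissionDenied = errors.New("permission denied")

// adminOnly lists the RPCs the page marks "Admin only"; the rest are callable by
// the data subject or an org admin.
var adminOnly = map[string]bool{
	"DeleteUserData":               true,
	"RestrictProcessing":           true,
	"GetDataExistenceConfirmation": true,
}

// Authorize decides whether the caller may invoke method on target (nil when no
// such user exists). Every refusal is the same error, so a caller cannot learn
// whether a user ID exists in another org.
func Authorize(method string, c Claims, target *TargetUser) error {
	// Scope by the token's org, never by anything in the request body.
	if target == nil || c.OrgID == "" || target.OrgID != c.OrgID {
		return ErrPermissionDenied
	}
	// Admins may call everything in their org; others only self-service RPCs on themselves.
	if !c.IsAdmin && (adminOnly[method] || c.Subject == "" || c.Subject != target.ID) {
		return ErrPermissionDenied
	}
	return nil
}

func main() {
	alice := Claims{Subject: "alice", OrgID: "org-1"}
	fmt.Println(Authorize("ExportUserData", alice, &TargetUser{ID: "alice", OrgID: "org-1"})) // <nil>
	fmt.Println(Authorize("DeleteUserData", alice, &TargetUser{ID: "alice", OrgID: "org-1"})) // permission denied
}
```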
ExportUserData
Export all personal data associated with a user as a downloadable ZIP. This is an async operation — it returns immediately with PENDING status and sends a push notification when the export is ready.
Authorization: Requires JWT. Callable by the user themselves or an org admin.
Request: ExportUserDataRequest

| Field | Type | Description |
|---|---|---|
| user_id | string | Internal user ID whose data is being exported. UUID format. |

Response: ExportUserDataResponse

| Field | Type | Description |
|---|---|---|
| status | PrivacyRequestStatus | Current status of the export request. |
| result_url | string | Pre-signed S3 URL to download the exported data (ZIP format). Only populated when status is COMPLETED. |
| export_id | string | Unique identifier for this export request. UUID format. |
Example

TypeScript (Connect-Web)

```typescript
const response = await privacyClient.exportUserData({
  userId: "user-uuid",
});
// response.status === "PENDING" initially
// Poll or wait for push notification, then use response.resultUrl
```

Go (gRPC)

```go
resp, err := privacyClient.ExportUserData(ctx, &pidgrv1.ExportUserDataRequest{
	UserId: "user-uuid",
})
// resp.Status == pidgrv1.PRIVACY_REQUEST_STATUS_PENDING initially
// Poll or wait for push notification, then use resp.ResultUrl
```

DeleteUserData
Delete or anonymize all personal data associated with a user. Deletion has a 30-day grace period during which processing is restricted and the request can be cancelled. After 30 days, deletion is irreversible.
When anonymize is true, PII is replaced with placeholders instead of hard-deleted, preserving audit trail integrity while removing personal data.
Authorization: Requires JWT. Admin only.
Request: DeleteUserDataRequest

| Field | Type | Description |
|---|---|---|
| user_id | string | Internal user ID whose data is being deleted. UUID format. |
| anonymize | bool | When true, PII is replaced with placeholders instead of hard-deleted. Preserves audit trail integrity. |

Response: DeleteUserDataResponse

| Field | Type | Description |
|---|---|---|
| status | PrivacyRequestStatus | Current status of the deletion request. |
| deleted_at | Timestamp | Timestamp when deletion was completed (or scheduled). Only populated when status is COMPLETED. |
Example

TypeScript (Connect-Web)

```typescript
const response = await privacyClient.deleteUserData({
  userId: "user-uuid",
  anonymize: true, // replace PII with placeholders
});
```

Go (gRPC)

```go
resp, err := privacyClient.DeleteUserData(ctx, &pidgrv1.DeleteUserDataRequest{
	UserId:    "user-uuid",
	Anonymize: true,
})
```

RectifyUserData
Correct personal data for a user. Corrections are propagated to all stored locations (profile, delivery records, analytics metadata).
Authorization: Requires JWT. Callable by the user themselves or an org admin.
Request: RectifyUserDataRequest

| Field | Type | Description |
|---|---|---|
| user_id | string | Internal user ID whose data is being corrected. UUID format. |
| corrections | map<string, string> | Map of field names to corrected values. Max 50 corrections per request. |

Response: RectifyUserDataResponse

| Field | Type | Description |
|---|---|---|
| rectified_fields | string[] | Names of fields that were successfully rectified. |
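An added client-side helper, not the project's own code, that stays within the 50-corrections-per-request limit and reconciles rectified_fields against what was requested, so a field the service did not rectify is reported instead of silently assumed fixed. The Rectifier interface is this example's assumption; an adapter over the generated pidgrv1 client would satisfy it.

```go
package main

import (
	"context"
	"sort"
)

const maxCorrections = 50 // per-request limit the page states for RectifyUserData

// Rectifier is this example's own interface; adapt the generated pidgrv1 client
// (UserId/Corrections in, RectifiedFields out) to it.
type Rectifier interface {
	Rectify(ctx context.Context, userID string, corrections map[string]string) ([]string, error)
}

// RectifyAll sends corrections in batches of at most maxCorrections fields and
// returns the fields the service did not list in rectified_fields, so an
// incomplete correction is reported rather than silently assumed to succeed.
func RectifyAll(ctx context.Context, c Rectifier, userID string, corrections map[string]string) ([]string, error) {
	keys := make([]string, 0, len(corrections))
	for k := range corrections {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic batches make retries and logs reproducible
	done := map[string]bool{}
	for start := 0; start < len(keys); start += maxCorrections {
		end := start + maxCorrections
		if end > len(keys) {
			end = len(keys)
		}
		batch := map[string]string{}
		for _, k := range keys[start:end] {
			batch[k] = corrections[k]
		}
		rectified, err := c.Rectify(ctx, userID, batch)
		if err != nil {
			return nil, err // fields in this and later batches remain uncorrected
		}
		for _, f := range rectified {
			done[f] = true
		}
	}
	var missing []string
	for _, k := range keys {
		if !done[k] {
			missing = append(missing, k)
		}
	}
	return missing, nil
}

func main() {}
```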
Example

TypeScript (Connect-Web)

```typescript
const response = await privacyClient.rectifyUserData({
  userId: "user-uuid",
  corrections: {
    display_name: "Alice Johnson",
    email: "alice.johnson@example.com",
  },
});
// response.rectifiedFields === ["display_name", "email"]
```

Go (gRPC)

```go
resp, err := privacyClient.RectifyUserData(ctx, &pidgrv1.RectifyUserDataRequest{
	UserId: "user-uuid",
	Corrections: map[string]string{
		"display_name": "Alice Johnson",
		"email":        "alice.johnson@example.com",
	},
})
```

RestrictProcessing
Restrict or unrestrict data processing for a user. When restricted, the API skips this user in campaigns, analytics, and session replay.
Authorization: Requires JWT. Admin only.
Request: RestrictProcessingRequest

| Field | Type | Description |
|---|---|---|
| user_id | string | Internal user ID whose processing is being restricted. UUID format. |
| restricted | bool | When true, processing is restricted. When false, restriction is lifted. |

Response: RestrictProcessingResponse

| Field | Type | Description |
|---|---|---|
| restricted | bool | Current restriction status. |
| restricted_at | Timestamp | Timestamp when the restriction was applied or removed. |
Example

TypeScript (Connect-Web)

```typescript
// Restrict processing
const response = await privacyClient.restrictProcessing({
  userId: "user-uuid",
  restricted: true,
});
```

```typescript
// Lift restriction
const response = await privacyClient.restrictProcessing({
  userId: "user-uuid",
  restricted: false,
});
```

Go (gRPC)

```go
resp, err := privacyClient.RestrictProcessing(ctx, &pidgrv1.RestrictProcessingRequest{
	UserId:     "user-uuid",
	Restricted: true,
})
```

GetDataExistenceConfirmation
Confirm whether personal data exists for a user and list the categories of stored data. This implements the LGPD-specific right of “confirmação de existência” (Art. 18, I).
Authorization: Requires JWT. Admin only.
Request: GetDataExistenceConfirmationRequest

| Field | Type | Description |
|---|---|---|
| user_id | string | Internal user ID to check. UUID format. |

Response: GetDataExistenceConfirmationResponse

| Field | Type | Description |
|---|---|---|
| exists | bool | Whether any personal data exists for this user. |
| data_categories | string[] | Categories of data stored (e.g., "profile", "deliveries", "analytics"). |
Example

TypeScript (Connect-Web)

```typescript
const response = await privacyClient.getDataExistenceConfirmation({
  userId: "user-uuid",
});
// response.exists === true
// response.dataCategories === ["profile", "deliveries", "analytics"]
```

Go (gRPC)

```go
resp, err := privacyClient.GetDataExistenceConfirmation(ctx, &pidgrv1.GetDataExistenceConfirmationRequest{
	UserId: "user-uuid",
})
// resp.Exists == true
// resp.DataCategories == []string{"profile", "deliveries", "analytics"}
```

PrivacyRequestStatus Enum
Tracks the lifecycle of async privacy requests (export, delete).

| Value | Description |
|---|---|
| PRIVACY_REQUEST_STATUS_UNSPECIFIED | Default value; should not be used explicitly. |
| PRIVACY_REQUEST_STATUS_PENDING | Request has been created but not yet started. |
| PRIVACY_REQUEST_STATUS_PROCESSING | Request is currently being processed. |
| PRIVACY_REQUEST_STATUS_COMPLETED | Request completed successfully. |
| PRIVACY_REQUEST_STATUS_FAILED | Request failed during processing. |