Pular para o conteúdo

PrivacyService

Este conteúdo não está disponível em sua língua ainda.

Handles data subject rights under GDPR and LGPD — including data export, deletion, rectification, processing restriction, and existence confirmation. All RPCs extract org_id from the JWT; it is never included in request messages.

Some operations are async (export, delete) and return immediately with a PENDING status. The caller can poll the status or wait for a push notification on completion.

Method Description
ExportUserData Export all personal data for a user as a downloadable ZIP
DeleteUserData Delete or anonymize all personal data for a user
RectifyUserData Correct personal data fields for a user
RestrictProcessing Restrict or unrestrict data processing for a user
GetDataExistenceConfirmation Confirm whether personal data exists for a user

Export all personal data associated with a user as a downloadable ZIP. This is an async operation — it returns immediately with PENDING status and sends a push notification when the export is ready.

Authorization: Requires JWT. Callable by the user themselves or an org admin.

Field Type Description
user_id string Internal user ID whose data is being exported. UUID format.
Field Type Description
status PrivacyRequestStatus Current status of the export request.
result_url string Pre-signed S3 URL to download the exported data (ZIP format). Only populated when status is COMPLETED.
export_id string Unique identifier for this export request. UUID format.

TypeScript (Connect-Web)

const response = await privacyClient.exportUserData({
userId: "user-uuid",
});
// response.status === "PENDING" initially
// Poll or wait for push notification, then use response.resultUrl

Go (gRPC)

resp, err := privacyClient.ExportUserData(ctx, &pidgrv1.ExportUserDataRequest{
UserId: "user-uuid",
})
// resp.Status == pidgrv1.PRIVACY_REQUEST_STATUS_PENDING initially
// Poll or wait for push notification, then use resp.ResultUrl

Delete or anonymize all personal data associated with a user. Deletion has a 30-day grace period during which processing is restricted and the request can be cancelled. After 30 days, deletion is irreversible.

When anonymize is true, PII is replaced with placeholders instead of hard-deleted, preserving audit trail integrity while removing personal data.

Authorization: Requires JWT. Admin only.

Field Type Description
user_id string Internal user ID whose data is being deleted. UUID format.
anonymize bool When true, PII is replaced with placeholders instead of hard-deleted. Preserves audit trail integrity.
Field Type Description
status PrivacyRequestStatus Current status of the deletion request.
deleted_at Timestamp Timestamp when deletion was completed (or scheduled). Only populated when status is COMPLETED.

TypeScript (Connect-Web)

const response = await privacyClient.deleteUserData({
userId: "user-uuid",
anonymize: true, // replace PII with placeholders
});

Go (gRPC)

resp, err := privacyClient.DeleteUserData(ctx, &pidgrv1.DeleteUserDataRequest{
UserId: "user-uuid",
Anonymize: true,
})

Correct personal data for a user. Corrections are propagated to all stored locations (profile, delivery records, analytics metadata).

Authorization: Requires JWT. Callable by the user themselves or an org admin.

Field Type Description
user_id string Internal user ID whose data is being corrected. UUID format.
corrections map<string, string> Map of field names to corrected values. Max 50 corrections per request.
Field Type Description
rectified_fields string[] Names of fields that were successfully rectified.

TypeScript (Connect-Web)

const response = await privacyClient.rectifyUserData({
userId: "user-uuid",
corrections: {
display_name: "Alice Johnson",
email: "alice.johnson@example.com",
},
});
// response.rectifiedFields === ["display_name", "email"]

Go (gRPC)

resp, err := privacyClient.RectifyUserData(ctx, &pidgrv1.RectifyUserDataRequest{
UserId: "user-uuid",
Corrections: map[string]string{
"display_name": "Alice Johnson",
"email": "alice.johnson@example.com",
},
})

Restrict or unrestrict data processing for a user. When restricted, the API skips this user in campaigns, analytics, and session replay.

Authorization: Requires JWT. Admin only.

Field Type Description
user_id string Internal user ID whose processing is being restricted. UUID format.
restricted bool When true, processing is restricted. When false, restriction is lifted.
Field Type Description
restricted bool Current restriction status.
restricted_at Timestamp Timestamp when the restriction was applied or removed.

TypeScript (Connect-Web)

// Restrict processing
const response = await privacyClient.restrictProcessing({
userId: "user-uuid",
restricted: true,
});
// Lift restriction
const response = await privacyClient.restrictProcessing({
userId: "user-uuid",
restricted: false,
});

Go (gRPC)

resp, err := privacyClient.RestrictProcessing(ctx, &pidgrv1.RestrictProcessingRequest{
UserId: "user-uuid",
Restricted: true,
})

Confirm whether personal data exists for a user and list the categories of stored data. This implements the LGPD-specific right of “confirmação de existência” (Art. 18, I).

Authorization: Requires JWT. Admin only.

Request: GetDataExistenceConfirmationRequest

Section titled “Request: GetDataExistenceConfirmationRequest”
Field Type Description
user_id string Internal user ID to check. UUID format.

Response: GetDataExistenceConfirmationResponse

Section titled “Response: GetDataExistenceConfirmationResponse”
Field Type Description
exists bool Whether any personal data exists for this user.
data_categories string[] Categories of data stored (e.g., "profile", "deliveries", "analytics").

TypeScript (Connect-Web)

const response = await privacyClient.getDataExistenceConfirmation({
userId: "user-uuid",
});
// response.exists === true
// response.dataCategories === ["profile", "deliveries", "analytics"]

Go (gRPC)

resp, err := privacyClient.GetDataExistenceConfirmation(ctx, &pidgrv1.GetDataExistenceConfirmationRequest{
UserId: "user-uuid",
})
// resp.Exists == true
// resp.DataCategories == []string{"profile", "deliveries", "analytics"}

Tracks the lifecycle of async privacy requests (export, delete).

Value Description
PRIVACY_REQUEST_STATUS_UNSPECIFIED Default value; should not be used explicitly.
PRIVACY_REQUEST_STATUS_PENDING Request has been created but not yet started.
PRIVACY_REQUEST_STATUS_PROCESSING Request is currently being processed.
PRIVACY_REQUEST_STATUS_COMPLETED Request completed successfully.
PRIVACY_REQUEST_STATUS_FAILED Request failed during processing.