Iterable provides API endpoints that can help you respond to General Data Protection Regulation (GDPR) right of access and right to be forgotten requests.
NOTE
To process GDPR requests, you must use Iterable's API. To learn more, check out these resources:
Right of access requests
To export a user's data from a particular Iterable project, use an API key for the project to call GET /api/export/userEvents and GET /api/users/{email}.
Call these endpoints for each project from which you'd like to export the user's data.
NOTE
For more information about exporting user data, read Backing Up Important Data.
Right to be forgotten requests
To respond to right to be forgotten requests, Iterable allows you to:
How Iterable identifies and respects the right to be forgotten
To prevent data collection for a user who has requested their right to be forgotten, Iterable must be able to identify the user in the future to block further data collection.
When Iterable forgets a user, it does the following:
- Uses SHA-256 to hash the unique identifier.
- Stores the hashed unique identifier in the list of forgotten users.
Iterable doesn't store forgotten users by their userId or email values.
Instead, it stores the hashed values of these unique identifiers.
Additionally, Iterable does not reverse these hashes when you request the list of forgotten users; the list contains only the hashed values.
Deleting users
Deleting a user removes all their information from an Iterable project: user profile, subscription preferences, list memberships, campaign events, and custom events.
Deleting a user does not prevent Iterable from collecting more data about the user, if it's ever received. To prevent Iterable from collecting more data about a user, you should instead forget the user.
For more information about deleting users, read this related article, Deleting Users.
Forgetting users
Forget users to delete their data from an Iterable project and prevent Iterable from collecting more information about them in the future.
For a given user, call this endpoint for each project necessary. Use this endpoint only for handling "right to be forgotten" requests.
The POST /api/users/forget API endpoint does two things:
- Deletes the user's data from the Iterable project.
- Prevents Iterable from collecting more information about or sending messages to that user. To do this, Iterable lowercases, trims, and hashes the user's unique identifier with SHA-256, then stores the hashed value in a list of forgotten users.
Processing times to forget a user in Iterable
It can take up to ten minutes for Iterable to initiate forgetting a user.
User data will be fully forgotten within 30 days of the forget request.
Listing forgotten users
To get a list of users that have been forgotten, you can request a list of forgotten users.
This list contains hashed unique identifiers associated with users that are forgotten, or are in the process of being forgotten, by an Iterable project.
To get the forgotten user list for a project, use these endpoints:
- GET /api/users/forgotten - returns a list of hashed email values (email-based and hybrid projects).
- GET /api/users/forgottenUserIds - returns a list of hashed userId values (userID-based and hybrid projects).
Finding a user in the forgotten list
When you check the list of forgotten users, you must hash the unique identifier of the user you're checking to see if it matches any of the hashed values in the list.
To check if the list of forgotten IDs contains a particular email address or user ID:
- Lowercase the user's email address or user ID.
- Strip out all whitespace.
- Calculate the SHA-256 hash (this is typically done using a programming language or tool).
- Check the list for the hashed value.
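The four steps above, applied to a batch of identifiers, as an added Python example (not Iterable's code). It assumes the identifier is hashed as UTF-8 bytes and that the list holds hex digests, neither of which this article states; the function names and the sample list are constructed for illustration.

```python
import hashlib


def normalize_identifier(identifier: str) -> str:
    """Steps 1-2: lowercase, then strip out all whitespace (inner whitespace too)."""
    normalized = "".join(identifier.lower().split())
    if not normalized:
        # Refuse to hash an empty value: it would yield the SHA-256 of "".
        raise ValueError("identifier is empty after normalization")
    return normalized


def hash_identifier(identifier: str) -> str:
    """Step 3. Assumption: UTF-8 bytes in, lowercase hex digest out."""
    data = normalize_identifier(identifier).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def split_by_forgotten(identifiers, forgotten_hashes):
    """Step 4 for a batch: return (allowed, forgotten) lists of identifiers."""
    # Tolerate stray whitespace or uppercase hex in the exported list,
    # so a formatting difference does not turn into a missed match.
    lookup = {h.strip().lower() for h in forgotten_hashes}
    allowed, forgotten = [], []
    for identifier in identifiers:
        bucket = forgotten if hash_identifier(identifier) in lookup else allowed
        bucket.append(identifier)
    return allowed, forgotten


# Constructed sample data standing in for a GET /api/users/forgotten response.
SAMPLE_FORGOTTEN = [
    hash_identifier("jane.doe@example.com"),
    # SHA-256 of "abc", written in uppercase to exercise the lookup cleanup.
    "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD",
]

if __name__ == "__main__":
    pending = [" Jane.Doe@Example.com ", "bob@example.com", "ABC"]
    allowed, forgotten = split_by_forgotten(pending, SAMPLE_FORGOTTEN)
    print("not in forgotten list:", allowed)
    print("in forgotten list:", forgotten)
```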
Unforgetting users
The POST /api/users/unforget API endpoint restores a project's ability to store information about and send messages to a user who had previously been forgotten.
However, it does not recover any data stored about the user before they were forgotten.
For a given user, call this endpoint for each project necessary. Iterable generally processes unforget requests within six hours.
Want to learn more?
For more information about some of the topics in this article, check out these resources:
Iterable Academy
- Iterable & GDPR
Iterable Academy is open to everyone — you don't need to be an Iterable customer!