One-click data exports, deletion requests, and audit logs to handle GDPR, CCPA, and SOC 2 obligations without writing a custom script.
A customer emails you: "Under GDPR Article 15, I'm requesting a copy of all personal data you hold about me."
Now what?
Today, you probably have to manually query the database, format the result, scrub it for other customers' data, and email it back. It takes hours per request. If a customer asks for deletion instead of export, that's another manual workflow. If your enterprise customers ask for SOC 2 evidence around data subject rights, you're assembling that proof from scratch.
This feature builds proper data subject request handling into the platform so you can respond in minutes, not days, with a paper trail that satisfies auditors.
Self-service export endpoints. Generate a complete export of any single visitor's data — every conversation, every message, every metadata field — as a structured download. JSON or CSV format, signed URL, expiring link.
Right-to-deletion workflow. Mark a visitor for deletion. The system handles cascading: conversations, messages, feedback, support tickets, all anonymised or removed according to your retention policy. The action is logged so auditors can verify it happened.
Per-organization data export. Export everything an organization holds in one click. Useful for offboarding, internal audits, or regulators asking for a snapshot.
Audit log of all data subject actions. Every export, every deletion, every access to personal data is logged with who did it, when, and on whose behalf. This is the evidence you hand to a SOC 2 auditor.
Configurable retention policies. Set automatic deletion windows per data type — e.g., auto-delete raw conversation logs after 12 months, retain aggregated analytics indefinitely. Run-time enforcement ensures you don't accidentally hold data past your stated retention period.
Legal exposure. GDPR fines top out at 4% of global annual revenue. CCPA penalties run up to several thousand dollars per violation. The cost of getting data subject requests wrong is real. Building proper handling into the platform protects you and your customers.
Enterprise sales unblocker. Mid-market and enterprise customers ask about data subject rights during procurement. Without a clean answer, deals stall in security review. With a one-line answer ("we offer self-service export and deletion APIs, with a full audit log") deals close faster.
Time savings. Manually handling data subject requests is hours of engineering time per request. At scale this adds up to a meaningful percentage of someone's job. Automation reclaims that time.
Trust signal. Publicly documented data handling practices are a trust signal for privacy-conscious customers — including the ones whose buying committees include legal review.
The dashboard exposes a "Data Requests" section with three primary actions:
Each action requires elevated permissions and creates an audit log entry. Exports use signed URLs that expire after a configurable window.
For programmatic use cases, the same operations are available via API — useful if you want to build self-service "Download my data" links into your own product.
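How an expiring signed export link of the kind described above can be minted and checked, as an added sketch that is not this product's code or API. The path, query parameter names, key handling and reason strings are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical values: the page defines no export path, parameters or key store.
EXPORT_PATH = "/exports/visitor"
SECRET = b"constructed-demo-key-load-from-a-secret-store"
FORMATS = ("json", "csv")


def _mac(visitor_id: str, fmt: str, expires: int) -> str:
    # Bind the signature to the path, the data subject, the format and the
    # expiry, so a link cannot be retargeted at another visitor or extended.
    msg = "\n".join([EXPORT_PATH, visitor_id, fmt, str(expires)]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_export_url(visitor_id: str, fmt: str, ttl_seconds: int,
                    now: Optional[int] = None) -> str:
    expires = (int(time.time()) if now is None else now) + ttl_seconds
    query = urlencode({"visitor": visitor_id, "format": fmt,
                       "expires": expires,
                       "sig": _mac(visitor_id, fmt, expires)})
    return f"{EXPORT_PATH}?{query}"


def verify_export_url(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (allowed, reason); the reason is what an audit entry would record."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        visitor, fmt = q["visitor"][0], q["format"][0]
        expires, sig = int(q["expires"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    if parts.path != EXPORT_PATH or fmt not in FORMATS:
        return False, "malformed"
    # Compare MACs in constant time before trusting the expiry field.
    expected = _mac(visitor, fmt, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad_signature"
    if now >= expires:
        return False, "expired"
    return True, "ok"
```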
The custom export script someone wrote two years ago and nobody has tested since. The Excel sheet you maintain to track which customers have requested deletion. The slow back-and-forth between support, legal, and engineering when a request comes in.
This feature is designed to support — but does not by itself constitute — GDPR, CCPA, or SOC 2 compliance. You're still responsible for:
What this feature provides is the *technical mechanism* to fulfill requests when they come in, plus the audit trail to prove you did. The legal and operational layer is up to you.
This feature is planned. When it ships:
Once live, you'll have a defensible answer to enterprise procurement, a faster path to handling user requests, and the audit evidence to satisfy a SOC 2 review without scrambling.