GDPR Deletion API

The General Data Protection Regulation (GDPR) is a European law that ensures several rights for people whose data crosses EU borders.  Among these rights are the right to erasure.  Under this right, a user may demand that a data processor delete all data about them.

Appcues has happily complied with the GDPR since its inception in May 2018.  We respect the rights it guarantees, and offer this functionality for not only for EU residents but all users of the Appcues platform.

In order to make it easier for our customers to comply with the GDPR, Appcues has set up a GDPR Deletion API for customers wishing to schedule the deletion of end user data.  This API makes it possible for an Appcues customer to upload a list of user IDs whose data should be scrubbed and who should be excluded from further data processing within Appcues.

The API is usable from any programming language or environment that supports making HTTP POST requests.  We'll provide examples using the popular Curl command-line tool.

First, you'll need your API key from the account settings page on my.appcues.com.  We'll pretend it's "super-secret-key" for these examples.

To schedule users for deletion, you will make a POST request to https://api.appcues.com/v1/gdpr/delete.  Provide your API key as the HTTP Basic Auth username, with a blank password.

Uploading user IDs as JSON

To pass a list of user IDs in JSON format, the request looks like this:

curl https://api.appcues.com/v1/gdpr/delete \
  -u super-secret-key: \
  -H 'Content-type: application/json' \
  -d '{"users": ["user_id_1", "user_id_2", "user_id_3"]}'

The user IDs should be the same as what you use in our SDK, e.g.: Appcues.identify("user_id_1", { ... });

You will receive a response like this:

{"ok":true,"message":"accepted 3 users for deletion"}

Uploading user IDs as CSV

You can also upload a file of user IDs in CSV format. This CSV should contain a single column of user IDs, and nothing else.  The CSV must be under 8 MB in size, and should be uploaded as a multipart file upload, as demonstrated by the following Curl request (assuming the file is called " users.csv"):

curl https://api.appcues.com/v1/gdpr/delete \
  -u super-secret-key: \
  -F 'data=@users.csv'

The response will be in the same form as the JSON request.

Next steps

There are no next steps -- you are done!  Once you see the response that Appcues has accepted your deletion requests, the deletions will be scheduled and carried out within the 30 day window guaranteed by GDPR.