---
audience: developer
summary: Data export, erasure, AI-training consent.
title: GDPR API
path: reference/api/gdpr
status: published
---

# GDPR API

3 endpoints. EU compliance affordances for end users.

| Method | Path | Purpose |
|---|---|---|
| `POST` | `/v1/gdpr/export` | Request a full data export for the calling user. |
| `POST` | `/v1/gdpr/erase` | Request erasure (right to be forgotten). |
| `PUT` | `/v1/gdpr/consent/ai-training` | Set / unset consent for AI training data. |

## POST /v1/gdpr/export

Async — queues an export job, returns a job id:

```json
{ "data": { "job_id": "...", "status": "queued" } }
```

The job:

1. Collects every event, note, todo, media, audio, comment,
   reaction the calling user authored or owns.
2. Bundles them as a ZIP with a manifest similar to room export.
3. Uploads to a one-shot signed URL (valid for 7 days).
4. Notifies the user via email and an in-app notification.

Cross-tenant federated participants get their own server's export
output — your server only exports what's stored locally.

## POST /v1/gdpr/erase

```jsonc
{
  "scope": "all",                  // or specific list of room_ids / note_ids
  "delete_account": false,         // if true, the participant row is also removed
  "reason": "Optional free-text"
}
```

Async. Erasure:

- Redacts every event the user authored (body wiped, sender_id
  preserved for audit consistency).
- Deletes every note + audio they own.
- Anonymises their participant row (display_name → "Erased user").
- If `delete_account=true`, removes the participant row too —
  rooms they were the sole admin of get ownership transferred (or
  archived if no other admin exists).

Returns immediately with a job id. Erasure typically completes
within a minute.

## PUT /v1/gdpr/consent/ai-training

```json
{ "consent": false }
```

When `false`, this user's messages and notes are excluded from any
training-data export job the tenant might run. Default at tenant
level is configurable; users can override per-user.