Layers

Data Subject Rights (DSAR)

How to fulfill end-user access, deletion, and rectification requests.


End-user data-subject requests (access, deletion, portability, etc.) under GDPR, CCPA / CPRA, and similar regimes land with you as the controller. Layers is your processor and executes on your documented instructions.

This page is a pointer to the partner-API surface that lets you do that. For full details and contractual framing see Partner API → Data protection and DPA.

Access / portability

Use the per-user events endpoint to return what Layers holds for a given user:

GET /v1/projects/:projectId/events/users/:userId
Authorization: Bearer lp_live_...

See API → telemetry.

Deletion

There is no self-serve deletion endpoint today. To erase an end-user's records:

  1. Email security@layers.com with the project id and the user_id value(s) to erase.
  2. We delete within 30 days (usually within one business day).

A DELETE /v1/projects/:projectId/events/users/:userId endpoint is on the roadmap — watch the changelog.

Materialized aggregates (dashboards) aren't per-user and don't change on individual deletion.

Rectification

Send a corrected event through the Layers SDK — the user's current-state properties update on ingest. Past event records are immutable and represent what the SDK actually reported at the time.

Hashed identifiers

If you previously sent email or phone, those values were hashed at ingest (never stored in plaintext). To match a request, apply the same normalization: lower-case and trim for email, digits only for phone, then SHA-256.
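The normalization above, applied to a requester's identifiers and matched against stored hashes, as an added example that is not Layers code. It assumes UTF-8 input bytes, lowercase hex digests, and ASCII digits for phone numbers; the record fields user_id and id_hash and the sample records are constructed for illustration.

```python
import hashlib
import re

def normalize_email(raw: str) -> str:
    # Rule from this page: trim, then lower-case.
    return raw.strip().lower()

def normalize_phone(raw: str) -> str:
    # Rule from this page: digits only. ASCII 0-9 is an assumption here.
    return re.sub(r"[^0-9]", "", raw)

def sha256_hex(normalized: str) -> str:
    # Assumption: UTF-8 bytes in, lowercase hex digest out.
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()

def request_hashes(emails=(), phones=()):
    """Map each hash to the (kind, normalized value) that produced it."""
    out = {}
    for kind, values, norm in (("email", emails, normalize_email),
                               ("phone", phones, normalize_phone)):
        for raw in values:
            value = norm(raw)
            if value:  # skip identifiers that normalize to nothing
                out[sha256_hex(value)] = (kind, value)
    return out

def match_records(records, emails=(), phones=()):
    """Return the records whose hashed identifier belongs to the requester."""
    wanted = request_hashes(emails, phones)
    return [r for r in records if r["id_hash"] in wanted]

# Constructed sample records (hypothetical field names).
RECORDS = [
    {"user_id": "u_1001", "id_hash": sha256_hex("alice@example.com")},
    {"user_id": "u_1002", "id_hash": sha256_hex("14155550100")},
    {"user_id": "u_1003", "id_hash": sha256_hex("bob@example.com")},
]

if __name__ == "__main__":
    hits = match_records(RECORDS,
                         emails=["  Alice@Example.COM "],
                         phones=["+1 (415) 555-0100"])
    for r in hits:
        print(r["user_id"])
    # Digits-only keeps whatever country code was sent at ingest, so the
    # same number written without it hashes differently and finds nothing.
    print(match_records(RECORDS, phones=["415-555-0100"]))
```

The matched user_id values are what the access endpoint and the deletion email above ask for.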

Retention defaults

| Data class | Default retention |
| --- | --- |
| SDK events | 400 days; reducible per-project to a 30-day floor. |
| Event warehouse | 2 years. |
| Generated media | Project lifetime. |
| OAuth tokens | Until revoked. |
| Partner API request logs | 30 days. |
| Idempotency cache | 24 hours. |

Custom retention terms are negotiated under your DPA.

Your Org's data

To request a full export of data tied to your Org (settings, configs, content containers, audit log, etc.), email support@layers.com — we'll scope and deliver.
