# Data Subject Rights (DSAR) (/docs/trust/dsar)



End-user data-subject requests (access, deletion, portability, etc.)
under GDPR, CCPA / CPRA, and similar regimes land with **you** as the
controller. Layers is your processor and executes on your documented
instructions.

This page points to the Partner API surface you use to handle those
requests. For full details and contractual framing, see
[Partner API → Data protection](/docs/api/operational/data-protection)
and [DPA](/docs/trust/dpa).

## Access / portability [#access--portability]

Use the per-user events endpoint to return what Layers holds for a
given user:

```
GET /v1/projects/:projectId/events/users/:userId
Authorization: Bearer lp_live_...
```

See [API → telemetry](/docs/api/reference/telemetry/events).

## Deletion [#deletion]

There is no self-serve deletion endpoint today. To erase an end-user's
records:

1. Email [security@layers.com](mailto:security@layers.com) with the
   project id and the `user_id` value(s) to erase.
2. We delete within 30 days (usually within one business day).

A `DELETE /v1/projects/:projectId/events/users/:userId` endpoint is on
the roadmap — watch the [changelog](/docs/api/operational/changelog).

Materialized aggregates (dashboards) aren't per-user and don't change
on individual deletion.

## Rectification [#rectification]

Send a corrected event through the Layers SDK — the user's
current-state properties update on ingest. Past event records are
immutable and represent what the SDK actually reported at the time.

## Hashed identifiers [#hashed-identifiers]

If you previously sent `email` or `phone`, those were hashed at ingest
(never stored in plaintext). Match requests using the same normalization:
lower-case + trim for email, digits-only for phone, then SHA-256.
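The matching step above, as an added example (not Layers code): it normalizes the email or phone a data subject supplies, hashes it, and looks it up among already-hashed values. UTF-8 input, lowercase hex digests, no salt, no country-code insertion, and the `RECORDS` sample and function names are assumptions made for this sketch.

```python
import hashlib
import re

def normalize_email(raw):
    # Page rule: lower-case + trim.
    return raw.strip().lower()

def normalize_phone(raw):
    # Page rule: digits-only. ASCII 0-9 only, so "+", spaces, dashes and
    # parentheses are dropped; no country code is added (assumption).
    return re.sub(r"[^0-9]", "", raw)

def sha256_hex(value):
    # Assumption: UTF-8 bytes in, lowercase hex digest out, no salt.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def dsar_hashes(email=None, phone=None):
    """Hash whichever identifiers the data subject supplied."""
    out = {}
    # Skip values that normalize to "", e.g. a phone field holding "n/a".
    if email and normalize_email(email):
        out["email"] = sha256_hex(normalize_email(email))
    if phone and normalize_phone(phone):
        out["phone"] = sha256_hex(normalize_phone(phone))
    return out

def match_user_ids(request, records):
    """Return user_ids whose stored hash equals the request hash, per field."""
    hits = []
    for rec in records:
        if any(rec.get(field) == digest for field, digest in request.items()):
            hits.append(rec["user_id"])
    return hits

# Constructed sample: a stand-in for the hashed values you match against.
RECORDS = [
    {"user_id": "u_1001", "email": sha256_hex("alice@example.com"), "phone": None},
    {"user_id": "u_1002", "email": None, "phone": sha256_hex("14155550100")},
    {"user_id": "u_1003", "email": sha256_hex("bob@example.com"), "phone": None},
]

if __name__ == "__main__":
    req = dsar_hashes(email="  Alice@Example.COM ", phone="+1 (415) 555-0100")
    print(match_user_ids(req, RECORDS))
```

The matched `user_id` values are what you pass to the per-user events endpoint or list in a deletion request.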

## Retention defaults [#retention-defaults]

| Data class               | Default retention                                  |
| ------------------------ | -------------------------------------------------- |
| SDK events               | 400 days; reducible per-project to a 30-day floor. |
| Event warehouse          | 2 years.                                           |
| Generated media          | Project lifetime.                                  |
| OAuth tokens             | Until revoked.                                     |
| Partner API request logs | 30 days.                                           |
| Idempotency cache        | 24 hours.                                          |

Custom retention terms are negotiated under your DPA.

## Your Org's data [#your-orgs-data]

To request a full export of data tied to your Org (settings,
configs, content containers, audit log, etc.), email
[support@layers.com](mailto:support@layers.com) — we'll scope and
deliver.
