GDPR APIs

Note: This chapter assumes that you are already familiar with the GDPR requirements mentioned below and are looking to automate the request process.

This guide is intended to help Castle customers comply with GDPR. The APIs described below specifically support Article 15: Right of access by the data subject and Article 17: Right to be forgotten.


User Data Access Requests

GDPR introduced Article 15: Right of access by the data subject. This states that users have the right to request access to the data held on them. If you receive this request from your user, you may also need to forward the request to your vendors, such as Castle, so that the vendor can provide data related to this user as well. Castle offers an API endpoint to submit these User Data Access Requests.

Setting your privacy email address

In the Castle Dashboard, you first need to enter your company’s privacy email address. This email address must then be verified. Once you have saved and verified an email address, Castle will send any data request results to that email address. To set your privacy email address, log into your Castle dashboard and visit Settings > General.

Important: This email address should only be accessible to employees who are responsible for handling user privacy matters.


User Data Access Request API

In order to submit a User Data Access Request, send a POST request without a body to the endpoint described below. You will need to authenticate the request with your Castle API Key.

Upon receiving a request, Castle will compile records pertaining to the associated user. When the data compilation is completed, Castle will send an email to your privacy email address on file. The email will contain a data download link that will expire after 48 hours.

Sample Request

  curl https://api.castle.io/v1/privacy/users/{user-id} \
    -X POST \
    -u ":YOUR-API-SECRET" \
    -H "Content-Type: application/json"

Sample Response

  202

User Data Purge Requests

GDPR introduced Article 17: Right to be forgotten. This states that users have the right to request that all the data held on them be permanently purged. If you receive this request from your user, you may also need to forward the request to your vendors, such as Castle, so that the vendor can purge that user’s data too. Castle offers an API endpoint to submit these User Data Purge Requests.


User Data Purge API

In order to submit a User Data Purge Request, send a DELETE request without a body to the endpoint described below. You will need to authenticate the request with your Castle API Key.

Upon receiving a request, Castle will permanently delete the user and their data from our systems. This will result in the permanent removal of all records associated with the user.

Example Request

  curl https://api.castle.io/v1/privacy/users/{user-id} \
    -X DELETE \
    -u ":YOUR-API-SECRET" \
    -H "Content-Type: application/json"

Sample Response

  202
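
A wrapper for the access and purge requests above, added here as an example and not Castle's own code: it percent-encodes the user ID so it cannot change the request path, hands the secret to curl on stdin instead of the command line, and treats only the documented 202 as success. The function names and the CASTLE_API_SECRET environment variable are assumptions.

```sh
#!/bin/sh
# Added example, not Castle's code. Assumptions: the secret is in the
# CASTLE_API_SECRET environment variable; all function names are hypothetical.
# Usage: castle_privacy_request access|purge USER_ID

CASTLE_PRIVACY_BASE="https://api.castle.io/v1/privacy/users"

# Percent-encode every byte outside the RFC 3986 unreserved set, so an ID
# containing "/", "?" or "#" stays a single path segment.
castle_encode_id() {
    printf '%s' "$1" | od -An -v -tx1 | tr -s ' ' '\n' | while read -r hex; do
        case $hex in
            '') ;;
            2d|2e|5f|7e|3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a])
                printf "\\$(printf '%o' "0x$hex")" ;;   # unreserved: emit as-is
            *)  printf '%%%s' "$hex" | tr 'a-f' 'A-F' ;;
        esac
    done
}

castle_privacy_url() {
    printf '%s/%s' "$CASTLE_PRIVACY_BASE" "$(castle_encode_id "$1")"
}

castle_privacy_request() {
    case $1 in
        access) method=POST ;;     # Article 15: data access request
        purge)  method=DELETE ;;   # Article 17: permanent purge
        *) echo "usage: castle_privacy_request access|purge USER_ID" >&2; return 2 ;;
    esac
    case $2 in
        # "." and ".." are unreserved but curl would collapse them as dot segments.
        ''|.|..) echo "refusing empty or dot-segment user id" >&2; return 2 ;;
    esac
    case ${CASTLE_API_SECRET:-} in
        ''|*\"*|*\\*) echo "CASTLE_API_SECRET unset or not safely quotable" >&2; return 2 ;;
    esac
    # printf is a shell builtin, so the secret never appears in a process
    # argument list; curl reads it from stdin as a config line.
    status=$(printf 'user = ":%s"\n' "$CASTLE_API_SECRET" |
        curl --silent --output /dev/null --write-out '%{http_code}' \
             --config - --request "$method" \
             --header 'Content-Type: application/json' \
             "$(castle_privacy_url "$2")") || return 1
    [ "$status" = 202 ]   # the only success code the page documents
}
```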