Compliance

Compliance, built in

Data export, erasure, and audit logging are product features with API endpoints, not an enterprise add-on or a support ticket.

Data subject rights

DSARs answered with a request

A data subject asks what you hold on them: GET /v1/gdpr/export with their address returns it. They ask to be forgotten: DELETE /v1/gdpr/erase removes it. Article 20 account export and Article 17 full account deletion are equally self-serve. Erasure is per-email precise, not all-or-nothing.

curl -X DELETE \
  "https://api.euromail.dev/v1/gdpr/[email protected]" \
  -H "Authorization: Bearer em_live_..."
Retention

Deleted on schedule, logged immutably

Email bodies are purged after 30 days automatically; metadata and delivery logs after six months; suppression entries persist so protection outlives the data. Every account action lands in an immutable audit log (timestamp, actor, action, IP), ready for the day an auditor asks.

Email body retention
30 days, then purged
Metadata retention
6 months
Audit log
Immutable, every action
DSAR endpoints
Per-email export & erase