The VTEX Data Subject Rights API enables GDPR and LGPD compliance by allowing organizations to process data subject requests. It supports the right to access, rectify, erase, and restrict processing of personal data stored in VTEX systems.
openapi: 3.0.0
info:
title: VTex Data Subject Rights API - PII data architecture
description: ">❗ This API is currently in closed alpha testing stage, which means that only specific customers can access it now. Do not share this documentation with people outside of your company. If you do not have access yet, please refer to the [Erasing customer data](https://help.vtex.com/en/tutorial/erasing-customer-data--1R9Fn7A06Ifj4R9YD4JTKU) guide instead.\r\n\r\n>⚠️ The **Data Subject Rights API - PII data architecture** is only compatible with stores using the PII data architecture from [Data Protection Plus](https://developers.vtex.com/docs/guides/data-protection-plus), which is in closed beta phase, only available in select regions.\r\n>\r\n> This feature is part of [VTEX Shield](https://help.vtex.com/en/tutorial/vtex-shield--2CVk6H9eY2CBtHjtDI7BFh). If you are already a VTEX customer and want to adopt VTEX Shield for your business, please contact [Commercial Support](https://help.vtex.com/en/tracks/support-at-vtex--4AXsGdGHqExp9ZkiNq9eMy/3KQWGgkPOwbFTPfBxL7YwZ). Additional fees may apply. If you are not yet a customer but are interested in this solution, please complete our [contact form](https://vtex.com/us-en/contact/).\r\n\r\nAccording to data protection policies, such as [GDPR and LGPD](https://vtex.com/us-en/privacy-and-agreements/vtex-commitment/), companies using customer personal data are required to delete collected information upon the customer's request.\r\n\r\nData Subject Rights API allows stores using the [PII data architecture](https://developers.vtex.com/docs/guides/pii-data-architecture-specifications) from [Data Protection Plus](https://developers.vtex.com/docs/guides/data-protection-plus) to erase user data collected by Checkout, Orders, VTEX ID and Profile System, without depending on the VTEX Support flow described in the [Erasing customer data](https://help.vtex.com/en/tutorial/erasing-customer-data--1R9Fn7A06Ifj4R9YD4JTKU) guide.\r\n\r\n## Index\r\n\r\n- `POST` [Erase customer data](https://developers.vtex.com/docs/api-reference/user-data-rights-api#post-/api/user-rights/createAndProcessDeleteUserData)"
version: '1.0'
servers:
- url: http://api.vtex.com
description: VTEX server URL.
paths:
/api/user-rights/createAndProcessDeleteUserData:
post:
tags:
- Data Subject Rights
summary: VTex Erase customer data
description: "Deletes a given customer's data collected in your store by Checkout, Orders, VTEX ID and Profile System.\r\n\r\n> Only orders with `invoiced` or `canceled` status are erased in this request.\r\n\r\n>❗ This API is currently in closed alpha testing stage, which means that only specific customers can access it now. Do not share this documentation with people outside of your company. If you do not have access yet, please refer to the [Erasing customer data](https://help.vtex.com/en/tutorial/erasing-customer-data--1R9Fn7A06Ifj4R9YD4JTKU) guide instead.\r\n\r\n>⚠️ This endpoint is only compatible with stores using the PII data architecture from [Data Protection Plus](https://developers.vtex.com/docs/guides/data-protection-plus), which is in closed beta phase, only available in select regions.\r\n>\r\n> This feature is part of [VTEX Shield](https://help.vtex.com/en/tutorial/vtex-shield--2CVk6H9eY2CBtHjtDI7BFh). If you are already a VTEX customer and want to adopt VTEX Shield for your business, please contact [Commercial Support](https://help.vtex.com/en/tracks/support-at-vtex--4AXsGdGHqExp9ZkiNq9eMy/3KQWGgkPOwbFTPfBxL7YwZ). Additional fees may apply. If you are not yet a customer but are interested in this solution, please complete our [contact form](https://vtex.com/us-en/contact/).\r\n\r\n## Permissions\r\n\r\nAny user or [application key](https://developers.vtex.com/docs/guides/api-authentication-using-application-keys) must have at least one of the appropriate [License Manager resources](https://help.vtex.com/en/tutorial/license-manager-resources--3q6ztrC8YynQf6rdc6euk3) to be able to successfully run this request. Otherwise they will receive a status code `403` error. These are the applicable resources for this endpoint:\r\n\r\n| **Product** | **Category** | **Resource** |\r\n| --------------- | ----------------- | ----------------- |\r\n| User Rights | user-rights-request | **Write user rights requests** |\r\n\r\nThere are no applicable [predefined roles](https://help.vtex.com/en/tutorial/predefined-roles--jGDurZKJHvHJS13LnO7Dy) for this resource list. You must [create a custom role](https://help.vtex.com/en/tutorial/roles--7HKK5Uau2H6wxE1rH5oRbc#creating-a-role) and add at least one of the resources above in order to use this endpoint. To learn more about machine authentication at VTEX, see [Authentication overview](https://developers.vtex.com/docs/guides/authentication).\r\n\r\n>❗ To prevent integrations from having excessive permissions, consider the [best practices for managing app keys](https://help.vtex.com/en/tutorial/best-practices-application-keys--7b6nD1VMHa49aI5brlOvJm) when assigning License Manager roles to integrations."
parameters:
- $ref: '#/components/parameters/Content-Type'
- $ref: '#/components/parameters/Accept'
- $ref: '#/components/parameters/an'
requestBody:
content:
application/json:
schema:
type: object
properties:
email:
type: string
description: Email of the client whose data will be deleted.
example: [email protected]
responses:
'200':
description: OK
content:
application/json:
schema:
type: object
properties:
uuid:
type: string
description: User data rights request unique identifier in [UUID](https://www.uuidtools.com/what-is-uuid) format.
requestType:
type: string
description: Type of user data rights request.
email:
type: string
description: Client email.
status:
type: string
description: Status of the user data rights request.
dataResponse:
type: string
description: Escaped JSON containing information about the status of data deletion on each VTEX system that stores client data.
requestTime:
type: string
description: Date of the user data rights request in [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html)format.
applications:
type: array
description: Array containing an object for each VTEX application that stores client data.
items:
type: object
description: Object containing information about user data status in each VTEX application that stores client data.
properties:
application:
type: string
description: Abbreviated name of the application, which can be `chk` (Checkout), `orders` (Order Management System), `profileSystemV2` (PII Profile System) or `vid` (VTEX ID).
status:
type: string
description: "Status of client data in the given application. The possible values are:\n\r- `Completed` - Processing completed successfully.\n\r- `Error` - An unexpected error occurred during the process. You must make a new request.\n\r- `PendingCheck` - Pending validation. Unable to perform validation on one or more services.\n\r- `Blocked` - Pending validation. One or more services are unable to fulfill the deletion request. You need to wait and make a new request in the future.\n\r- `PendingDeletion` - It was not possible to delete data in one or more services. You must make a new request."
errorDetail:
type: string
description: In case of error, this field contains an explanatory error message. Otherwise, this field is an empty string.
updateAt:
type: string
description: Date of the latest update in client data in the given application, in UTC format.
example:
uuid: 3e2f53dc-b099-4dc8-9727-581b2a97f39c
requestType: Removal
email: [email protected]
status: Completed
dataResponse: "{\r\n \"VTEX Checkout\": [],\r\n \"orders\": {\r\n \"dataStatus\": {\r\n \"status\": \"anonymized\",\r\n \"reason\": \"Sensitive information was anonymized rather than deleted to preserve the store metrics.\",\r\n \"evidence\": \"Anonymized [0] orders\",\r\n \"dryRun\": true\r\n },\r\n \"orders\": []\r\n },\r\n \"Profile System PII API\": {},\r\n \"VTEX ID\": {\r\n \"type\": \"https://tools.ietf.org/html/rfc7231#section-6.5.4\",\r\n \"title\": \"Not Found\",\r\n \"status\": 404,\r\n \"traceId\": \"00-65d5abf9263b07eb185beee49e2075dc-b67b373e2e93dcf8-00\"\r\n }\r\n}"
requestTime: '2023-09-05T17:19:33.1969022-03:00'
applications:
- application: chk
status: Deleted
errorDetail: ''
updateAt: '2023-09-05T20:20:23'
- application: orders
status: Deleted
errorDetail: ''
updateAt: '2023-09-05T20:20:25'
- application: profileSystemV2
status: Deleted
errorDetail: ''
updateAt: '2023-09-05T20:20:26'
- application: vid
status: Deleted
errorDetail: ''
updateAt: '2023-09-05T20:20:29'
components:
parameters:
Content-Type:
name: Content-Type
in: header
description: Type of the content being sent.
required: true
style: simple
schema:
type: string
example: application/json
Accept:
name: Accept
in: header
description: HTTP Client Negotiation _Accept_ Header. Indicates the types of responses the client can understand.
required: true
style: simple
schema:
type: string
example: application/json
an:
name: an
in: query
description: Name of your VTEX account.
required: false
style: form
schema:
type: string
example: mystore
securitySchemes:
appKey:
type: apiKey
in: header
name: X-VTEX-API-AppKey
description: Unique identifier of the [application key](https://developers.vtex.com/docs/guides/api-authentication-using-application-keys).
appToken:
type: apiKey
in: header
name: X-VTEX-API-AppToken
description: Secret token of the [application key](https://developers.vtex.com/docs/guides/api-authentication-using-application-keys).
VtexIdclientAutCookie:
type: apiKey
in: header
name: VtexIdclientAutCookie
description: '[User token](https://developers.vtex.com/docs/guides/api-authentication-using-user-tokens), valid for 24 hours.'
tags:
- name: Data Subject Rights
security:
- appKey: []
appToken: []
- VtexIdclientAutCookie: []