Overview
Gorillaa Mail provides API endpoints for GDPR compliance, allowing you to handle Data Subject Requests (DSRs) programmatically. All privacy endpoints require the privacy:read or privacy:manage scope.
Data export (Art. 15)
Export all data associated with an email address — the right of access.
curl -X POST https://api.mail.gorillaa.one/v1/gdpr/export \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"email": "[email protected]",
"format": "json"
}'
| Field | Type | Required | Description |
|---|
email | string | ✅ | The data subject’s email address |
format | string | — | json (default) or csv |
Response
{
"data": {
"email": "[email protected]",
"exportedAt": "2026-02-09T12:00:00Z",
"data": {
"emails": [ /* email records */ ],
"events": [ /* event records */ ],
"suppressions": [ /* suppression records */ ]
}
}
}
Export requests are processed synchronously. The response contains all data associated with the email address. Rate limit: 3 requests per 24 hours.
Data erasure (Art. 17)
Delete all data associated with an email address — the right to be forgotten.
curl -X POST https://api.mail.gorillaa.one/v1/gdpr/delete-request \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"email": "[email protected]",
"reason": "User requested data deletion",
"confirmDelete": true
}'
| Field | Type | Required | Description |
|---|
email | string | ✅ | The data subject’s email address |
reason | string | — | Reason for erasure (max 500 chars) |
confirmDelete | boolean | ✅ | Must be true — confirms irreversible deletion |
Response
{
"data": {
"email": "[email protected]",
"erasedAt": "2026-02-09T12:00:00Z",
"method": "anonymize"
}
}
Data erasure is irreversible. All emails, events, and metadata associated with the address will be permanently deleted or anonymized. Rate limit: 1 request per 24 hours.
List GDPR requests
View the history and status of all GDPR requests:
curl "https://api.mail.gorillaa.one/v1/gdpr/status" \
-H "Authorization: Bearer YOUR_API_KEY"
Response
{
"data": [
{
"id": "dsr_abc123",
"type": "export",
"email": "[email protected]",
"requestedBy": "api_key_xyz",
"status": "completed",
"createdAt": "2026-02-09T12:00:00Z",
"completedAt": "2026-02-09T12:05:00Z"
},
{
"id": "dsr_def456",
"type": "erasure",
"email": "[email protected]",
"requestedBy": "api_key_xyz",
"status": "processing",
"createdAt": "2026-02-09T12:10:00Z"
}
]
}
Request statuses
| Status | Description |
|---|
pending | Request received, not yet started |
processing | Request is being processed |
completed | Request completed successfully |
failed | Request failed (check error details) |
cancelled | Request was cancelled |
Privacy preferences
Manage per-address privacy preferences for data subjects.
Get preferences
curl "https://api.mail.gorillaa.one/v1/privacy/preferences/[email protected]" \
-H "Authorization: Bearer YOUR_API_KEY"
Response
{
"email": "[email protected]",
"doNotSell": false,
"marketingEmails": true,
"productUpdates": true,
"updatedAt": "2026-02-09T12:00:00Z"
}
Update preferences
curl -X PATCH "https://api.mail.gorillaa.one/v1/privacy/preferences/[email protected]" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"doNotSell": true,
"marketingEmails": false,
"productUpdates": false
}'
| Field | Type | Description |
|---|
doNotSell | boolean | Opt out of data selling (CCPA) |
marketingEmails | boolean | Receive marketing emails |
productUpdates | boolean | Receive product update emails |
DSR request history
List all Data Subject Requests (both export and erasure):
curl "https://api.mail.gorillaa.one/v1/privacy/requests" \
-H "Authorization: Bearer YOUR_API_KEY"
Maintain an audit trail of GDPR requests for compliance. The Gorillaa Mail API retains request metadata even after data erasure is complete.
