
GDPR & privacy

Flashpoint.AI provides built-in GDPR and CCPA compliance tools. Three operations cover the core data subject rights: lookup, export (Right to Access), and erasure (Right to Erasure).

All operations are team-scoped — a team can only manage data subjects within their own data. Every operation is recorded in the audit trail with the actor, timestamp, and outcome.

Subject lookup

Check whether a data subject exists in your team's data before initiating an export or erasure request.

GET /api/v1/gdpr/subjects/lookup?email=respondent@example.com
curl "https://surveys.flashpoint.ai/api/v1/gdpr/subjects/lookup?email=respondent@example.com" \
  -H "X-Service-Token: $TOKEN" \
  -H "X-Team-ID: $TEAM_ID" \
  -H "X-User-ID: $USER_ID"

{
  "found": true,
  "response_count": 3,
  "distribution_count": 5,
  "email_hash": "a1b2c3d4e5f6..."
}
Field                 Description
found                 true if any responses or distribution records match
response_count        Number of survey responses linked to this email
distribution_count    Number of email distribution records for this address
email_hash            One-way hash of the email, used as the de-identified reference

The lookup does not return PII, only the counts and the hash. The found flag nevertheless confirms whether a given address appears in your team's data, which is why this call is team-scoped and audit-logged like the other two.

Right to Access (data export)

Export all data held for a data subject. Returns every survey response and distribution record associated with the given email address. This fulfils the right of access under GDPR Article 15; Article 12(3) requires the response without undue delay and at the latest within one month of receiving the request, extendable by two further months for complex or numerous requests.

POST /api/v1/gdpr/subjects/export
curl -X POST https://surveys.flashpoint.ai/api/v1/gdpr/subjects/export \
  -H "X-Service-Token: $TOKEN" \
  -H "X-Team-ID: $TEAM_ID" \
  -H "X-User-ID: $USER_ID" \
  -H "Content-Type: application/json" \
  -d '{"email": "respondent@example.com"}'

{
  "email_hash": "a1b2c3d4e5f6...",
  "surveys_participated": 2,
  "responses": [
    {
      "response_id": "r1a2b3c4-...",
      "survey_id": "s5d6e7f8-...",
      "status": "COMPLETE",
      "data": { "Q1": "3", "Q2": ["1", "4"], "Q3": "Great experience" },
      "country": "US",
      "started_at": "2026-05-20T14:00:00Z",
      "completed_at": "2026-05-20T14:08:32Z",
      "created_at": "2026-05-20T14:00:00Z"
    }
  ],
  "distribution_records": [
    {
      "email_list_id": "el1a2b3c-...",
      "survey_id": "s5d6e7f8-...",
      "status": "completed",
      "sent_at": "2026-05-19T10:00:00Z",
      "started_at": "2026-05-20T14:00:00Z",
      "completed_at": "2026-05-20T14:08:32Z"
    }
  ],
  "exported_at": "2026-05-26T12:00:00Z"
}

The export is audit-logged automatically — the requesting user, timestamp, and response count are recorded.

Right to Erasure (anonymization)

Anonymize all PII for a data subject. This operation is irreversible, so run the export first if the subject also wants a copy of their data. The reason field is free text; use it to tie the erasure to the request that authorised it. This fulfils the right to erasure under GDPR Article 17; the same one-month deadline of Article 12(3) applies.

POST /api/v1/gdpr/subjects/delete
curl -X POST https://surveys.flashpoint.ai/api/v1/gdpr/subjects/delete \
  -H "X-Service-Token: $TOKEN" \
  -H "X-Team-ID: $TEAM_ID" \
  -H "X-User-ID: $USER_ID" \
  -H "Content-Type: application/json" \
  -d '{"email": "respondent@example.com", "reason": "Data subject erasure request via support ticket #4821"}'

{
  "email_hash": "a1b2c3d4e5f6...",
  "responses_anonymized": 3,
  "distribution_records_anonymized": 5,
  "completed_at": "2026-05-26T12:01:00Z"
}
Field                             Description
responses_anonymized              Number of survey responses where PII was cleared
distribution_records_anonymized   Number of email records where the address was replaced with a hash
completed_at                      Timestamp of completion
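The three calls above are normally run as one procedure per request. The Python client below is an added example, not Flashpoint.AI's own code or SDK: the endpoint paths, header names and response fields come from this page, the HTTP transport is injected so the flow can be exercised offline against a constructed fake API, and the runbook enforces the ordering a practitioner wants: lookup first, export captured before the irreversible erasure, and lookup, export and erasure counts reconciled before the ticket is closed.

```python
"""Runbook client for the lookup -> export -> erase flow documented above.

Added example, not Flashpoint.AI's own code. Endpoint paths, header names and
response fields come from this page; the fake transport and its canned data
are constructed for offline use.
"""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode

BASE = "https://surveys.flashpoint.ai/api/v1/gdpr/subjects"

# transport(method, url, headers, json_body) -> (status, parsed_json).
# Injected so production can wrap `requests` while tests use a fake.
Transport = Callable[[str, str, dict, Optional[dict]], tuple[int, dict]]


@dataclass
class GdprClient:
    token: str
    team_id: str
    user_id: str
    transport: Transport

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        headers = {"X-Service-Token": self.token, "X-Team-ID": self.team_id,
                   "X-User-ID": self.user_id}
        if body is not None:
            headers["Content-Type"] = "application/json"
        status, data = self.transport(method, f"{BASE}/{path}", headers, body)
        if status != 200:
            raise RuntimeError(f"{method} {path}: HTTP {status} {data}")
        return data

    def lookup(self, email: str) -> dict:
        return self._call("GET", "lookup?" + urlencode({"email": email}))

    def export(self, email: str) -> dict:
        return self._call("POST", "export", {"email": email})

    def erase(self, email: str, reason: str) -> dict:
        # The reason is what ties the audit entry to a request; refuse without one.
        if not reason.strip():
            raise ValueError("erasure requires a documented reason")
        return self._call("POST", "delete", {"email": email, "reason": reason})


def fulfil_erasure(client: GdprClient, email: str, reason: str):
    """Lookup, export, then erase, reconciling counts at each step.

    Export runs before erasure because erasure is irreversible: afterwards
    there is no PII left to hand back to the data subject.
    Returns (export_json, erase_json), or None if the subject is unknown.
    """
    found = client.lookup(email)
    if not found["found"]:
        return None
    exported = client.export(email)
    if len(exported["responses"]) != found["response_count"]:
        raise RuntimeError("export/lookup response counts differ; do not erase")
    erased = client.erase(email, reason)
    if (erased["responses_anonymized"] != found["response_count"]
            or erased["distribution_records_anonymized"] != found["distribution_count"]
            or erased["email_hash"] != exported["email_hash"]):
        raise RuntimeError("erasure did not reconcile with lookup/export; escalate")
    return exported, erased


# ---- constructed fake API, stands in for the service when run offline -------
KNOWN = "respondent@example.com"
HASH = "a1b2c3d4e5f6"  # constructed stand-in for the service's one-way hash
CANNED = {
    "lookup": {"found": True, "response_count": 1, "distribution_count": 1,
               "email_hash": HASH},
    "export": {"email_hash": HASH, "surveys_participated": 1,
               "responses": [{"response_id": "r1", "survey_id": "s5",
                              "status": "COMPLETE", "data": {"Q1": "3"}}],
               "distribution_records": [{"email_list_id": "el1",
                                         "survey_id": "s5",
                                         "status": "completed"}],
               "exported_at": "2026-05-26T12:00:00Z"},
    "delete": {"email_hash": HASH, "responses_anonymized": 1,
               "distribution_records_anonymized": 1,
               "completed_at": "2026-05-26T12:01:00Z"},
}


def make_fake_transport() -> Transport:
    """Routes on path and email; records every call so order can be checked."""
    calls: list = []

    def transport(method, url, headers, body):
        calls.append((method, url.split("?")[0].rsplit("/", 1)[-1]))
        if any(h not in headers for h in ("X-Service-Token", "X-Team-ID", "X-User-ID")):
            return 401, {"error": "missing scoping header"}
        path = url[len(BASE) + 1:]
        if path.startswith("lookup?"):
            email = parse_qs(path.split("?", 1)[1])["email"][0]
            if email != KNOWN:
                return 200, {"found": False, "response_count": 0,
                             "distribution_count": 0, "email_hash": "ffff"}
            return 200, CANNED["lookup"]
        if body is None or body.get("email") != KNOWN:
            return 404, {"error": "subject not found"}
        return 200, CANNED[path]

    transport.calls = calls
    return transport
```

In production the transport is a thin wrapper around your HTTP library that returns the status code and decoded JSON; the fake exists only so the ordering and reconciliation logic can be tested without touching real respondent data.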

How anonymization works

Erasure does not delete response data outright. Survey answers are retained for aggregate analytics (per GDPR Recital 26, anonymous data is not personal data). Instead, Flashpoint.AI clears every field that could identify the individual. Note that free-text answers are part of the preserved answer data, so anything a respondent typed into a comment box survives erasure; review those fields separately if a request covers them.

On survey responses:

Field                  Before                         After
ip_hash                a1b2c3...                      null
country                US                             null
region                 California                     null
city                   San Francisco                  null
timezone               America/Los_Angeles            null
email_token            tok_xyz...                     null
respondent_metadata    {"browser": "Chrome", ...}     {}
panel_data             {"participant_id": "..."}      {}
data (answer data)     Preserved                      Preserved
status                 Preserved                      Preserved

On distribution records:

Field      Before                    After
email      respondent@example.com    anonymized:a1b2c3d4...
token      tok_full_token_value      revoked:tok_full

The email is replaced with an anonymized: prefix plus a truncated hash, and the distribution token is revoked so the survey link can no longer be used. The hash is deterministic (lookup, export and erasure all return the same email_hash for an address), so anyone who holds the original address and can compute the hash can relink the record; treat the hash as a pseudonymous identifier that stays access-controlled, not as anonymous data.
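Stated as code, the rules in the two tables above look like the following. This is an added reference implementation, not Flashpoint.AI's code: the field lists come from the tables, while the hash algorithm (SHA-256 over the lower-cased address), the eight-character truncation of the hash and the sample records are assumptions constructed for the example. It also carries the two checks an auditor wants after an erasure: that no identifying field survived, and that the preserved free-text answers are not themselves carrying an email address.

```python
"""Reference implementation of the anonymization rules in the tables above,
plus checks for auditing an erasure.

Added example, not Flashpoint.AI's own code. Field lists follow this page;
SHA-256, the 8-character hash truncation and the sample records are assumptions.
"""
import copy
import hashlib
import re

# Response fields that can identify the individual. Answer data and status are
# deliberately absent from these lists: they are kept for aggregate analytics.
NULLED_FIELDS = ("ip_hash", "country", "region", "city", "timezone", "email_token")
EMPTIED_FIELDS = ("respondent_metadata", "panel_data")
PRESERVED_FIELDS = ("data", "status")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def email_hash(email: str) -> str:
    # Assumption: unsalted SHA-256 over the normalised address. Deterministic
    # hashing makes the value a pseudonym, not anonymous data: anyone holding
    # the address can recompute it, so the hash stays restricted.
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def anonymize_response(resp: dict) -> dict:
    out = copy.deepcopy(resp)
    for field in NULLED_FIELDS:
        if field in out:
            out[field] = None
    for field in EMPTIED_FIELDS:
        if field in out:
            out[field] = {}
    return out


def anonymize_distribution(rec: dict) -> dict:
    out = copy.deepcopy(rec)
    out["email"] = "anonymized:" + email_hash(rec["email"])[:8]
    # Revoking the token kills the survey link; a short prefix is kept so the
    # record can still be correlated with earlier audit entries.
    out["token"] = "revoked:" + rec["token"][:8]
    return out


def verify_erased(before: dict, after: dict) -> list:
    """Problems found when comparing an exported record with its erased form.
    An empty list means every PII field was cleared and nothing else moved."""
    problems = []
    for field in NULLED_FIELDS:
        if after.get(field) is not None:
            problems.append(f"{field} still set")
    for field in EMPTIED_FIELDS:
        if after.get(field):
            problems.append(f"{field} not emptied")
    for field in PRESERVED_FIELDS:
        if field in before and after.get(field) != before[field]:
            problems.append(f"{field} changed by erasure")
    return problems


def free_text_pii(data: dict) -> list:
    """Question keys whose preserved answers look like they contain an email.
    Answer data survives erasure, so respondent-typed PII needs manual review."""
    flagged = []
    for key, value in data.items():
        values = value if isinstance(value, list) else [value]
        if any(isinstance(v, str) and EMAIL_RE.search(v) for v in values):
            flagged.append(key)
    return flagged


# Constructed sample records mirroring the Before column of the tables.
SAMPLE_RESPONSE = {
    "response_id": "r1", "survey_id": "s5", "status": "COMPLETE",
    "data": {"Q1": "3", "Q2": ["1", "4"],
             "Q3": "Great experience, mail me at jo@example.org"},
    "ip_hash": "a1b2c3", "country": "US", "region": "California",
    "city": "San Francisco", "timezone": "America/Los_Angeles",
    "email_token": "tok_xyz", "respondent_metadata": {"browser": "Chrome"},
    "panel_data": {"participant_id": "p-77"},
}
SAMPLE_DISTRIBUTION = {"email": "respondent@example.com",
                       "token": "tok_full_token_value", "status": "completed"}
```

Running verify_erased over the export taken before erasure and a fresh read of the record afterwards is the cheapest way to confirm the operation did what the tables promise; free_text_pii on the preserved answers tells you whether a second, manual redaction pass is still needed.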

Retention

  • Active surveys retain anonymized response data indefinitely for aggregate analytics.
  • Soft-deleted surveys preserve the audit trail (who created, published, deleted) but anonymization removes all respondent PII regardless of survey status.
  • Audit log entries for GDPR operations themselves are retained permanently as compliance evidence. They record the actor, action, and outcome but never store the original email — only the hash.