Data Export & GDPR Requests

Anvil gives you two distinct export flows: one for tenant-wide data ownership (you moving your data in or out of the platform), and one for data-subject rights under GDPR, CCPA, PIPL and similar laws. This page covers both.

Why Export Matters

You should be able to walk out of any SaaS vendor with your data at any time. If a vendor cannot produce a complete, machine-readable export on demand, you are locked in. We designed Anvil so that leaving us costs you zero data. The only switching cost you want us to earn is the product value itself.

Self-Serve Tenant Export

For bulk exports of your own tenant data:

  • Navigate to **Settings > Data > Export**.
  • Select datasets: Leads, Contacts, Conversations, Activities, Pipelines, Tags, Knowledge Bases.
  • Choose a format: CSV, JSON, or Parquet (recommended for large datasets).
  • Select a date range.
  • Click **Start Export**.

Exports run asynchronously. You receive an email and an `export.ready` webhook when the download is ready. Files are encrypted at rest with a per-export key and available for 7 days.

Enterprise plans can also configure continuous exports to S3 / GCS buckets you own; data lands in your warehouse within 5 minutes of being generated.

Data Subject Access Requests

When a data subject asks "what do you know about me?", Anvil provides a one-call API:

    POST /v1/privacy/subject-access-request
    Content-Type: application/json
    
    {
      "identifier": { "email": "user@example.com" },
      "scope": "all",
      "format": "json"
    }

We return a signed download URL within 24 hours containing every personal-data record associated with that email across all platforms, collection tasks, conversations, and activity logs. The response matches the structure required by GDPR Article 15.

You can also initiate SARs from the dashboard at **Settings > Privacy > DSAR**.

Right to Erasure

Data subjects can exercise the right to be forgotten under GDPR Article 17 (and equivalents under PIPL / CCPA). The API:

    POST /v1/privacy/erasure-request
    Content-Type: application/json

    {
      "identifier": { "email": "user@example.com" },
      "reason": "subject_request"
    }

Within 30 days (legal maximum), Anvil:

  • Hard-deletes the personal data from Postgres primary + all read replicas.
  • Purges vector embeddings that reference the subject from Qdrant.
  • Removes the subject from ClickHouse analytics (replaced with anonymized `>redacted<`).
  • Propagates the deletion to downstream webhooks you have configured.
  • Retains a tombstone record (subject ID + timestamp) for audit purposes, which contains no personal data.

Exports generated before the erasure that contain erased subjects are NOT retroactively modified. Removing those subjects from copies held in any downstream systems is the customer's responsibility.
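
Because exports generated before an erasure are not retroactively modified, copies you already downloaded need their own cleanup. The following is an added example, not Anvil code: a scrubber for a CSV export held in your own systems, where the `email` column name, the function names and the sample rows are assumptions.

```python
import csv
import hashlib
import io

def _norm(email):
    """Normalise an address for matching: trim whitespace, case-fold."""
    return (email or "").strip().casefold()

def scrub_export(csv_text, erased_emails, email_column="email"):
    """Drop rows for erased subjects from a previously downloaded CSV export.

    Returns (clean_csv_text, audit). The audit holds counts and SHA-256
    digests of removed identifiers, so the log itself carries no plain address.
    """
    erased = {_norm(e) for e in erased_emails}
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames is None or email_column not in reader.fieldnames:
        # Fail closed: an export we cannot match against must not pass as clean.
        raise ValueError(f"column {email_column!r} not found in export")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    kept, dropped, digests = 0, 0, set()
    for row in reader:
        key = _norm(row[email_column])
        if key in erased:
            dropped += 1
            digests.add(hashlib.sha256(key.encode()).hexdigest())
            continue
        writer.writerow(row)
        kept += 1
    return out.getvalue(), {"kept": kept, "dropped": dropped, "subjects": sorted(digests)}

# Constructed sample export (not real Anvil output) and erasure list.
SAMPLE_EXPORT = (
    "id,email,notes\n"
    '1,alice@example.com,"met at expo, follow up"\n'
    "2, User@Example.com ,trial\n"
    "3,bob@example.com,renewal\n"
    "4,user@example.com,duplicate lead\n"
)
ERASED = ["user@example.com"]

if __name__ == "__main__":
    clean, audit = scrub_export(SAMPLE_EXPORT, ERASED)
    print(clean, audit, sep="\n")
```

Matching here is on the identifier column only; personal data that appears inside free-text fields needs a separate review.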

Data Portability

Under GDPR Article 20, subjects can ask for their data in a portable format. Our `/v1/privacy/subject-access-request` endpoint satisfies this by default; JSON is the recommended format for machine portability.

Retention Controls

At the tenant level you can configure retention policies per entity:

  • Lead retention: default 365 days, range 7-1825.
  • Conversation retention: default 180 days, range 7-730.
  • Crawl result retention: default 90 days, range 1-365.

Policies run nightly. Expired records are hard-deleted unless explicitly marked as **legal hold**, in which case they are retained until the hold is lifted.

Regulatory Mapping

| Right / Regulation | Anvil Surface |
| --- | --- |
| GDPR Art. 15 — access | `POST /v1/privacy/subject-access-request` |
| GDPR Art. 16 — rectification | `PATCH /v1/leads/:id`, `PATCH /v1/contacts/:id` |
| GDPR Art. 17 — erasure | `POST /v1/privacy/erasure-request` |
| GDPR Art. 18 — restriction | `POST /v1/privacy/restrict` |
| GDPR Art. 20 — portability | `/v1/privacy/subject-access-request?format=json` |
| CCPA §1798.105 — deletion | Same endpoint as Art. 17 |
| CCPA §1798.110 — right to know | Same endpoint as Art. 15 |
| PIPL Art. 44-47 — subject rights | Same endpoints; China residency data stays in-region |

For a full DPA / privacy review, email [738888@proton.me](mailto:738888@proton.me).