GDPR export and deletion
Use Apex privacy endpoints to export or delete visitor data for a shop-scoped privacy request.
Apex supports shop-scoped visitor export and deletion workflows for privacy requests. These endpoints are server-to-server only: call them from your backend with an Apex API key that has the matching data permission.
The privacy workflow is based on the Apex visitor ID. If a shopper has used multiple browsers, cleared cookies, or checked out without a linked Apex assignment, one visitor ID may not represent every record you hold about that person.
Before you start
- Find the Apex visitor ID for the request.
- Use a secret API key from your server, never from browser code.
- Make sure the key has
data:exportfor export requests ordata:deletefor deletion requests. - Keep your own record of the customer request and the identifier you used.
Export visitor data
Send a POST request to /api/v1/data-export with a visitor ID. The optional limit is capped at 50,000 rows. The examples below read your secret API key from the APEX_API_KEY environment variable.
curl -X POST "https://app.drip-apex.com/api/v1/data-export" \
-H "Authorization: Bearer $APEX_API_KEY" \
-H "Content-Type: application/json" \
-d '{"visitor_id":"visitor_123","limit":10000}'A completed export returns a request ID, visitor ID, status, and the Tinybird event export for that shop and visitor.
To check the latest export request later, use either the request ID or visitor ID:
curl "https://app.drip-apex.com/api/v1/data-export?request_id=req_123" \
-H "Authorization: Bearer $APEX_API_KEY"Delete visitor data
Send a POST request to /api/v1/data-deletion with a visitor ID.
curl -X POST "https://app.drip-apex.com/api/v1/data-deletion" \
-H "Authorization: Bearer $APEX_API_KEY" \
-H "Content-Type: application/json" \
-d '{"visitor_id":"visitor_123"}'A deletion request returns accepted when the request is recorded and processing has completed for the implemented stores. Apex deletes matching Tinybird event rows and redacts matching local Operator messages, Operator run/event payloads, and screenshot job results. Apex keeps a minimal privacy request audit row with status, processed time, and error information if something fails.
To check deletion status:
curl "https://app.drip-apex.com/api/v1/data-deletion?visitor_id=visitor_123" \
-H "Authorization: Bearer $APEX_API_KEY"What Apex removes or returns
Export reads matching analytics events for the shop and visitor ID from the configured Tinybird event datasource.
Deletion removes matching analytics events from the configured Tinybird deletion datasource list. It also redacts local Apex artifacts that contain the visitor ID in Operator messages, Operator runs, Operator event payloads, and screenshot job results.
Deletion is scoped by shop ID and visitor ID. It does not delete your ecommerce platform's customer, order, or consent records; handle those in your store platform or customer-data system.
Troubleshooting
401or403: confirm you are using a server-side secret API key with the right data permission.400: include eithervisitor_idin the POST body orrequest_id/visitor_idwhen checking status.404: no matching privacy request exists for that shop and identifier.429: the API key rate limit was reached; retry after the rate-limit window.failedstatus: retry after checking the returned error and your Apex support channel.