Data Privacy API overview

🚧

The data privacy compliance resources included in this overview are intended solely for informational purposes and should not be construed as legal advice. Klaviyo strongly encourages all of our customers — and all ecommerce merchants — to consult with qualified legal counsel on how they should ensure that they are compliant with data privacy laws.

Before you begin

Check out our general API overview to make sure you're ready to get started with specific endpoints.

When it comes to ensuring your customers’ protection, it’s important to comply with applicable data privacy laws. Our Data Privacy API allows you to request a profile deletion corresponding to an email, phone number, or Klaviyo profile ID.

Additionally, when selected, our Data Privacy API performs profile deletion in compliance with GDPR and CCPA. For more information, refer to our guide on GDPR and CCPA requests.

🚧

Once you delete a profile, the action cannot be undone, and the profile will be permanently erased from your Klaviyo instance. When a profile is deleted via API, a GDPR deletion is performed. As required by GDPR, a list of contact information associated with any deleted Klaviyo profiles will be kept as a record.

Use cases

Here are some example use cases supported by the Data Privacy API:

• Request to delete a profile in Klaviyo when a profile with the same identifier is deleted in a third-party integration. For example, when a customer profile is deleted in an external system, you can send a HTTP request for profile deletion to Klaviyo’s Data Privacy API.
• Request to delete a profile in Klaviyo when a contact has explicitly requested for their profile to be deleted.

📘

If you’re thinking about deleting unengaged profiles (profiles that belong to an unengaged segment due to inactivity) consider profile suppression instead. Learn more about best practices for list cleaning in Klaviyo.

Data model

A data privacy deletion job should contain a profile object with one of the following profile identifiers:

• id

  The Klaviyo id of the profile to be deleted.

• email

  The email of the profile to be deleted.

• phone_number

  The phone number of the profile to be deleted.

Request Profile Deletion

Your request payload for Request Profile Deletion should be formatted like the example below:

{
  "data": {
    "type": "data-privacy-deletion-job",
    "attributes": {
      "profile": {
        "data": {
          "type": "profile",
          "attributes": {
            "email": "[email protected]"
          }
        }
      }
    }
  }
}

All profiles that match the provided identifier will be deleted asynchronously from your account in compliance with data protection laws. When the deletion completes, the deleted profile will appear on the Deleted Profiles page in Klaviyo.

📘

Note that the request payload in the example above only includes 1 profile identifier, in this case, email. If you provide more than 1 identifier (e.g., an email and a phone number) for the profile to be deleted in your request, you will receive a 400 error.

Next steps

• Learn about best practices in complying with data privacy laws and refer to the additional resources below to learn more about handling GDPR and CCPA requests.
• Using your Klaviyo test account and Postman, make a call to Request Profile Deletion, which will asynchronously delete a sample profile. Check to make sure the deleted profile has been logged under Deleted profiles in your Klaviyo account.

Additional resources

• How to collect GDPR-compliant consent
• Frequently asked questions about GDPR
• Frequently asked questions about the CCPA and CPRA