GDPR Overview

Automating GDPR Retrieval and Deletion

Drift admins can manually request data retrieval and deletion via the Data Privacy section of their settings, but this can be tedious for larger organizations with many requests.

The Data Privacy API provides a way to trigger GDPR requests programatically.

There are two types of requests an organization can make:

  • Retrieval - fetches all data for all contacts and users with a given email
  • Deletion - deletes all data for all contacts and users with a given email

Unless these requests are necessary for compliance purposes, we recommend using the Contact API which provides real-time data.



The Data Privacy API can only be accessed by apps created by an organization. Third party applications are blocked from requesting these permissions. Keeping our customers' data secure is of the utmost important to Drift. We go to considerable lengths to ensure that all data sent to us is handled securely - keeping your data secure is fundamental to the nature of our business.


To perform GDPR requests, an app must request access to specific permission scopes.

Retrieval requires access to the gdpr_read scope.
Deletion requires access to the gdpr_write scope.

To read more about how the Drift API uses scopes, see our scopes documentation.