GDPR & Privacy Compliance

Export tenant data, delete contacts or message content, and view the decision trace for all data operations.

Molted Email provides built-in tools for GDPR and privacy compliance: data export, contact and tenant deletion, message content erasure, and a full decision trace of all data operations.

All GDPR operations are processed asynchronously. Use the status endpoints to poll for completion.

Data export

Request a full export of your tenant data. The export is packaged as JSON and made available for download once processing is complete.

POST https://api.molted.email/v1/me/export

curl

curl -X POST https://api.molted.email/v1/me/export \
  -H "Cookie: YOUR_SESSION_COOKIE"

Response

{
  "id": "export_abc123",
  "status": "pending",
  "createdAt": "2026-03-31T12:00:00Z"
}

Check export status

GET https://api.molted.email/v1/me/export/:id

curl

curl https://api.molted.email/v1/me/export/export_abc123 \
  -H "Cookie: YOUR_SESSION_COOKIE"

Response

{
  "id": "export_abc123",
  "status": "completed",
  "downloadUrl": "https://...",
  "fileSize": 204800,
  "createdAt": "2026-03-31T12:00:00Z",
  "completedAt": "2026-03-31T12:01:00Z"
}

Status	Description
`pending`	Export queued, not yet started.
`processing`	Export in progress.
`completed`	Export ready. Use `downloadUrl` to download.
`failed`	Export failed. Check `errorMessage` for details.

Deleting contacts

Delete a single contact

Remove all stored data for a single email address.

POST https://api.molted.email/v1/me/delete/contact

curl

curl -X POST https://api.molted.email/v1/me/delete/contact \
  -H "Cookie: YOUR_SESSION_COOKIE" \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com"}'

Delete all contacts

Remove all contact records for the tenant.

POST https://api.molted.email/v1/me/delete/contacts

curl

curl -X POST https://api.molted.email/v1/me/delete/contacts \
  -H "Cookie: YOUR_SESSION_COOKIE"

Deleting message content

Delete the body and attachments of stored messages while keeping delivery metadata (timestamps, recipient, status).

POST https://api.molted.email/v1/me/delete/message-content

curl

curl -X POST https://api.molted.email/v1/me/delete/message-content \
  -H "Cookie: YOUR_SESSION_COOKIE" \
  -H "Content-Type: application/json" \
  -d '{"before": "2025-01-01T00:00:00Z"}'

This is useful for complying with data retention policies without losing delivery records.

Tenant deletion

Request deletion

Schedule the tenant and all associated data for deletion. A grace period applies before the deletion is executed.

POST https://api.molted.email/v1/me/delete/tenant

curl

curl -X POST https://api.molted.email/v1/me/delete/tenant \
  -H "Cookie: YOUR_SESSION_COOKIE"

Cancel deletion

Cancel a pending deletion request during the grace period.

DELETE https://api.molted.email/v1/me/delete/tenant

curl

curl -X DELETE https://api.molted.email/v1/me/delete/tenant \
  -H "Cookie: YOUR_SESSION_COOKIE"

Decision trace

All GDPR operations are recorded in the decision trace. Use this to demonstrate compliance with data subject access requests and regulatory audits.

GET https://api.molted.email/v1/me/audit-log

curl

curl "https://api.molted.email/v1/me/audit-log?limit=50" \
  -H "Cookie: YOUR_SESSION_COOKIE"

Response

{
  "entries": [
    {
      "id": "log_xyz789",
      "event": "gdpr.export.requested",
      "userId": "user_abc",
      "createdAt": "2026-03-31T12:00:00Z",
      "details": {}
    }
  ]
}

Event types

Event	Description
`gdpr.export.requested`	Data export was requested.
`gdpr.export.completed`	Export processing completed.
`gdpr.deletion.requested`	Deletion was scheduled.
`gdpr.deletion.cancelled`	Pending deletion was cancelled.
`gdpr.contact.deleted`	A contact record was deleted.
`gdpr.message_content.deleted`	Message body/attachments were deleted.

Suppressions & Consent -- manage suppression lists and consent records

On this page