ByteGain provides an API to perform GDPR actions on user data.

All requests are processed asynchronously and it may take up to 30 days for a request to be fulfilled. Once a request is fulfilled, the customer will receive an out of band notification via email, Slack, or similar.

Successful requests return a request ID that can be used to inquire on the status of a request.


Due to the sensitive information, the requests must be made from secure customer servers to the ByteGain servers. All requests must be sent over HTTPS.

Error Handling

Error conditions will be signaled immediately, in the form of HTTP error codes with a JSON body with more error information.

The caller must retry requests that may initially fail with a recoverable HTTP error code or due to network connectivity issues.


Customers are encouraged to test their integration with the ByteGain GDPR API. This can be achieved by setting the request field test to true (see below) so that the ByteGain servers know to not process or keep a record for such requests. Test requests may use non-existent user IDs, but otherwise the rest of the data must be correct or an error will be returned.

Request Format


  "secretKey": "<CUSTOMER_SECRET_KEY>",
  "action": "<ACTION>",
  "userId": "<user_id>",
  "test": false

Request Fields:

secretKey: (required string) customer specific secret key which can be retrieved via the web interface. This is not the same API key used to call the bytegain.js javascript library or mobile SDK. Keep this key private and secure.

action: (required string) the action to perform for the given userId. One of:

userId: (required string) the user ID to apply the action for. This is the ID of a registered user as known to the customer and passed to bytegain.js or mobile SDK identify calls.

test: (optional boolean, defaults to false) must be set to true when testing API integration. Requests for which test is true will always return a request ID TEST_REQUEST_IGNORED and actual processing will be ignored by the server, except for request validation and error handling (return error code).


HTTP status code 202 ACCEPTED if the request was received and queued for processing.
Response body for non-test requests:

  "id": "<REQUEST_ID>",
  "timestamp": "<TIMESTAMP>"

Response body for test requests:

  "test": true,
  "timestamp": "<TIMESTAMP>"

Other HTTP status codes represent errors. Responses that have a recoverable HTTP error code must be retried after a delay. It is recommended to use an exponential backoff time between retry attempts.


curl -d '{"secretKey": "replace_with_your_secret_key", "action": "SUPPRESS_AND_DELETE_USER_DATA", "userId": "", "test": true}'


  1. Suppressing data collection for a user: while ByteGain provides the SUPPRESS_AND_DELETE_USER_DATA action, it is strongly recommended that customers do not even load or call the bytegain.js library or mobile SDK for such users.